Practical Schemes for Tunable Secure Network Coding

  • Liu, Guangjun (School of Mathematics and Computer Engineering, Xi'an University)
  • Received : 2014.08.02
  • Accepted : 2015.01.26
  • Published : 2015.03.31

Abstract

Network coding is promising to maximize network throughput and improve the resilience to random network failures in various networking systems. In this paper, the problem of providing efficient confidentiality for practical network coding system against a global eavesdropper (with full eavesdropping capabilities to the network) is considered. By exploiting a novel combination between the construction technique of systematic Maximum Distance Separable (MDS) erasure coding and traditional cryptographic approach, two efficient schemes are proposed that can achieve the maximum possible rate and minimum encryption overhead respectively on top of any communication network or underlying linear network code. Every generation is first subjected to an encoding by a particular matrix generated by two (or three) Vandermonde matrices, and then parts of coded vectors (or secret symbols) are encrypted before transmitting. The proposed schemes are characterized by tunable and measurable degrees of security and also shown to be of low overhead in computation and bandwidth.

Keywords

1. Introduction

Network coding is an elegant and novel routing approach that generalizes traditional routing where each node simply stores and forwards the incoming packets [1]. It has been proved that network coding can potentially maximize network capacity, improve transmission efficiency, and increase network robustness [2], [3], [4]. Recently, network coding has received a large number of applications in wired and wireless networks [5]. Moreover, an often noted advantage of network coding over traditional packet forwarding protocols is the inherent protection that it provides against eavesdropping [6]. This inherent security is an important issue of general interest to the research community, and has been attracting much attention.

In [7], Cai and Yeung first studied an information theoretic secure network code over a wiretap network for single source multicast, where a wiretapper can eavesdrop any one but not more than one set of channels, called a wiretap set, unknown to the transmitter and receivers, from a given collection of all possible wiretap sets of a fixed size r. For this special case, they also proved some tight fundamental performance bounds. Subsequently, Feldman et al. [8] pointed out a tradeoff between the size of the message set and the size of the transmission alphabet. Their scheme, as well as the scheme in [7], is essentially a coset coding scheme that uses the message to select a coset of a Maximum Distance Separable (MDS) code and transmits a random codeword within the coset. Both can be considered as a generalization of wiretap channel II [9]. A similar equivalent problem was covered in [10]. However, these security schemes with perfect security are only designed for some specific network codes, and each also requires coding over a large field and thus shows inefficiency in applications. To address this issue, Silva and Kschischang [11] exploited a universal perfectly secure network coding scheme independent of any linear code, but it involves expensive arithmetic operations over a large extension field. More recently, Cheng et al. [12] extensively investigated the wiretap channel II [9] when the wiretap sets consist of arbitrary subsets of channels and obtained some more general performance bounds compared with the existing schemes.

For practical considerations, Bhattad and Narayanan [13] proposed a relaxed model of security whose goal is also to get rid of the loss of information rate in secure network coding while being maximally secure against guessing. Herein, security is defined as wiretappers not being able to obtain any meaningful information about the source messages, without trading off the throughput. However, the scheme incurs a complicated construction of an encoding matrix which also depends on the network topology and the specific network code. Thereafter, another weakly secure scheme was introduced by Silva et al. [14] based on rank-metric codes, which can be applied on top of any linear network code seamlessly. Unfortunately, they also showed the existence of universal weakly secure network codes, but did not give an explicit construction. Besides, their code construction involves expensive arithmetic operations over a large extension field at the source, while incurring an inefficiency similar to that of the scheme in [13]. Furthermore, this practical security was then explored for trusted storage based on a secret sharing technique [15], where parts of the blocks are protected by the remaining parts, and vice versa. Interestingly, another parallel work with imperfect secrecy under a generalization of wiretap channel II [9] was presented in [16], where the wiretapper can obtain some partial information about the private message, measured by the equivocation of the message given the symbols obtained by the wiretapper. They also proved a tight region of the achievable rate tuples.

The most attractive advantage of these information theoretic secure schemes is that no secret sharing is needed between the source and receivers. Moreover, these schemes also provide measurable or quantifiable privacy preservation from the viewpoint of information theory. However, the major disadvantage or impracticality of these schemes is that they must restrict the eavesdropping capacity, which is not the case in some realistic scenarios. Actually, in a wireless network it is possible that a wiretapper can access all network links because of the broadcast nature of the wireless interface. To address this problem, securing network coding in conjunction with traditional cryptographic approaches emerges in general applications.

As we all know, traditional encryption has been broadly employed in military or commercial systems. It means that the wiretapper cannot obtain the protected information without the secret key. An intuitive approach based on traditional cryptography is to employ link-to-link encryption of coded packets. However, this method is not feasible, as it brings heavy computational overhead to each node and results in significant performance degradation. Hence, it is indeed unwise to encrypt all confidential messages without regard to the intrinsic security properties of network coding in network coding settings.

The mixing feature of network coding can be used to ensure confidentiality more efficiently by protecting the much shorter coding vector instead of the long message content. By viewing the network code as a cipher, it is possible to create a lightweight cryptographic scheme that reduces the overall computational complexity. As a practical example, Vilela et al. [17] proposed a computationally secure network coding scheme by means of hiding the precoding matrix. However, the scheme is actually insecure when some plaintexts are disclosed unless one-time-pad/precoding is adopted, which incurs heavy bandwidth overhead for transmitting the precoding information. Another elegant solution is to protect the coding vectors using Homomorphic Encryption Functions [18], but the substantial homomorphic cryptographic operations greatly degrade the communication efficiency. As a variant and extension of the scheme in [17], Lima et al. [19] designed a secure solution by additionally encrypting partial vector packets. However, the same bandwidth overhead as that occupied by the global coding vector is used to transmit the precoding vector. In addition, Zhang et al. [20] proposed a scheme called P-Coding, which would be more inefficient than traditional full encryption since all the information symbols of each generation (even including the global coding vectors) have to be protected.

Mostly, the existing traditional cryptography based schemes realize security by means of the encryption or protection of the global coding vectors. On the one hand, the security of this kind cannot be proven to satisfy or guarantee the requirements of practical applications; on the other hand, these schemes prove inefficient in either computation or bandwidth, as the security feature provided by random linear network coding (RLNC) is not fully exploited. More importantly, it is hard to evaluate the degree of security provided by these schemes. Therefore, how to provide efficient and exact security against wiretapping is still an open issue in practical applications of network coding, which becomes the main contribution of our work.

In sum, both kinds of solutions suffer from the various drawbacks mentioned above. In this paper, we further exploit the practically appealing security and propose two efficient weakly secure network coding schemes in terms of bandwidth overhead and security requirements. Both schemes are inspired by the idea of [13], and rely on a novel combination of the traditional cryptographic approach and the construction technique of systematic MDS erasure coding by Vandermonde matrices as presented in [22]. The following are some features of our scheme:

The remainder of this paper is organized as follows. Section 2 describes the system model and adversary model, as well as some preliminaries behind this paper. The proposed basic scheme and its security analysis are then presented in Sections 3 and 4. An alternative scheme with low encryption overhead is shown in Section 5. The performance evaluation of the proposals is exhibited in Section 6. Section 7 surveys some related work. Finally we conclude this paper in Section 8.


2. Models and Preliminaries

2.1 Network Model

We adopt the general random linear network coding model introduced in [4]. A network can be represented as an acyclic directed graph, and each edge is assumed to transport a row vector defined over a finite field Fq in unit time. The transmitted message is first divided into a sequence of vector groups of the same size called generations (or sessions), each of which can also be represented as a matrix containing m (row) vectors vi = (vi1,vi2,...,vin)∈(i = 1,2,...,m) which span an m-dimensional linear space . Here we consider a general multicast case in which one source needs to deliver a series of generations to a set of sinks.

Before sending, the source first creates m augmented vectors ∈(i = 1,2,...,m) for each generation by prefixing vi with the ith unit vector of dimension m, i.e.,

Each intermediate node receives the vectors from its l incoming links, and forwards a linear combination formed by into each outgoing link, where the coefficients α1,α2,...,αl are selected in Fq for that outgoing link. Note that only vectors from the same generation are encoded. Obviously, the first m symbols of are termed the global encoding coefficients.

Different methods for selecting the coefficients yield different types of network coding. When the {αi} are deterministic for each intermediate node, the resulting code is referred to as deterministic network coding. If the {αi} are chosen randomly and independently by each intermediate node, the resulting code is termed RLNC.

At the network terminals, every sink performs decoding operations on the received generations. As stated in [4], one generation can be recovered with high probability if a properly large coding field is used in multicast. For example, if a sink has received m legitimate independent vectors = (ei;ci)∈(i = 1,2,...,m) belonging to the generation represented as a matrix F at the source, the sink can recover F using Gaussian elimination as

where and .

2.2 Adversary Model

In this paper, the adversary considered is an internal or external wiretapper with computationally bounded power, who aims at intercepting packets and decoding them to extract meaningful information. Moreover, the wiretapper has the capability to wiretap all the network transmissions (excluding the secret keys) and possesses full knowledge of the encoding and decoding schemes at each node. An eavesdropper with these characteristics is called a global wiretapper, which can be achieved in real practice. Without loss of generality, we assume the source and terminals are always trusted and can never be compromised by an adversary. The wiretapper is assumed to be aware of the existence of the proposed schemes, and the intermediate nodes may even be monitored or compromised.

2.3 Practical Security

Let us denote by M the multicast information, and C a set of ciphertext messages observed by a wiretapper.

We first recall Shannon security, where the ciphertext C is considered to be secure against wiretapping with regard to M if the mutual information between C and M equals 0, i.e., I(C;M) = 0. The security criterion considered by [7], [8], [10], [11] falls into this category.

Compared to Shannon security, the weakly secure network coding proposed by [13] is a different information theoretic security model that is more practically appealing. We term this type of security in this paper as practical security.

Under the practical secrecy criterion, the ciphertext C is considered to be secure with regard to M if C carries no meaningful information with regard to M, that is, I(xi; M)=0, ∀xi∈M. For example, if a wiretapper can only observe a message of the form c = 4x+3y over Fq, a practically secure scheme guarantees that I(x;c) = I(y;c) = 0, but I(x,y;c) ≠ 0. Naturally, the goal of an adversary is to recover as much meaningful information about the plaintext data as possible.

Practical security is more suitable for energy-constrained networks, where network coding applications may not have perfect secrecy requirements in practice. The most appealing advantage of practical security is that it allows communication at the maximum rate while ensuring that only meaningless information is leaked to the adversary.

2.4 Matrices with No Singular Square Submatrices

In practical applications, the matrices over Fq with no singular square submatrices are used to build systematic MDS erasure codes. Over a given finite field, the matrices with this property can be constructed according to the following theorem.

Theorem 1 ([21]): Let A and B be two r×r matrices of rank r over a given field such that any r×r submatrix of the r×2r matrix (A | B) has rank r. Then the matrix A^{-1}·B is such that any of its square submatrices is nonsingular.

Among the matrices with this property, the class constructed by two Vandermonde matrices is an excellent candidate to build systematic MDS codes principally since matrix-vector multiplications can be performed very efficiently, especially when fast Fourier transform (FFT) can be used [23].


3. Proposed Secure Network Coding Scheme

In this section, we introduce the basic secure scheme for RLNC over wireless networks. The scheme can be naturally used for deterministic network coding over wired networks.

The plaintext of the generation is represented as an m×n matrix , where vi = (vi1, vi2,..., vin)∈(i = 1,2,...,m) are termed source vectors. Also, the Vandermonde matrix is denoted by V(a1,a2,...,am) in the following text. For a concise presentation, a transmission instance for only one generation is presented below.

3.1 Secure Source Coding

Before source coding, the proposed scheme needs a one-time key pre-distribution to begin with; the relevant key distribution technique is discussed later. To achieve security, the key idea is to encrypt the crucial information by which the plaintext can be easily recovered. Under this idea, the following operation steps need to be performed:

1) The source generates two public m×m Vandermonde matrices V1 = V(a1,a2,...,am) and V2 = V(b1,b2,...,bm) over Fq , and computes

2) The vectors are encrypted into the vectors z1,z2,...,zm using an encryption mechanism E (such as AES in a stream cipher mode), where the integer set {i1,i2,...,ir}⊂{1,2,...,m} is pre-determined and zik = E(wik) (k=1,2,...,r).

3) The source constructs the packets pi (i=1,2,...,m), which are composed by prefixing zi with the ith unit vector of dimension m. The packets are then sent out to the network.

For simplicity and without loss of generality, the case in which the first r vectors, i.e., w1, w2,..., wr, are encrypted is considered herein. Let us consider a scenario such as the one with m = 3, r = 1 at the source coding depicted in Fig. 1.

Fig. 1. Illustration of the operations at the source when m = 3, r = 1. The source vectors v1, v2,..., vm are encoded into z1, z2,..., zm in steps 1 and 2. One row of the identity matrix is generated for each coded source vector. Each packet is composed of a header which includes a row of the identity matrix I3. Then the packets are sent into the network using the standard network coding protocol.

3.2 Packets Relay

The network forwarder (or encoder) is an important component of the wireless relays of the network coded system. Every forwarder linearly combines the received packets according to the rules of the standard RLNC protocol [4].

3.3 Decoding at Sinks

A sink (or recipient) first applies Gaussian elimination on the global encoding matrix to decode z1, z2,...,zm and then decrypts z1, z2,...,zr with the corresponding key so as to recover the vectors w1, w2,..., wr. Using the publicly constructed matrix A, the sink obtains the plaintext vectors v1, v2,...,vm by M = A^{-1}·W.


4. Security Analysis

In this section, the proposed scheme is shown to be secure against wiretapping attacks under the following feasible constraints. Each element of the original data, or plaintext, is uniformly distributed and mutually independent over Fq. Actually, this can always be satisfied by applying entropy coding to the source vectors. Besides, we assume that the cipher E used is such that its output is independent of the plaintext and uniformly distributed over Fq.

Theorem 2: For a computationally bounded adversary, the proposed scheme can achieve practical security to protect the plaintext M even if the entire ciphertext Z has been wiretapped.

Proof: Since each plaintext symbol is mutually independent and uniformly distributed over Fq, we can easily conclude that the same statistical properties hold among the columns of the plaintext matrix M of any one generation. Therefore, it is enough in the following to discuss the security of the first column of M (denoted as s = (v11,v21,...,vm1)).

Assume that a wiretapper has collected enough packets to recover all zi (i = 1,2,...,m), but he cannot obtain any meaningful information about w11,w21,...,wr1, which are encrypted by a secure cipher E. Although wr+1,1,wr+2,1,...,wm1 and A can be observed by the wiretapper, they do not help him solve for the plaintext vector s, which has m unknowns, from only m-r linear equations.

From the statement of Theorem 2 in [13], if a secure scheme is considered to be weakly secure, it must resist a certain number of guesses, which is also a threshold against wiretapping. If the wiretapper can make more guesses beyond the threshold, he can recover all plaintext vectors.

Next, we show that our scheme can effectively resist r-1 guesses with regard to s, i.e., the security threshold for recovering s is r-1.

Suppose a wiretapper has the ability to guess any subset of r-1 elements of s. Without loss of generality, we assume that the guessed plaintext subset Փ consists of the first r-1 elements of s. To recover the content of s, the wiretapper must construct and try to solve the following system of equations according to the known information, i.e.,

When the wiretapper sets vi1 = (i = 1,2,...,r-1) after r -1 guesses, we have that

where .

It is easy to show that system (2) always has a free variable for each equation. Note that any square submatrix of A is nonsingular, so the coefficient matrix (denoted by A') of (2) must be of full row rank according to Theorem 1. Therefore, when we put the coefficient matrix A' in reduced row echelon form (Im-r;hT), the last column hT cannot contain 0. Otherwise, assuming its first element is 0, the square matrix composed of all the columns of A' except the first one is singular, which is a contradiction.

From the information-theoretic aspect, we have that the mutual information between the ciphertext and the guessed plaintext subset equals 0, i.e., I(z1,z2,...,zm;Փ) = 0. In conjunction with the above statements, this result implies that I(z1,z2,...,zm;vi1) = 0 (i = 1,2,...,m), which obviously meets the practical security criterion in this paper.

Generally, the security analysis for the case in which Փ is an arbitrary set of r-1 guessed plaintext symbols is similar to the discussion above. In particular, if the r-1 guesses for the unknown symbols of the chosen subset Փ are exactly their true values, then one more successful guess would result in full disclosure of the plaintext data. □

Theorem 2 shows that the algebraic property of A guarantees that the proposed scheme is always practically secure against any r-1 successful guesses of the plaintext data. Although the wiretapper can observe the other n-r packets that are not encrypted, he cannot recover any value(s) of the plaintext symbol(s) unless all encrypted packets have been revealed.
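As an added, runnable illustration of the basic scheme (steps 1 to 3 of Section 3.1, the relay of Section 3.2 and the sink of Section 3.3) together with the guessing argument of Theorem 2, not code from the paper: it takes Fq as F_257, stands in for AES in a stream mode with a SHA-256-based keystream, builds A = V1^{-1}·V2 from two Vandermonde matrices with eight distinct points, checks the Theorem 1 property by brute force, runs a random relay and a sink, and reports the rank of the wiretapper's linear system for one plaintext column after r-1 and after r guesses. All parameters, keys and data are constructed for the demo.

```python
import hashlib
import random
from itertools import combinations
P = 257  # demo field F_q (assumption; the paper leaves q generic)

def vandermonde(points):
    """Square matrix whose j-th column is (1, a_j, a_j^2, ..., a_j^(m-1))."""
    return [[pow(a, i, P) for a in points] for i in range(len(points))]

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]

def rref(X):
    """Gauss-Jordan elimination over F_P; returns (reduced matrix, rank)."""
    R, rk = [row[:] for row in X], 0
    for col in range(len(R[0]) if R else 0):
        piv = next((i for i in range(rk, len(R)) if R[i][col]), None)
        if piv is None:
            continue
        R[rk], R[piv] = R[piv], R[rk]
        s = pow(R[rk][col], P - 2, P)  # inverse of the pivot in the prime field
        R[rk] = [v * s % P for v in R[rk]]
        for i in range(len(R)):
            if i != rk and R[i][col]:
                f = R[i][col]
                R[i] = [(a - f * b) % P for a, b in zip(R[i], R[rk])]
        rk += 1
    return R, rk

def solve(coef, rhs):
    """X with coef * X = rhs, i.e. coef^-1 * rhs (coef square and nonsingular)."""
    m = len(coef)
    R, rk = rref([coef[i] + rhs[i] for i in range(m)])
    assert rk == m, "singular coefficient matrix"
    return [row[m:] for row in R]

def no_singular_square_submatrix(A):
    """Brute-force check of the Theorem 1 property (fine for small m)."""
    m = len(A)
    return all(rref([[A[i][j] for j in cols] for i in rows])[1] == k
               for k in range(1, m + 1)
               for rows in combinations(range(m), k)
               for cols in combinations(range(m), k))

def keystream(key, nonce, n):
    """F_P symbols from SHA-256(key||nonce||ctr): a stand-in for AES in CTR mode."""
    out, ctr = [], 0
    while len(out) < n:
        blk = hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        out += [int.from_bytes(blk[i:i + 4], "big") % P for i in range(0, 32, 4)]
        ctr += 1
    return out[:n]  # 2^32 mod 257 == 1, so the per-symbol bias is about 2^-32

def cipher_rows(W, r, key, nonce, sign):
    """Step 2: add (sign=+1) or remove (sign=-1) the keystream on the first r rows."""
    Z = [row[:] for row in W]
    for i in range(r):
        ks = keystream(key, nonce + bytes([i]), len(W[i]))
        Z[i] = [(w + sign * k) % P for w, k in zip(W[i], ks)]
    return Z

def source_encode(M, A, r, key, nonce):
    """Steps 1-3 of Section 3.1: W = A*M, encrypt r rows, prefix unit vectors."""
    Z = cipher_rows(mat_mul(A, M), r, key, nonce, +1)
    return [[int(i == j) for j in range(len(M))] + Z[i] for i in range(len(M))]

def relay_mix(packets, rng):
    """RLNC forwarder: emit one random F_P combination of the packets it holds."""
    coefs = [rng.randrange(P) for _ in packets]
    return [sum(c * p[j] for c, p in zip(coefs, packets)) % P
            for j in range(len(packets[0]))]

def sink_decode(received, A, r, key, nonce):
    """Section 3.3: eliminate on the headers, decrypt r rows, then M = A^-1 * W."""
    m = len(A)
    if len(received) < m or rref([p[:m] for p in received])[1] < m:
        return None  # headers not yet of full rank: keep collecting packets
    Z = [row[m:] for row in rref(received)[0][:m]]
    return solve(A, cipher_rows(Z, r, key, nonce, -1))

def wiretapper_rank(A, r, guesses):
    """Theorem 2 view: rank of the m-r unencrypted rows of A*s plus one unit row per guess."""
    m = len(A)
    rows = [A[i] for i in range(r, m)] + [[int(j == g) for j in range(m)] for g in guesses]
    return rref(rows)[1]

def demo(seed=7):
    rng, (m, n, r) = random.Random(seed), (4, 5, 2)  # constructed demo parameters
    A = solve(vandermonde([1, 2, 3, 4]), vandermonde([5, 6, 7, 8]))  # A = V1^-1 * V2
    M = [[rng.randrange(P) for _ in range(n)] for _ in range(m)]
    key, nonce = b"shared-demo-key!", b"gen00001"  # pre-shared key, per-generation nonce
    packets = source_encode(M, A, r, key, nonce)
    received = []
    while (decoded := sink_decode(received, A, r, key, nonce)) is None:
        received.append(relay_mix(packets, rng))  # the sink collects until decodable
    return {"theorem1": no_singular_square_submatrix(A), "plain": M, "decoded": decoded,
            "rank_r_minus_1_guesses": wiretapper_rank(A, r, [0]),
            "rank_r_guesses": wiretapper_rank(A, r, [0, 1])}
```

With m = 4 and r = 2, the wiretapper's system over one plaintext column has rank 3 after one guess (a free variable remains) and rank 4 only after r = 2 correct guesses, matching the threshold of r-1 in Theorem 2.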

It has to be said, though, that the efficiency of the source coding is even more important than security in some scenarios such as real-time or resource-constrained networks. We observe that the proposed scheme may consume considerable computation resources for the encryption operation, and the resulting coding complexity may still be a burden for some resource-constrained systems. To overcome this issue, an alternative, smarter scheme is designed for more general circumstances in the following section; it particularly features lower encryption overhead for those special applications.


5. An Alternative Scheme With Low Encryption Overhead

Recall that the basic scheme just described can achieve the maximum possible rate for transmission. In reality, trading security overhead against bandwidth usage is a feasible way to improve the system efficiency for practical requirements. A small bandwidth sacrifice can be exchanged for a great reduction in security overhead, from which a lightweight scheme with low encryption overhead is obtained based on the basic scheme.

5.1 Construction

As in the basic scheme, the key pre-distribution is first performed in advance. The details of this scheme as performed at the source and sinks are described as follows:

(1) Secure Source Coding

1) Generates two public m×m Vandermonde matrices V1 = V(a1,a2,...,am), V2 = V(b1,b2,...,bm) over Fq, and r vectors Δi = (i=1,2,...,r), where the σi are chosen uniformly at random from all non-zero elements of Fq.

2) Computes .

3) Chooses a pre-determined integer set {i1,i2,...,ir}⊂{1,2,...,m} and constructs an encoding matrix where |A*|≠0 and

4) Computes .

Obviously, the encoding matrix A* is generated by three Vandermonde matrices V1, V2 and .

5) Encrypts σk into βk = E(σk), k = 1,2,...,r. When k = i1,i2,...,ir, βk is attached as the prefix of the vector wk; otherwise, an arbitrary element βk of Fq is padded as the prefix of wk (k≠i1,i2,...,ir).

6) Generates the packets pi (i=1,2,...,m) in the following form, composed by prefixing zi = wi with the ith unit vector of dimension m, i.e.,

The packets p1,p2,...,pm are then sent into the network using the standard RLNC protocol. Another operation instance with m = 3, r = 1 for secure source coding is illustrated in Fig. 2.

Fig. 2. Illustration of the operations at the source when m = 3, r = 1 and i1 = 1. Note that , zi = wi, but β2, β3 are padded with two arbitrary elements from Fq.

(2) Decoding at Sinks

Every sink first decodes the packets p1,p2,...,pm using Gaussian elimination, and then decrypts βk (k = i1,i2,...,ir). Finally, the plaintext generation matrix M is recovered at the sink through the matrix A*.

5.2 Security Analysis

The alternative scheme is a variant and extension of the basic scheme, characterized by lightweight security with fewer encryption operations performed. Under the same assumptions, the security of the alternative scheme is discussed similarly to that of the basic scheme.

We first state a lemma.

Lemma 1: Let the plaintext data be a vector m = (m1,m2,...,mm) whose components mi, i = 1,2,…,m, are random symbols independently and uniformly distributed over Fq, and let β be a random symbol chosen from Fq. If η = (η1,η2,...,ηm) = (β, β2,..., βm) and δ = μ·η, then the mutual information between μ and δ is zero.

Proof: The lemma is straightforward. Actually, we have that

According to the chain rule of entropy, we have

where denotes an observation or realization of the random variable μi. In the following, we only analyze the case . Note that δ = μ·η, so we have

where (5) and (6) follow from and ηi = βi. Eq. (7) is valid because β is independent of μm.

Furthermore, since the random symbols mi (i = 1,2,...,m) are independently and uniformly distributed over Fq, we have that

On the other hand, the mutual information I(μ;δ) is never less than 0, so it follows that I(μ;δ) = 0 from Eq. (3) and Eq. (4).

Theorem 3: For a computationally bounded wiretapper, the alternative scheme satisfies the criterion of practical security.

Proof: Without loss of generality, we set ri = i (i=1, 2,..., r) and assume the wiretapper has the ability to guess at most r-1 plaintext symbols. We only analyze the two typical cases that are the most favorable to the wiretapper. For the same reason as in Theorem 2, only the first column of the generation plaintext matrix M, i.e., s = (v11,v21,...,vm1), is considered herein.

1) Case 1: If the wiretapper tries to reveal the secret set β1, β2,..., βr, his only option is to guess any r-1 secret symbols of the set (take β1, β2,..., βr-1 as an example). However, there still remains a free unknown variable βr, which means that the wiretapper cannot collect enough meaningful information to construct A*.

2) Case 2: The wiretapper chooses to extract the plaintext information of the vector s. According to Lemma 1, he has no ability to get any meaningful information about s even if z1, z2,..., zm are all known to him. By the discussion in Theorem 2, we can conclude that the alternative scheme can resist any r-1 guesses of any one plaintext vector.

Generally, the same conclusion holds when the wiretapper guesses any r-1 symbols out of β1, β2,..., βr and s taken together. In a nutshell, the alternative scheme satisfies the practical security criterion and guarantees practical security against wiretapping in general scenarios.


6. Performance Analysis

In this section, we discuss the performance of the proposed schemes in terms of computational complexity and communication overhead. Besides, the main security characteristics of both schemes are elaborated on as well.

6.1 Computational Complexity

The analysis of the computation overhead of both schemes consists of three parts: (1) matrix-vector multiplication; (2) encryption; (3) decoding at the sinks. As part of the publicly transmitted message, the matrices V1 and V2 can be generated offline, so the computation cost of constructing them can be neglected in the following discussion.

(1) Matrix-vector multiplication

1) Analysis of the basic scheme

Compared to the standard rule of matrix-vector multiplication, the Vandermonde or inverse Vandermonde matrix-vector multiplication can be more efficient. As pointed out in [23], the computational complexity is at most O(mlog2 m) rather than the O(m2) of generic matrices. To reduce the computation overhead, the encoding of one generation plaintext matrix M by left multiplication with A, i.e., A·M, can be computed by multiplying M by two matrices in turn, i.e., ·(V2·M). Since one generation of plaintext data is composed of n column vectors, we can conclude that the computational complexity of this part in the basic scheme is O(mnlog2 m).

Also, the complexity of this part can be further improved in the case where m is a divisor of q-1 and the two Vandermonde matrices are generated by two elements of Fq of order m respectively [23]. Under this setting, the encoding operations in this phase can be performed in at most O(mnlogm) by using the Fast Fourier Transform (FFT).

2) Analysis of the alternative scheme

Different from the basic scheme, the source in the alternative scheme needs to perform standard matrix-vector multiplication, so the computational complexity for matrix-vector multiplication is O(m2n), plus O(rm) for generating the Vandermonde matrix V3. In network coded applications, the scheme does not increase the overall computation overhead, because Gaussian elimination is already required for the decoding of network coding, which always has the same computational complexity, i.e., O(m2n).

In sum, the proposed schemes present several advantages in source coding complexity. In [13], [14], it is not an easy task to find a suitable source coding matrix over a large coding field that exactly satisfies the practical security, which greatly lowers the coding efficiency. More seriously, the lack of scalability is the primary reason restraining the existing schemes of this kind in applications. As stated in [13], the choice of the source coding matrix is also dependent on the particular network topology and the underlying network code, which severely impacts the applications of network coding. In contrast, the coding matrix at the source in this paper is easy and efficient to construct. Because the plaintext data are not encoded with a random matrix as in [17], [18], the proposed schemes can prevent global wiretapping more efficiently.

(2) Encryption

The encryption of the secret symbols can be efficiently implemented using a symmetric cipher, such as a block cipher operated in counter (CTR) mode [24]. The parameters of the adopted cipher should be adjusted to approximate these criteria [25].

Different from the schemes in [17], [18], the proposals do not additionally hide the encoding matrix itself, and thus greatly reduce the encryption overhead. In contrast, the encryption volume per generation of the proposals is reduced from nr in the basic scheme to r in the alternative scheme, while this volume in [17], [18] is as high as m(m+n). Obviously, both proposals are characterized by manageable complexity and lightweight encryption overhead.

(3) Decoding at the sinks

Based on the above discussion, a sink needs to take at most O(mnlog2 m) or O(m2n) algebraic operations in the basic and alternative schemes respectively, after decoding using Gaussian elimination and decryption.

6.2 Communication Overhead

Since the encoding matrix A can be public, the maximum rate can be achieved using the basic scheme without trading off the throughput. Unlike the schemes in [13], [14], the implementations of the proposed schemes do not require a large field or extension field for secure coding, so that computation and bandwidth resources can be further saved. Compared to the basic scheme, the alternative scheme also features lower security overhead, while its ability to reduce the encryption volume comes at the cost of a small bandwidth penalty. Luckily, this communication overhead is still far less than that of the schemes in [17], [19], where the precoding matrix must be exchanged securely online between the source and sinks.

As stated in Section 3, the proposed schemes require shared secret keys between the source and the several legitimate destinations. There has been considerable research providing security solutions for the key pre-distribution mechanism in multicast. While the specifics of the key pre-distribution mechanism are not the central topic of this paper, excellent solutions including offline key pre-distribution or broadcast encryption [26] can be commonly recommended here. Before the proposals run, the secret key has been generated and shared among all authorized participants in advance, which brings some bandwidth overhead of about O(log2n) during the start-up time (n denotes the number of authorized participants in the network). Notice that the key distribution does not pertain to the main body of the proposed scheme itself, so it is easy to see that the additional overhead brought by the key distribution does not affect the lightweight nature of the proposed schemes in traffic. Thus, the overhead for secret key sharing is omitted in the following analysis.

Table 1 shows that the proposed schemes enjoy important advantages over the existing schemes.

Table 1. Comparisons between the proposals and the existing typical schemes

6.3 Measurable and Tunable Security

From the proofs of Theorems 2 and 3, both schemes provide security against global wiretapping with a measurable degree, evaluated by the metric "mutual information" [27]. In fact, both schemes can resist up to r-1 guesses at any column vector of any generation plaintext. Furthermore, the security degree provided by the proposed schemes can be finely tuned, since r is a tunable system parameter that characterizes different security configurations. Therefore, the proposals offer a tunable and efficient security service without taking environment and/or application characteristics explicitly into account. Meanwhile, the optimal tradeoff between the security requirement and computational complexity can be achieved easily.

6.4 An Implementation Example

To support our discussion, this section presents a practical implementation using AES. Here, the source wants to transmit a file of 200 megabytes to the receivers. The file is encoded into 655,360 generations of 320 bytes each. Every generation is represented as an 8×20 matrix V in , i.e., m = 8, n = 20. To secure the communication, the source applies the proposed basic scheme to each generation in the same way.

According to the statements in Sections 3 and 5, the example needs to encrypt 20 and 1 plaintext symbols per generation in the basic and alternative schemes respectively when r = 1; the corresponding encryption ratios are 20/160 = 12.5% and 1/160 = 0.625%, so the encryption volumes for the transmission of the file are 25 and 1.25 megabytes. In contrast, the amounts are as high as 80 megabytes and 49 megabytes in [17] and [19] respectively.
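To make the tunable-cost picture concrete, the following added Python (not from the paper) reproduces the Section 6.4 figures and extends them to every admissible value of r. It assumes a 2-byte field symbol (320 bytes per 8×20 generation) and that the basic scheme encrypts r·n symbols and the alternative scheme r symbols per generation, which generalises the r = 1 case stated above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Generation:
    m: int             # rows of the generation matrix V (m = 8 in the paper)
    n: int             # columns of V (n = 20 in the paper)
    symbol_bytes: int  # bytes per field symbol; assumed 2 (320 bytes / 160 symbols)

    @property
    def size_bytes(self):
        return self.m * self.n * self.symbol_bytes

def generation_count(file_bytes, gen):
    """Generations needed for a file; a short final generation is padded."""
    return -(-file_bytes // gen.size_bytes)

def encrypted_symbols(gen, r, scheme):
    """Plaintext symbols encrypted per generation for security parameter r.

    Assumed generalisation of the r = 1 figures in Section 6.4: the basic
    scheme encrypts r coded vectors of n symbols each, the alternative
    scheme encrypts r secret symbols.
    """
    if not 1 <= r <= gen.m:
        raise ValueError("r must satisfy 1 <= r <= m")
    if scheme == "basic":
        return r * gen.n
    if scheme == "alternative":
        return r
    raise ValueError("unknown scheme %r" % scheme)

def encryption_ratio(gen, r, scheme):
    """Fraction of each generation that passes through the block cipher."""
    return encrypted_symbols(gen, r, scheme) / (gen.m * gen.n)

def encryption_volume(file_bytes, gen, r, scheme):
    """Total bytes encrypted for the whole file."""
    per_gen = encrypted_symbols(gen, r, scheme) * gen.symbol_bytes
    return generation_count(file_bytes, gen) * per_gen

def tuning_table(gen):
    """(r, basic ratio, alternative ratio) for every admissible r: how r tunes cost."""
    return [(r, encryption_ratio(gen, r, "basic"), encryption_ratio(gen, r, "alternative"))
            for r in range(1, gen.m + 1)]

# Constructed instance reproducing Section 6.4: 200 MB file, 8x20 generations of 320 bytes.
PAPER = Generation(m=8, n=20, symbol_bytes=2)
FILE_BYTES = 200 * 2**20
```

With r = 1 the functions return 655,360 generations, ratios of 12.5% and 0.625%, and 25 MB and 1.25 MB of encrypted data, matching the text; raising r scales both ratios linearly up to the limit r = m.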


7. Discussion

In this paper, we mainly address the issue of designing practice-oriented security for network coded systems. Meanwhile, several other indispensable issues deserve attention in real applications.

The information-mixing nature of network coding also renders it highly susceptible to "pollution attacks", in which forged packets are injected into the network information flow. The polluted packets propagate quickly, and in the worst case the receivers cannot decode any of the original plaintext data. As a necessary complement to our scheme, the techniques in [28], [29] can be used to mitigate pollution attacks effectively, albeit at some cost in delay and overhead.

To achieve reliable communication over unstable or extreme networks, alternative solutions such as resilient network coding [30] or network error-correcting codes [31] should be introduced to improve robustness against network failures and packet losses/errors. Besides, all forwarders (including the intermediate nodes and the receivers) should reserve a storage buffer for collecting or decoding the coded packets.

Which of the proposals in this paper is selected for a concrete application requires a comprehensive consideration of the tradeoff between security complexity and communication overhead. From the above analysis, the basic scheme features low communication overhead, while the alternative scheme is characterized by lightweight security complexity. Although the first can achieve the maximum network throughput, the second shows more promising potential for applications due to its lower security penalty.


8. Conclusion

In this paper, we focus on how to achieve practically secure network coding against global wiretapping in an efficient way instead of encrypting all transmitted symbols. The basic idea is to exploit the algebraic structures of systematic MDS erasure codes and Vandermonde matrices by means of traditional cryptographic techniques. Under this idea, we propose two effective schemes with low complexity that provide measurable and tunable security levels for different requirements. Under the assumption of zero-error communication, the basic scheme is shown to achieve the maximum possible rate, while the alternative scheme is characterized by low encryption overhead. Both can be deployed on top of any communication network without requiring knowledge of the underlying network code.

Our work has focused only on wiretapping attacks. We note that systematic MDS codes built from matrices with no singular submatrices have been widely used in practical applications to cope with losses of data packets [32]. Intuitively, the proposed schemes have promising potential as an alternative approach to designing secure error-correcting codes (such as the scheme in [33]) against global attackers, which forms part of our future work.

References

  1. R. Ahlswede, N. Cai, S.-Y. R. Li, R. W. Yeung, "Network information flow," IEEE Transactions on Information Theory, vol.46, no.4, pp.1204-1216, 2000. https://doi.org/10.1109/18.850663
  2. R. Koetter, M. Medard, "An algebraic approach to network coding," IEEE/ACM Transactions on Networking, vol.11, no.5, pp.782-795, 2003. https://doi.org/10.1109/TNET.2003.818197
  3. Y. Chen, G. Feng, L. Zhou, "Using network coding to improve robustness and persistence for data transmission in sensor networks," in Proc. of 6th International ICST Conference on Communications and Networking in China (CHINACOM), pp.1170-1175, 2011.
  4. T. Ho, M. Medard, R. Koetter, D. Karger, M. Effros, J. Shi, B. Leong, "A random linear network coding approach to multicast," IEEE Transactions on Information Theory, vol.52, no.10, pp.4413-4430, 2006. https://doi.org/10.1109/TIT.2006.881746
  5. C. Fragouli, E. Soljanin, "Network Coding Applications," Journal of Foundations and Trends in Networking, vol.2, no.2, pp.135-269, 2007. https://doi.org/10.1561/1300000013
  6. R. Du, C. Zhao, F. Zhao, S. Li, "Strategies of network coding against nodes conspiracy attack," Security and Communication Networks, 2013.
  7. N. Cai, R. W. Yeung, "Secure network coding," in Proc. of International Symposium in Information Theory, 2002.
  8. J. Feldman, T. Malkin, C. Stein, R. A. Servedio, "On the capacity of secure network coding," in Proc. of 42nd Annual Allerton Conference on Communication, Control, and Computing, 2004. http://people.csail.mit.edu/jonfeld/pubs/sflow_Allerton04_final.pdf.
  9. L. H. Ozarow, A. D. Wyner, "Wire-tap channel II," AT&T Bell Labs. Tech. J., vol.63, pp.2135-2157, 1984. https://doi.org/10.1002/j.1538-7305.1984.tb00072.x
  10. S. Y. E. Rouayheb, E. Soljanin, A. Sprintson, "Secure network coding for wiretap networks of type II," IEEE Transactions on Information Theory, vol.58, no.3, pp.1361-1371, 2012. https://doi.org/10.1109/TIT.2011.2173631
  11. D. Silva, F.R. Kschischang, "Universal Secure Network Coding via Rank-Metric Codes," IEEE Transactions on Information Theory, vol.57, no.2, pp.1124-1135, 2011. https://doi.org/10.1109/TIT.2010.2090212
  12. F. Cheng, R. W. Yeung, "Performance Bounds on a Wiretap Network with Arbitrary Wiretap Sets," IEEE Transactions on Information Theory, vol.60, no.6, 2014.
  13. K. Bhattad and K. R. Narayanan, "Weakly secure network coding," in Proc. of 1st Workshop on Network Coding, Theory, and Applications (NetCod05), 2005. http://netcod.org/papers/06BhattadN-final.pdf.
  14. D. Silva, F. R. Kschischang, "Universal weakly secure network coding," in Proc. of IEEE Information Theory Workshop on Networking and Information Theory, pp.281-285, 2009.
  15. P. F. Oliveira, L. Lima, T. T. V. Vinhoza, M. Medard, J. Barros, "Trusted Storage over Untrusted Networks," in Proc. of IEEE Global Telecommunications Conference (GLOBECOM), pp.1-5, 2010.
  16. F. Cheng, R. W. Yeung, K. W. Shum, "Imperfect Secrecy in Wiretap Channel II," in Proc. of IEEE International Information Theory (ISIT), 2012.
  17. J. P. Vilela, L. Lima, J. Barros, "Lightweight Security for Network Coding," in Proc. of the IEEE International Conference on Communications (ICC), pp.1750-1754, 2008.
  18. Y. Fan, Y. Jiang, H. Zhu, X. Shen, "An efficient privacy-preserving scheme against traffic analysis in network coding," in Proc. of IEEE INFOCOM'09, pp.2213-2221, 2009.
  19. L. Lima, J. Barros, M. Medard, A. Toledo, "Towards Secure Multiresolution Network Coding," in Proc. of IEEE Information Theory Workshop on Networking and Information Theory (ITW), pp.125-129, Jun.10-12, 2009.
  20. P. Zhang, Y. Jiang, C. Lin, Y. Fan, X. Shen, "P-Coding: Secure Network Coding against Eavesdropping Attacks," in Proc. of IEEE INFOCOM'10, pp.1-9, 2010.
  21. J. Lacan, J. Fimes, "A construction of matrices with no singular square submatrices," in Proc. of the 7th International Conference on Finite Fields and Applications, Lecture Notes in Computer Science, vol.2948, pp.145-147, 2003.
  22. J. Lacan, J. Fimes, "Systematic MDS erasure codes based on Vandermonde matrices," IEEE Communications Letters, vol.8, no.9, pp.570-572, 2004. https://doi.org/10.1109/LCOMM.2004.833807
  23. I. Gohberg, V. Olshevsky, "Fast algorithms with preprocessing for matrix-vector multiplication problems," Journal of Complexity, vol.10, no.4, pp.411-427, 1994. https://doi.org/10.1006/jcom.1994.1021
  24. R. A. Mollin, "An Introduction to Cryptography," CRC Press, 2006.
  25. M. Bellare, A. Desai, E. Jokipii, P. Rogaway, "A concrete security treatment of symmetric encryption," in Proc. of the 38th Annual Symposium on Foundations of Computer Science, pp.394-403, 1997.
  26. M. J. Moyer, J. R. Rao, P. Rohatgi, "A survey of security issues in multicast communications," IEEE Network, vol.13, no.6, pp.12-23, 1999. https://doi.org/10.1109/65.806981
  27. T. M. Cover, J. A. Thomas, "Elements of Information Theory," 2009.
  28. C. Cheng, T. Jiang, "An efficient homomorphic MAC with small key size for authentication in network coding," IEEE Transactions on Computers, vol.2, no.10, pp.2096-2100, 2013.
  29. P. Zhang, Y. Jiang, C. Lin, H. Yao, A. Wasef, and X. Shen, "Padding for orthogonality: Efficient subspace authentication for network coding," in Proc. of IEEE INFOCOM, pp.1026-1034, 2011.
  30. S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, M. Medard, "Resilient Network Coding in the Presence of Byzantine Adversaries," in Proc. of IEEE INFOCOM, pp.616-624, 2007.
  31. Z. Zhang, "Linear network error correction codes in packet networks," IEEE Transactions on Information Theory, vol.54, no.1, pp.209-218, 2008. https://doi.org/10.1109/TIT.2007.909139
  32. F. J. MacWilliams, N. J. A. Sloane, "The Theory of Error-Correcting Codes," New York: North-Holland, 1977.
  33. C. K. Ngai, "Network Coding for Security and Error Correction," Ph.D. Thesis, 2008. http://iest2.ie.cuhk.edu.hk/-whyeung/post/thesis/Ngai.pdf.