Universal Secure Network Coding by Non-linear Precoding

Chung Chan
Institute of Network Coding, The Chinese University of Hong Kong
Email: [email protected], [email protected]

Abstract—A secure network code is devised where the secret is precoded non-linearly at the source node and multicast linearly over the network. It achieves stronger notions of universality and security than the previous linear secure network codes. Unlike the alternative approach of random linear precoding or non-linear secret key agreement, no public channel is required to reveal any coding coefficients or cryptogram.

I. INTRODUCTION

Consider a communication network modeled by a directed acyclic graph, where the nodes and edges represent the users and channels respectively. Each node can encode some information into a data packet in the form of a sequence of symbols up to some chosen length called the packet size, and transmit it over an outgoing edge. The source of information may be a message from the node or the incoming packets received from other nodes. A reliable network code is a specification of how the nodes should encode such that some messages generated at some source nodes at certain rates can be recovered by some designated sink nodes. The network code is linear if the coding operations are linear over some finite field, say $\mathbb{F}_{q^m}$, an element of which is represented by a packet or message of $m$ symbols from a given alphabet of size $q$. If the message can be additionally concealed from a wiretapper who eavesdrops on some subset of the edges, then the network code is secure.

The problem of finding a secure network code that multicasts a secret from a source node to a set of sink nodes was first studied by [2]. A particular security notion of interest is to conceal the secret from a wiretapper who can eavesdrop on any edges up to a given number called the wiretapping rate. For the problem of reliable but not necessarily secure multicast, it is well-known [3] that an optimal linear network code exists achieving the capacity, say $n$ (packets), which is the minimum size of a set of edges the removal of which disconnects all directed paths from the source node to at least one sink node. The field size $q^m$ needs to be large, by making the packet size $m$ large, to ensure that all sink nodes, not just one of them, can observe enough linearly independent packets to recover the message.

If a wiretapper can observe $\mu$ edges, [2] showed that any given reliable linear code can be used to multicast a secret at any rate $l \le n - \mu$ securely by an additional linear precoding step at the source node, which is understood in [4] as the coset coding scheme in [5]. To protect the secret from any choices of $\mu$ packets, not just one of them, the linear precoding is over a large enough extension field $\mathbb{F}_{q^{mk}}$ with some positive integer $k$. To represent an element in the extension field, the packet size is increased to $mk$.

Subsequently, linear secure network coding has been shown to be possible with additional desirable properties as summarized in [10]. [6] showed that it can be universal, in the sense that a precoding scheme linear over $\mathbb{F}_{q^{mk}}$ can provide the desired security simultaneously for all reliable network codes linear over $\mathbb{F}_{q^m}$, provided that $k \ge n$. In particular, the precoding scheme can be constructed from a maximum-rank-distance (MRD) code without the knowledge of the underlying reliable network code nor the network topology, except that the reliable code is linear with coding coefficients defined over the base field $\mathbb{F}_{q^m}$. [7] showed that, with $k \ge n + l$ and the secret uniformly random, an MRD code can be used to construct a precoding scheme that is not only universal but also achieves the stronger notion of security introduced by [8], i.e. even in the case a wiretapper observes $\mu \ge n - l$ packets, the $l$ secret elements can be multicast with every subset of $n - \mu$ elements independent of the wiretapped packets.

In [9], it was pointed out that the universal linear precoding approach can be insecure if the packets are split and merged over the network due to some underlying network protocol. This is because the transmitted packets after splitting and merging appear to be linear over $\mathbb{F}_{q^{mk}}$ instead of $\mathbb{F}_{q^m}$, making the extension $k$ in the precoding step ineffective. A more detailed explanation can be found in [10]. The solution proposed in [9] is to perform random linear precoding so that the wiretapper does not have a complete knowledge of the code to strategically choose which packets to wiretap. The coding coefficients are revealed afterwards using a separate public channel but the communication overhead is quite significant, in the order of $n^2$ symbols over $\mathbb{F}_{q^{mk}}$.

In [10], we considered a stronger universal model where the wiretapping is based on the complete knowledge of the code, which renders the random linear precoding approach insecure. A secure network coding approach by non-linear secret key agreement is proposed. The wiretapped network is used to generate and share uniformly random junk data $x \in \mathbb{F}_q^n$ among the source and sink nodes without any security concern. Then, the source node computes a key $k \in \mathbb{F}_q^l$ as a non-linear function of the random junk data, and uses it to encrypt a secret $s \in \mathbb{F}_q^l$ from the source node by the one-time pad [11]. The cryptogram $c = s + k$ is revealed over a separate public channel so that the sink nodes can recover the secret after computing $k$ from $x$. It turns out that a stronger notion of security can be achieved, in the sense that every $\lambda \le l$ linear combinations of $s$, not just a subset of $\lambda$ elements in $s$, can be asymptotically independent of $c$ and any $\mu \le n - \lambda$ wiretapped linear combinations of $x$. The approach also covers the case of helper nodes generating common randomness in [12] since the random junk data can be generated and multicast by any nodes in the network, not necessarily the source node. The additional encryption step only incurs a communication overhead in the order of the length $l \le n$ of the secret.

In this work, we consider the possibility of removing the communication overhead completely from the non-linear approach in [10], while maintaining a stronger notion of security and universality than linear secure network coding. In particular, the secret is non-linearly precoded at the source node into a coded message, which is then multicast over the wiretap network by some unknown reliable linear network code possibly with splitting and merging of packets. Similar to [9, 10], an asymptotic notion of secrecy is used, where the amount of information leaked to the wiretapper can be nonzero but is required to decay to zero as the wiretapped network is used for a longer time. The non-linear precoding scheme will be described in the next section. Readers may refer to [10] for more detailed explanations of the notions of linear precoding, strong security, universality and non-linear key agreement.

This work was partially supported by a grant from the University Grants Committee of the Hong Kong Special Administrative Region, China (Project No. AoE/E-02/08).

II. NON-LINEAR PRECODING

A reliable linear network code is provided as a black box that allows a source node to multicast a message $x \in \mathbb{F}_q^n$ to the sink nodes. The parameter $q$ is the size of an element in a packet.
It is the basic unit that data can be represented or wiretapped, and cannot be changed by the network code. The network involves a source node and some sink nodes. A wiretapper with wiretapping rate $\mu \le n$ can observe $w = xB$ by choosing any matrix $B \in \mathbb{F}_q^{n \times \mu}$ based on the complete knowledge of the network code. Since the choice of $B$ is arbitrary and not restricted to any coding coefficients, the wiretap model is universal to all linear network codes. Furthermore, since $x$ is not defined over a larger extension field of $\mathbb{F}_q$, the model covers arbitrary splitting and merging of packets as explained in [10], and is therefore stronger than the usual model for linear precoding.

The source node wants to send a uniformly random secret $s \in \mathbb{F}_q^l$ for $l \le n$ by precoding $x$ at the source node. We consider a non-linear precoding scheme where $x = \theta(s, r)$ for some invertible non-linear precoding function $\theta : \mathbb{F}_q^n \mapsto \mathbb{F}_q^n$ and some uniformly random junk data $r \in \mathbb{F}_q^{n-l}$ independent of $s$. The sink nodes can recover $s$ from $x$ simply by inverting $\theta$. Compared to the random linear precoding in [9], the function $\theta$ is not randomly chosen during transmission but fixed a priori, while, compared to the non-linear secret key agreement in [10], the secret is directly sent through the network instead of additionally encrypted and sent over a separate public channel.

Thus, there is no additional communication overhead required to reveal the coding coefficients or a cryptogram. Note also that if $\theta$ were linear instead, the sink node would recover the secret by a linear decoding function $s = xD$. This would be insecure under the current wiretap model since the wiretapper could always recover part of the secret by choosing $B$ as a submatrix of columns from $D$.

We will consider a stronger notion of security than [8] in the sense that the security requirement is imposed on linear combinations of the secret elements, not just some subsets of them. More precisely, we use the following secrecy index to measure the security of every $\lambda \le l$ linear combinations of the secret against every $\mu \le n - l - \nu$ wiretapped packets, where the non-negative integer $\nu \le n$ is the gap between $\lambda + \mu$ and $n$ required for security. For $\nu \in \{0, \dots, n\}$,

$$\varsigma_n^\theta(\nu) := \max\,[\lambda - H(sA \mid xB = w)] \ge \max I(sA \wedge xB) \tag{1}$$

where $A \in \mathbb{F}_q^{l \times \lambda}$ and $B \in \mathbb{F}_q^{n \times \mu}$ are matrices of ranks $\lambda$ and $\mu$ respectively, and $w$ is a vector in the row space of $B$. All logarithms are taken base $q$, including the ones in the definitions of the entropy $H$ and mutual information $I$ [3]. The maximizations are over all choices of $\lambda, \mu, A, B, w$ with

$$\lambda + \mu + \nu \le n. \tag{2}$$
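As an added numerical illustration (not code from the paper), the Python sketch below evaluates the leakage term λ − H(sA | xB = w) of (1) by exhaustive search for q = 2, n = 8, l = 2 and λ = µ = 1, comparing a random invertible linear precoder with a precoder drawn uniformly from all permutations of F_2^n. The bit-packing of (s, r), the function names and the seed are assumptions of this example.

```python
import math
import random
from functools import reduce
from itertools import combinations, product
from operator import xor

def parity(v):
    return bin(v).count("1") & 1

def project(v, cols):
    """Row vector v (bitmask) times a matrix over F_2 given by its columns (bitmasks)."""
    return tuple(parity(v & c) for c in cols)

def independent_sets(dim, size):
    """All sets of `size` linearly independent columns in F_2^dim."""
    for cols in combinations(range(1, 1 << dim), size):
        # independent over F_2 iff no non-empty subset XORs to zero
        if all(reduce(xor, sub) for k in range(1, size + 1)
               for sub in combinations(cols, k)):
            yield cols

def leak(theta, l, A, B, w):
    """lambda - H(sA | xB = w) in bits (log base q = 2).

    theta[z] = x, where the low l bits of z hold the secret s and the
    remaining bits hold the junk r (a packing assumed for this example).
    """
    mask = (1 << l) - 1
    counts = {}
    for z, x in enumerate(theta):
        if project(x, B) == w:              # x lies in the coset {x : xB = w}
            a = project(z & mask, A)        # value of sA for this x
            counts[a] = counts.get(a, 0) + 1
    total = sum(counts.values())
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    return len(A) - entropy

def worst_leak(theta, n, l, lam, mu):
    """Maximum leakage over all rank-lam A, rank-mu B and observations w."""
    return max(leak(theta, l, A, B, w)
               for A in independent_sets(l, lam)
               for B in independent_sets(n, mu)
               for w in product((0, 1), repeat=mu))

def linear_precoder(n, rng):
    """theta(z) = zG for a random invertible matrix G over F_2 (rows as bitmasks)."""
    while True:
        rows = [rng.randrange(1, 1 << n) for _ in range(n)]
        theta = [0] * (1 << n)
        for z in range(1 << n):
            for i in range(n):
                if z >> i & 1:
                    theta[z] ^= rows[i]
        if len(set(theta)) == 1 << n:       # bijective, hence G is invertible
            return theta

def permutation_precoder(n, rng):
    """theta drawn uniformly from all (2^n)! permutations of F_2^n."""
    theta = list(range(1 << n))
    rng.shuffle(theta)
    return theta

N, SECRET_LEN = 8, 2

def demo(seed=2012):
    rng = random.Random(seed)
    lin = worst_leak(linear_precoder(N, rng), N, SECRET_LEN, 1, 1)
    per = worst_leak(permutation_precoder(N, rng), N, SECRET_LEN, 1, 1)
    return lin, per

if __name__ == "__main__":
    lin, per = demo()
    print(f"linear precoder      : worst leak = {lin:.4f} bits")
    print(f"permutation precoder : worst leak = {per:.4f} bits")
```

For the linear precoder the search always finds a single wiretapped combination that reveals one secret bit completely, which is the choice of B as a column of D described above; the permutation precoder leaves the wiretapper with only a small bias.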

The lower bound on (1) follows from the standard information-theoretic arguments [3] that $\lambda \ge H(sA)$, $\max_w -H(sA \mid xB = w) \ge -H(sA \mid xB)$ and $I(sA \wedge xB) = H(sA) - H(sA \mid xB)$.

As in [9, 10], we consider an asymptotic notion of security instead of the perfect secrecy [11]. More precisely, a sequence of $\theta$ in $n$ is considered strongly secure if $\varsigma_n^\theta(\nu)$ decays to zero with $\nu \ge \gamma n$ for all positive $\gamma \in (0, 1]$ independent of $n$. The convergence rate is measured in terms of the secrecy exponent defined as follows. A secrecy exponent $S : [0, 1] \mapsto \mathbb{R}$ is said to be achievable if there exists a sequence of $\theta$ in $n$ with

$$\liminf_{n \to \infty} \min_{\nu \in \{0, \dots, n\}} \left[ -\frac{1}{n} \log \varsigma_n^\theta(\nu) - S\!\left(\frac{\nu}{n}\right) \right] \ge 0 \tag{3}$$

which equivalently means that we have for some $\delta_n \to 0$

$$\varsigma_n^\theta(\nu) \le q^{-n\left(S\left(\frac{\nu}{n}\right) - \delta_n\right)} \tag{4}$$

for all $\nu \in \{0, \dots, n\}$. We have the desired strong security if an achievable $S$ exists with $S(\gamma) > 0$ for all $\gamma \in (0, 1]$. This is possible by the following main theorem.

Theorem 1 $S(\gamma) := \gamma/2$ is achievable. □

PROOF As in [10], the desired non-linear precoding scheme exists by a random coding argument, i.e. we will consider a random ensemble of precoding functions and show by the method of types [13] that the probability it does not achieve the secrecy exponent is strictly smaller than one, implying the desired code exists in the ensemble. Unlike the random linear precoding in [9], the desired code can be revealed to everyone, including the wiretapper before he chooses which edges to wiretap. The method of types argument will also be different from the one applied in [10], primarily because the precoding function here needs to be invertible but the secret key function there does not.

For the random coding argument, we choose the precoding function $\theta : \mathbb{F}_q^n \mapsto \mathbb{F}_q^n$ uniformly randomly from the set of $q^n!$ permutations on $\mathbb{F}_q^n$. By the definition (3) of the secrecy exponent, we want to show that, for any choice of $\lambda, \mu, \nu, A, B, w$ in (1) satisfying (2), the amount $\lambda - H(sA \mid xB = w)$ of leaked information can decay to zero with exponent $\gamma/2$ if $\nu/n \to \gamma$. More precisely, we will regard $H(sA \mid xB = w)$ as a random variable with randomness due to the random choice of $\theta$, and show that the desired convergence can happen with non-zero probability.

For the non-trivial case $1 \le \lambda \le l$ and $1 \le \mu$, define

$$K := \mathbb{F}_q^\lambda = \{sA : s \in \mathbb{F}_q^l\}$$
$$L := \{x \in \mathbb{F}_q^n : xB = w\}$$

$K$ is the support set of $sA$ containing $|K| = q^\lambda$ elements since $A$ has rank $\lambda$. $L$ is the possible values of $x$ to a wiretapper who observes $xB = w$. By linearity, it is a coset of size $|L| = q^{n-\mu}$ since $B$ has rank $\mu$. $H(sA \mid xB = w)$ can be computed from the distribution of $sA$ over $K$ given $x \in L$. To do so, define $\varphi : L \mapsto K$ in terms of $\theta$ as

$$\varphi(\beta) = \theta^{-1}(\beta) \begin{bmatrix} A \\ 0 \end{bmatrix} \quad \text{for } \beta \in L$$

where $\theta^{-1}$ denotes the inverse of $\theta$ and $0$ is a zero matrix with $n - l$ rows. To a wiretapper who observes $xB = w$, $x$ is uniformly distributed over $L$ since $x$ is a bijection $\theta$ of the uniformly random $s$ and $r$. Since $sA = \varphi(x)$ by definition, the probability of $sA = \alpha \in K$ is proportional to the number of $\beta \in L$ with $\varphi(\beta) = \alpha$. More precisely, define the type of a function $g : L \mapsto K$ by the empirical distribution

$$Q(\alpha) = \frac{|\{\beta \in L : g(\beta) = \alpha\}|}{|L|} \quad \text{for } \alpha \in K$$

Let $P$ be the set of all possible types, and $T_Q$ be the type class of all possible functions $g$ of a given type $Q \in P$. Given $\varphi \in T_Q$, there are $|L|Q(\alpha)$ distinct values of $\beta \in L$ with $\varphi(\beta) = \alpha$, which implies under the uniformity of $x$ that $\Pr\{sA = \alpha \mid xB = w\} = Q(\alpha)$ and so $H(sA \mid xB = w) = H(Q)$. Thus, for $\delta \ge 0$,

$$\Pr\{\lambda - H(sA \mid xB = w) \ge \delta\} = \sum_{Q \in P : \lambda - H(Q) \ge \delta} \Pr\{\varphi \in T_Q\} \le |P| \max_{Q \in P : \lambda - H(Q) \ge \delta} \left[ |T_Q| \max_{g \in T_Q} \Pr\{\varphi = g\} \right] \tag{5}$$

where the last inequality is obtained by rewriting $\Pr\{\varphi \in T_Q\}$ as $\sum_{g \in T_Q} \Pr\{\varphi = g\}$, and then bounding each term in the sum over $g$ by the maximum over $g$, and each term in the sum over $Q$ by the maximum over $Q$. The cardinalities in (5) satisfy

$$|P| \le (|L| + 1)^{|K|} \tag{6}$$
$$|T_Q| = \frac{|L|!}{\prod_{\alpha \in K} (|L|Q(\alpha))!} \tag{7}$$

where (6) is because each $Q(\alpha)$ has at most $(|L| + 1)$ possible values, namely $\{0, \frac{1}{|L|}, \dots, \frac{|L|}{|L|}\}$. To explain (7), represent $g \in T_Q$ by an ordered sequence $g := (g(\beta) : \beta \in L)$ for some ordering of $L$. Then, $|T_Q|$ is the number of $g$ with $|L|Q(\alpha)$ elements of $\alpha$ for all $\alpha \in K$, which is (7) by some standard combinatorial arguments. To compute $\Pr\{\varphi = g\}$ in (5), define

$$M(\alpha) := \left\{ z \in \mathbb{F}_q^n : z \begin{bmatrix} A \\ 0 \end{bmatrix} = \alpha \right\} \quad \text{for } \alpha \in K.$$

n.b. $M(\alpha)$'s are $|K| = q^\lambda$ cosets that partition $\mathbb{F}_q^n$ and the size of each coset $M(\alpha)$ is equal to $|M| = q^{n-\lambda}$ independent of $\alpha \in K$. By definition, the event $\varphi(\alpha) = g(\alpha)$ for all $\alpha \in K$ can be equivalently stated as the event that $\theta^{-1}(\beta) \in M(g(\beta))$ for all $\beta \in L$. The probability of $\theta^{-1}(\beta) \in M(g(\beta))$ is $\frac{|M|}{q^n}$ for any $\beta \in L$ because there are $|M|$ desired values and $q^n$ possible values for $\theta^{-1}(\beta)$, and $\theta^{-1}$ is a uniformly random permutation since $\theta$ is. However, given that $\theta^{-1}(\beta) \in M(g(\beta))$, the probability that another $\beta' \ne \beta \in L$ has $\theta^{-1}(\beta') \in M(g(\beta'))$ is equal to $\frac{|M| - 1}{q^n - 1}$ if $g(\beta') = g(\beta)$, and equal to $\frac{|M|}{q^n - 1}$ if $g(\beta') \ne g(\beta)$. This is because $\theta^{-1}$ is a bijection and so we have the restriction that $\theta^{-1}(\beta') \ne \theta^{-1}(\beta)$. Continuing this argument, we have

$$\Pr\{\varphi = g\} = \frac{\prod_{\alpha \in K} \prod_{i=0}^{|L|Q(\alpha) - 1} (|M| - i)}{\prod_{i=0}^{|L| - 1} (q^n - i)} \quad \text{for } g \in T_Q \tag{8}$$

which is simply $\max_{g \in T_Q} \Pr\{\varphi = g\}$ since it depends on $g$ only through $Q$. Consider the non-trivial case where $Q$ satisfies $|L|Q(\alpha) \le |M|$ for all $\alpha \in K$. We have by (7) and (8)

$$\Pr\{\varphi \in T_Q\} = |T_Q| \max_{g \in T_Q} \Pr\{\varphi = g\} \tag{9}$$
$$= \frac{|L|! \prod_{\alpha \in K} \prod_{i=0}^{|L|Q(\alpha) - 1} (|M| - i)}{\left[ \prod_{\alpha \in K} (|L|Q(\alpha))! \right] \prod_{i=0}^{|L| - 1} (q^n - i)}$$
$$= \binom{q^n}{|L|}^{-1} \prod_{\alpha \in K} \binom{|M|}{|L|Q(\alpha)} \tag{10}$$

where $\binom{n'}{k'} := \frac{\prod_{i=0}^{k'-1} (n' - i)}{k'!}$ denotes the binomial coefficient for non-negative integers $n' \ge k' \ge 0$. It can be interpreted as the number of binary sequences with $k'$ ones and $n' - k'$ zeros. In the language of the method of types, it is the size of the class of $n'$-sequences of type $Q'$ with $Q'(1) = k'/n'$ and $Q'(0) = (1 - k'/n')$. It can be bounded as in [13, Lemma 2.3] by

$$\frac{1}{n' + 1} q^{n' h\left(\frac{k'}{n'}\right)} \le \binom{n'}{k'} \le q^{n' h\left(\frac{k'}{n'}\right)}$$

where $h : [0, 1] \mapsto [0, 1]$ is the entropy function defined as

$$h(p) := -p \log p - (1 - p) \log(1 - p) \tag{11}$$

again with the logarithm taken base $q$. Applying this to (10),

$$\Pr\{\varphi \in T_Q\} \le (q^n + 1)\, q^{-q^n h\left(\frac{|L|}{q^n}\right)} \prod_{\alpha \in K} q^{|M| h\left(\frac{|L|Q(\alpha)}{|M|}\right)}$$
$$\le q^{2n}\, q^{-q^n \left[ h(q^{-\mu}) - q^{-\lambda} \sum_{\alpha \in K} h(q^{\lambda - \mu} Q(\alpha)) \right]}$$

where the last inequality is obtained by applying $q^n + 1 \le q^{2n}$, $|K| = q^\lambda$, $|L| = q^{n-\mu}$ and $|M| = q^{n-\lambda}$. n.b. the bracketed expression $h(q^{-\mu}) - q^{-\lambda} \sum_{\alpha \in K} h(q^{\lambda - \mu} Q(\alpha))$ is zero if $Q$ is uniform, i.e. $Q(\alpha) = \frac{1}{|K|}$ for all $\alpha \in K$. If $Q$ differs from the uniform distribution with the variational distance

$$\Delta := \sum_{\alpha \in K} \left| Q(\alpha) - \frac{1}{|K|} \right| \tag{12}$$

then we can apply Proposition 1 in the appendix to lower bound the bracketed term by $q^{-\mu} \Delta^2 \frac{\log e}{6}$ with $p = q^{-\mu} \le \frac{1}{2}$ in (14). Thus, we have

$$\Pr\{\varphi \in T_Q\} \le q^{2n}\, q^{-q^{n-\mu} \Delta^2 \frac{\log e}{6}} \tag{13}$$

We want to upper bound this probability by lower bounding $\Delta$ for all $Q$ satisfying $\lambda - H(Q) \ge \delta$ specified in (5). By Proposition 2 in the appendix, we have

$$\delta \le \lambda - H(Q) \le \Delta \log \sqrt{e|K|} \le \Delta \frac{\lambda + \log e}{2} \le 2n\Delta$$

where we have also applied $|K| = q^\lambda$ and $\lambda \le n$. It follows that $\Delta \ge \delta \frac{1}{2n}$ and so (5) can be bounded using (9) and (13) as

$$\Pr\{\lambda - H(sA \mid xB = w) \ge \delta\} \le |P| \cdot q^{2n}\, q^{-q^{n-\mu} \delta^2 \frac{\log e}{24n^2}}$$
$$\le q^{n q^\lambda} q^{2n} \cdot q^{-q^{\lambda + \nu} \delta^2 \frac{\log e}{24n^2}}$$
$$= q^{2n + \frac{\log e}{24n^2} q^\lambda \left( \frac{24n^3}{\log e} - q^\nu \delta^2 \right)}$$

The last inequality is obtained by applying (2) that $n - \mu \ge \lambda + \nu$ and (6) that $|P| \le (|L| + 1)^{|K|} = (q^{n-\mu} + 1)^{q^\lambda} \le q^{n q^\lambda}$ since $|L| = q^{n-\mu}$, $|K| = q^\lambda$, $\mu \ge 1$, $q \ge 2$ and $n \ge 1$. Choose $\delta = q^{-n\left(S\left(\frac{\nu}{n}\right) - \delta_n\right)} = q^{-\frac{\nu}{2} + n\delta_n}$ for some $\delta_n \to 0$. Summing the above probability over $\lambda, \mu, \nu, A, B, w$ gives the union bound

$$\Pr\left\{ \exists \nu \in \{0, \dots, n\},\ \varsigma_n^\theta(\nu) \ge q^{-n\left(S\left(\frac{\nu}{n}\right) - \delta_n\right)} \right\} \le \sum_{\lambda, \mu, \nu, A, B, w} q^{2n + \frac{\log e}{24n^2} q^\lambda \left( \frac{24n^3}{\log e} - q^\nu q^{-\nu + 2n\delta_n} \right)}$$
$$\le n^3 q^{2n^2 + n} \cdot q^{2n} \max_\lambda q^{\frac{\log e}{24n^2} q^\lambda \left( \frac{24n^3}{\log e} - q^{2n\delta_n} \right)}$$

We want to choose $\delta_n \to 0$ appropriately so that the above upper bound is strictly smaller than 1, i.e. the desired sequence of $\theta$ satisfying (4) exists. To do so, we first make the bracketed term $\frac{24n^3}{\log e} - q^{2n\delta_n} \le -q^{2n\delta_n}/2$ by requiring that $\frac{48n^3}{\log e} \le q^{2n\delta_n}$, i.e. $\delta_n \ge \frac{1}{2n} \log \frac{48n^3}{\log e}$. This is possible with $\delta_n \to 0$. With this, the maximization over $\lambda$ above becomes

$$\max_\lambda q^{-\frac{\log e}{48n^2} q^\lambda q^{2n\delta_n}} \le q^{-\frac{\log e}{48n^2} q^{2n\delta_n}}$$

which is obtained by setting $\lambda = 0$ since the expression to maximize is non-increasing in $\lambda$. The overall bound becomes

$$\Pr\left\{ \exists \nu,\ \varsigma_n^\theta(\nu) \ge q^{-n\left(S\left(\frac{\nu}{n}\right) - \delta_n\right)} \right\} \le q^{2n^2 + 3n + 3\log n - \frac{\log e}{48n^2} q^{2n\delta_n}}$$

which is strictly smaller than 1 as desired if we can set $\delta_n > \frac{1}{n} \log \frac{48n^2 (2n^2 + 3n + 3\log n)}{\log e}$. This is possible with $\delta_n \to 0$. ∎

III. CONCLUSION

We have described a secure network coding scheme by non-linear precoding that is universal to a general class of linear networks with splitting and merging of packets, and that protects not only subsets of secret elements but also their linear functions. Compared to the other approach by non-linear secret key agreement, the achievable secrecy exponent is halved, but no separate public channel is required. An explicit construction remains to be found.

APPENDIX

Proposition 1 For all $p \in [0, \frac{1}{2}]$, positive integer $k$ and a distribution $Q$ over the finite set $K$, we have

$$h(p) - \frac{1}{|K|} \sum_{\alpha \in K} h(p|K|Q(\alpha)) \ge p\Delta^2 \frac{\log e}{6} \tag{14}$$

where $h$ is the entropy function in (11), $\Delta$ is the variational distance in (12) between $Q$ and the uniform distribution, and $e$ is the natural number. □

PROOF Consider the non-trivial case where $p \ne 0$. By Taylor's theorem, we have for all $\epsilon \in [-p, 1 - p]$,

$$h(p + \epsilon) = h(p) + h'(p)\epsilon + \frac{h''(\xi)}{2} \epsilon^2$$

for some real number $\xi$ between $p$ and $p + \epsilon$, where $h'(p) = \log \frac{1-p}{p}$ and $h''(p) = -\frac{\log e}{p(1-p)}$ are the first and second order derivatives of $h(p)$ with respect to $p$. n.b. $h''(x)$ is non-decreasing in $x \in (0, \frac{1}{2}]$ and non-increasing in $x \in [\frac{1}{2}, 1)$. Thus, $h''(\xi)$ with $\xi$ between $p$ and $p + \epsilon$ can be upper bounded by $h''(p + \epsilon)$ if $\epsilon \in [0, \frac{1}{2} - p]$, and by $h''(\frac{1}{2})$ if $\epsilon \in (\frac{1}{2} - p, 1 - p]$. For negative $\epsilon \in [-p, 0)$, $h''(\xi)$ is upper bounded by $h''(p)$, which in turn is upper bounded by $h''(p + |\epsilon|)$ for $|\epsilon| \le \frac{1}{2} - p$ and $h''(\frac{1}{2})$ otherwise. Applying these bounds, we have

$$h(p) + h'(p)\epsilon - h(p + \epsilon) = -\frac{h''(\xi)}{2} \epsilon^2 \ge g_p(\epsilon) \tag{15}$$

where

$$g_p(\epsilon) := \begin{cases} \epsilon^2 \dfrac{-h''(p + |\epsilon|)}{2} = \epsilon^2 \dfrac{\log e}{2(p + |\epsilon|)(1 - p - |\epsilon|)}, & |\epsilon| \le \frac{1}{2} - p \\[2ex] \epsilon^2 \dfrac{-h''(\frac{1}{2})}{2} = \epsilon^2 (2 \log e) & \text{otherwise} \end{cases}$$

It is easy to see that $g_p(\epsilon)$ is a continuous even function in $\epsilon$, which is convex over $\epsilon < -\frac{1}{2} + p$ and over $\epsilon > \frac{1}{2} - p$. Indeed, it is also convex over the entire interval. In particular, it can be shown that $g_p(\epsilon)$ is differentiable at $\epsilon = 0$ and $\frac{1}{2} - p$ with slope equal to $0$ and $2(1 - 2p) \log e$ respectively. The second derivative of $g_p(\epsilon)$ for $\epsilon \le \frac{1}{2} - p$ is $\frac{\epsilon^3 (1 - 2p) + 3\epsilon^2 (1 - p)p + (1 - p)^2 p^2}{(1 - p - \epsilon)^3 (p + \epsilon)^3} \log e$, which is non-negative as desired since $0 \le p \le \frac{1}{2}$.

To prove the desired inequality (14), define $\epsilon(\alpha) := Q(\alpha) - \frac{1}{|K|}$ for all $\alpha \in K$. It follows that $\sum_{\alpha \in K} \epsilon(\alpha) = 1 - 1 = 0$ and $\sum_{\alpha \in K} |\epsilon(\alpha)| = \Delta$ by (12). The L.H.S. of (14) is

$$h(p) - \frac{1}{|K|} \sum_{\alpha \in K} h\left( p|K| \left( \frac{1}{|K|} + \epsilon(\alpha) \right) \right)$$
$$= \frac{1}{|K|} \sum_{\alpha \in K} \left[ h(p) + h'(p) p|K|\epsilon(\alpha) - h(p + p|K|\epsilon(\alpha)) \right]$$
$$\ge \frac{1}{|K|} \sum_{\alpha \in K} g_p(p|K||\epsilon(\alpha)|)$$
$$\ge g_p\left( \frac{1}{|K|} \sum_{\alpha \in K} p|K||\epsilon(\alpha)| \right) = g_p(p\Delta)$$

where the first equality is because $\sum_{\alpha \in K} h'(p) p|K|\epsilon(\alpha) = h'(p) p|K| \sum_{\alpha \in K} \epsilon(\alpha) = 0$. The first inequality is by (15) and the fact that $g_p$ is an even function, i.e. $g_p(\epsilon) = g_p(|\epsilon|)$. The last inequality follows from Jensen's inequality [3] since $g_p$ is convex. More explicitly, the lower bound $g_p(p\Delta)$ is

$$g_p(p\Delta) = \begin{cases} p\Delta^2 \dfrac{\log e}{2(1 + \Delta)(1 - p(1 + \Delta))}, & \Delta \le \frac{1}{2p} - 1 \\[2ex] p^2 \Delta^2 (2 \log e) & \text{otherwise} \end{cases}$$

It remains to show that this is lower bounded by the R.H.S. of (14), namely $p\Delta^2 \frac{\log e}{6}$. Suppose the first case is true, i.e. $\Delta \le \frac{1}{2p} - 1$, implying $\frac{1}{2} \le (1 - p(1 + \Delta)) \le 1$. Then,

$$g_p(p\Delta) = p\Delta^2 \frac{\log e}{2(1 + \Delta)(1 - p(1 + \Delta))} \ge p\Delta^2 \frac{\log e}{2 \cdot 3 \cdot 1}$$

as desired since $\Delta \le \sum_{\alpha \in K} Q(\alpha) + \frac{1}{|K|} = 2$. Suppose the second case is true, i.e. $\Delta > \frac{1}{2p} - 1$, implying $p > \frac{1}{2(1 + \Delta)} \ge \frac{1}{6}$. Then,

$$g_p(p\Delta) = p^2 \Delta^2 (2 \log e) \ge p\Delta^2 \frac{2 \log e}{6} \ge p\Delta^2 \frac{\log e}{6}$$

as desired. n.b. the bound can also be improved slightly since $\Delta \le 2(1 - \frac{1}{|K|})$ by a simple combinatorial argument. ∎

Proposition 2 For any distribution $Q$ over $K$,

$$\log|K| - H(Q) \le \Delta \log \sqrt{e|K|} \tag{16}$$

with $\Delta$ defined in (12). □

PROOF Without loss of generality, let $K = \{1, \dots, k\}$. It suffices to prove (16) for an optimal $Q$ that minimizes $H(Q)$ under the constraint (12). By the result of [14], an optimal $Q$ is $Q(\alpha) = \frac{1}{k} + \epsilon(\alpha)$ for $\alpha \in K$ with

$$\epsilon(\alpha) := \begin{cases} \frac{\Delta}{2}, & \alpha = 1 \\ 0, & 2 \le \alpha \le k - \lfloor k\frac{\Delta}{2} \rfloor \\ -\xi, & \alpha = k - \lfloor k\frac{\Delta}{2} \rfloor \\ -\frac{1}{k} & \text{otherwise} \end{cases} \qquad \text{where } \xi := \frac{\Delta}{2} - \frac{1}{k} \left\lfloor k\frac{\Delta}{2} \right\rfloor$$

It can be argued that $\epsilon(\alpha) \in [-\frac{1}{k}, 1 - \frac{1}{k}]$, $\sum_{\alpha \in K} \epsilon(\alpha) = 0$ and $\sum_{\alpha \in K} |\epsilon(\alpha)| = \Delta$, which is consistent with the fact that $Q$ is a distribution with a variational distance of $\Delta$ from the uniform distribution. One can think of $Q$ as obtained from the uniform distribution by taking $\frac{\Delta}{2}$ probability mass from the tail and putting it all at the first symbol. Define

$$f(p) := -p \log p \quad \text{for } p \in [0, 1]$$

with the convention that $f(0) := \lim_{p \downarrow 0} -p \log p = 0$. We have $H(Q) = \sum_{\alpha \in K} f(Q(\alpha))$ and $\log k = \sum_{\alpha \in K} f(\frac{1}{k})$. Thus,

$$\log k - H(Q) \overset{(a)}{=} \sum_{\alpha \in K} \left[ f\left(\tfrac{1}{k}\right) - f\left(\tfrac{1}{k} + \epsilon(\alpha)\right) \right]$$
$$\overset{(b)}{=} f\left(\tfrac{1}{k}\right) - f\left(\tfrac{1}{k} + \tfrac{\Delta}{2}\right) + f\left(\tfrac{1}{k}\right) - f\left(\tfrac{1}{k} - \xi\right) + f\left(\tfrac{1}{k}\right) \left\lfloor k\tfrac{\Delta}{2} \right\rfloor$$
$$\overset{(c)}{\le} f\left(1 - \tfrac{\Delta}{2}\right) + f\left(\tfrac{1}{k}\right) \xi k + f\left(\tfrac{1}{k}\right) \left\lfloor k\tfrac{\Delta}{2} \right\rfloor$$
$$\overset{(d)}{\le} \frac{\Delta}{2} \log e + \frac{\Delta}{2} \log k$$

which simplifies to the desired bound in (16). (b) is obtained from (a) by eliminating trivial terms in the summation with $2 \le \alpha \le k - \lfloor k\frac{\Delta}{2} \rfloor$. (c) is because $f$ is concave with $f(0) = f(1) = 0$. More precisely, the first and second derivatives of $f(p)$ with respect to $p$ are $f'(p) = -\log ep$ and $f''(p) = -\frac{\log e}{p}$ respectively. $f$ is concave because $f''(p) \le 0$ for $p \in (0, 1]$. Then, by concavity, we have for all $p, \delta, \tau \ge 0 : p + \delta + \tau \le 1$

$$f(p) - f(p + \delta) \le f(p + \tau) - f(p + \tau + \delta).$$

With $p = \frac{1}{k}$, $\delta = \frac{\Delta}{2}$, and $\tau = 1 - p - \delta$, we have $f(\frac{1}{k}) - f(\frac{1}{k} + \frac{\Delta}{2}) \le f(1 - \frac{\Delta}{2}) - f(1) = f(1 - \frac{\Delta}{2})$ since $f(1) = 0$. This explains the first term in (c). By the concavity of $f$, we also have for $0 \le \delta \le p \le 1$

$$p f(p - \delta) \ge \delta f(0) + (p - \delta) f(p)$$

With $p = \frac{1}{k}$, $\delta = \xi$ and $f(0) = 0$, the above inequality can be rewritten as $f(\frac{1}{k}) - f(\frac{1}{k} - \xi) \le f(\frac{1}{k}) \xi k$, which explains the second term in (c). To explain (d), we have again by concavity of $f$ that for $0 \le \delta \le p \le 1$

$$f(p - \delta) \le f(p) - f'(p)\delta$$

With $p = 1$, $\delta = \frac{\Delta}{2}$, $f(p) = f(1) = 0$ and $-f'(p) = \log ep = \log e$, we have $f(1 - \frac{\Delta}{2}) \le \Delta \log \sqrt{e}$, which explains the first term in (d). The final term in (d) follows from the definition of $\xi$ and $f$. n.b. by a more careful treatment, the bound can be improved to the order of $k\Delta^2$ when $\frac{\Delta}{2} \le \frac{1}{k}$, leading to a slightly better secrecy exponent in Theorem 1 for small $\lambda$. ∎

REFERENCES

[1] C. Chan, publications. http://chungc.net63.net/pub, http://goo.gl/4YZLT.
[2] N. Cai and R. Yeung, "Secure network coding on a wiretap network," Information Theory, IEEE Transactions on, vol. 57, no. 1, pp. 424–435, Jan. 2011.
[3] R. W. Yeung, Information Theory and Network Coding. Springer, 2008.
[4] S. El Rouayheb, E. Soljanin, and A. Sprintson, "Secure network coding for wiretap networks of type II," Information Theory, IEEE Transactions on, vol. 58, no. 3, pp. 1361–1371, Mar. 2012.
[5] L. H. Ozarow and A. D. Wyner, "Wire-tap channel II," in EUROCRYPT'84, 1984, pp. 33–50.
[6] D. Silva and F. Kschischang, "Universal secure network coding via rank-metric codes," Information Theory, IEEE Transactions on, vol. 57, no. 2, pp. 1124–1135, Feb. 2011.
[7] J. Kurihara, T. Uyematsu, and R. Matsumoto, "Explicit construction of universal strongly secure network coding via MRD codes," submitted to ISIT 2012.
[8] K. Harada and H. Yamamoto, "Strongly secure linear network coding," IEICE Transactions on Fundamentals, vol. 91-A, no. 10, pp. 2720–2728, Oct. 2008.
[9] R. Matsumoto and M. Hayashi, "Secure multiplex network coding," in Network Coding (NetCod), 2011 International Symposium on, Jul. 2011, pp. 1–6.
[10] C. Chan, "Universal secure network coding by non-linear secret key agreement," submitted to NETCOD 2012, see [1].
[11] C. E. Shannon, "Communication theory of secrecy systems," Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, 1949.
[12] H. Yamamoto, K. Harada, and T. Kubo, "Secure network coding with helper nodes generating random numbers," submitted to ISIT 2012.
[13] I. Csiszár and J. Körner, Information Theory: Coding Theorems for Discrete Memoryless Systems. Akadémiai Kiadó, Budapest, 1981.
[14] S.-W. Ho and R. Yeung, "The interplay between entropy and variational distance," Information Theory, IEEE Transactions on, vol. 56, no. 12, pp. 5906–5929, Dec. 2010.
