Obligatory Example/History

s

t1 t2

b1 b2

b2

b2

b1

b1 b1

b1 b1

b1 (b1,b2)

b1+b2

b1+b2b1+b2

(b1,b2)

[ACLY00] [ACLY00] Characterization Non-constructive

[LYC03], [KM02] Constructive (linear) Exp-time design

[JCJ03], [SET03] Poly-time design Centralized design

[HKMKE03], [JCJ03] Decentralized design

EVER

BETTER

.

.

.

C=2

[This talk] All the above, plus security

Tons of work

[SET03] Gap provably exists

Multicast

Wired

Wireless

Simplifying assumptions• All links unit capacity

• (1 packet/transmission)• Acyclic network

Network = Hypergraph

ALL of Alice’sinformationdecodableEXACTLYbyEACH Bob

Network Model

Multicast Network Model

ALL of Alice’sinformationdecodableEXACTLYbyEACH Bob

3

2

2

Upper bound for multicast capacity C,C ≤ min{Ci}

[ACLY00] With mixing, C = min{Ci} achievable!

[LCY02],[KM01],[JCJ03],[HKMKE03] Simple (linear) distributed codes suffice!

Mixing

)2(1,0)...( 21mm

m Fxbbb

2x

kx

b1b2 bmx

1x

kk xxx ...2211

β1

β2

βk

F(2m)-linear network[KM01]

Source:- Group together m bits,

Every node:- Perform linear combinations over finite field F(2m)

Generalization: The X arelength n vectors over F(2m)

X1

X2

Xk

kkXXX ...2211

• Source: Sends packets.

Distributed multicast

X IC packets

“Small” rate-loss

[HKMKE03] X

• Source: Sends packets.

• Sink gets Y (Each column encoded with same transform T)

• Now sink knows T and can decode.

Distributed multicast

X I

TX T

C packets

“Small” rate-loss

[HKMKE03]

Y=

X

Y

TX

Problems!

Eavesdropped links

Attacked/noisy links

Corrupted links

This talk• Errors

– Types of errors/erasures• Random• Malicious

– Types of solutions proffered• Error detection• Error correction

– Tools• Information theory• Cryptography

• Wiretappers/secrecy

Random errors

Noisy links

Corrupted links

[SYC06], [B02] Linkwise independent noise,Channel/network coding separable

Random errors

[SYC06], [B02] Linkwise independent noise,Channel/network coding separable

• Routers/relays have to do extra work• Not for malicious (packetwise) errors

GOAL: END-TO-END ERASURE/ERROR-DETECTION/CORRECTION

Point-to-point Codes

Y=TX+E

Generator matrix

Low-weightvector

YX

(Linear) Channel Code

10000

c

T

E

X

TY

TZ

Z

Y=TX+E=TX+TZZ

Networktransform matrices

Low-weightvector

(Un)known

Network Codes

Example (Coherent ECCs)

1X2X

3X

Z

ZX 111

ZX 222

ZX 333 C=3

ZO=1

ZβXαYZβXαYZβXαY

33 33

22 22

11 11

n-length vectors (packets)

3n known 4n unknown

6 known scalars (“coherence”)

X3=X1+X2R = C - Zo

2 3 1

4n known

Redundancy addedat source

1 1 1 1

2 2 2 2

3 3 3 3

α 0 β X Y0 α β X Yα α β Z Y

Invertible with high probability

Example (Partially Coherent ECCs)

1X2X

3X

Z

ZX 111

ZX 222

ZX 333 C=3

ZO=1


33 33

22 22

11 11

3 known scalars (“partial coherence”)

Network transform known,Adversarial location unknown

R = C - Zo

1 1 1 1

2 2 2 2

3 3 3 3


Still invertible with high probability,regardless of adversarial location.

Basis from columns of

'

'

' '

1 1 1 1

2 2 2 2

3 3 3 3


[MU07,SK07,BZ08] (Fast implementations via Gaussian elimination)

Incoherent?

When stuck…“ε-rate secret uncorrupted channels”

• Useful abstraction/ building block

Example

1X2X

3X

Z

ZX 111

ZX 222

ZX 333 C=3

ZO=1ZβXαYZβXαYZβXαY

33 33

22 22

11 11

4n+6 unknown

non-linear

6 secret hashes of X

4n+6 known4n known

)1()1(0)1()1()1(0)1(

)1()1(0)1(

333

222

111

yzxyzxyzx

)2()2(22)2()2()2(1)2(

)2()2(1)2(

3333

2222

1111

yzxyzxyzx

3

2

1

)1(

z

'''

)2(2 3

2

1

3

2

1

z

'''

3

2

1

)3()3(33)3()3()3(22)3(

)3()3(1)3(

3333

2222

1111

yzxyzx

yzx

'''

)3(32

3

2

1

3

2

1

zZ''βXαYZ''βXαYZ''βXαY

33 33

22 22

11 11

'β,'β,'βααα 3213,2,1,Solve forX3=X1+X2

Example

1X2X

3X

Z

ZX 111

ZX 222

ZX 333 C=3

ZO=1

X3=X1+X2

6 secret hashes of X

4n+6 known4n+6 unknown

3

2

1

2

1

333

22

11

YYY

Z'XX

'βαα'βα0'β0α

Z''βXαYZ''βXαYZ''βXαY

33 33

22 22

11 11

Invertible with high probability

3

2

1

3

2

1

)1('''

zZ=(0 z(2) z(3)… z(n))

3

2

1

3

2

1

0'''

3

2

1

2

1

33

2

1

YYY

Z'XX

0αα0α000α

“Small” shared secret

Theorem [JLKHHE07]: Rate C-ZO-ε achievable with ZI={E},ε-rate secret uncorrupted channel

Incoherent Example

1X2X

3X

Z

ZX 111

ZX 222

ZX 333


33 33

22 22

11 11

X3=X1+X2

n more constraints added on X

3

2

1

3

2

1

)1('''

z

Z=(0 z(2) z(3)… z(n))

3

2

1

3

2

1

0'''

DX=0

Z=(0 0 0… 0)R = C – Zo - redundancyR = C – Zo

2 3 11 3 1 1R = C – 2Zo

Omniscient adversary

Theorem [JLKHHE07]: Rate C-2ZO-ε achievable with ZI={E}

Partially omniscient adversary

Theorem [JLKHHE07]: Rate C-ZO-ε achievable, if ZI+2ZO<C

ZI<C-2ZO

Using algorithm 2 for small header, can transmit secret, correct information…… which can be used foralgorithm 1 decoding!

Algorithm 2 rate

Eavesdropping rate

ZI<R Information-theoretic Privacy

Theorem [JL07]: Rate C-ZO-ε achievable, if ZI+ZO<C

Summary

Optimal rates Poly-timeDistributedUnknown topologyEnd-to-endRatelessInformation theoretically secure/privateWired/wireless

Scenario Rate

Coherent C-ZO

Partially coherent C-ZO

Shared secret C-ZO

Omniscient C-2ZO

Partially oblivious C-ZO

A Fresh Approach

Slide courtesy of Frank Kschischang

Slide courtesy of Frank Kschischang

Problem formulation• A source s wishes to send a large file to a group of peers, T.• View the data to be transmitted as vectors in n-dimensional vector space ,

where p is a prime. The source node augments these vector to given by

where the first m elements are zero except the i-th one is 1, and .• Each packets received by a peer is a linear combination of all the pieces.

mvv ,,1 mvv ,,1

),,,0,,1,,0( 1 inii vv v

Slide courtesy of Fang Zhao

Signature for network coding• The vectors span a subspace V of .• A received packet is a valid linear combination if and only if it belongs to V.• Each node verifies the integrity of a received vector w by checking the

membership of w in V.• Our approach has the following ingredients:

– q: a large prime such that p is a divisor of q -1.– g: a generator of the group G of order p in .– Private key: , a random set of elements in .– Public key: .

mvv ,,1

nmpF

qF

nmiipr aK ,,1}{

*qF

nmia

ipuighK ,,1}{


Signature for network coding• The scheme works as follows:

1. The source finds a vector u that is orthogonal to all vectors in V.2. The source computes vector .3. The source signs x with some standard signature scheme and publishes it.4. When a node receives a vector w and wants to verify that w is in V, it computes

and verifies that d =1.

)/,,/( 11 nmnm auau x

nm

i

wxi

iihd1


Discussion• It can be shown that it is as hard as the Discrete Logarithm problem to find

new vectors that also satisfy the verification criterion other than those that are in V.

• Overheads– Part of the public key Kpu has to be re-generated for each file,

otherwise a malicious node can use the information from the previous file to crack the system.

– Signature vector, x.


Discussion• If the file sizes are large, after the initial setup, each additional file distributed only

incurs a negligible amount of overhead using our signature scheme.• Under our assumptions that

1. there is no secure side-channel to transfer hash values from the source to all the peer nodes, and;

2. all peers have full knowledge of the public information of the security scheme,our signature scheme has to be applied on the original file, not on hashes.


Conclusions• Proposed a solution to the security problem in content distribution with

network coding.• Use a signature vector for each file that can be used to easily check the

integrity of all the packets received for this file.• This scheme is secure and has low overhead.


network coding security

Documents

rate czo

c zo redundancyr

c zo2

blockexample c

x1 x2example c

multicast capacity c

zo achievable

b2b1 b2b1 b2b1 b2b1