# Asymptotically Secure Network Code for Active Attacks and its Application to Network Quantum Key Distribution

When there exists a malicious attacker in the network, we need to be careful of eavesdropping and contamination. This problem is crucial for network communication when the network is realized by a partially trusted relay of quantum key distribution. We discuss the asymptotic rate in a linear network with the secrecy and robustness conditions when the above type of attacker exists. Also, under the same setting, we discuss the asymptotic rate in a linear network when we impose the secrecy condition alone. Then, we apply these results to the network composed of a partially trusted relay of quantum key distribution, which enables us to realize secure long-distance communication via short-distance quantum key distribution.

## Authors

• 34 publications
• 12 publications
• ### Verifiable Quantum Secure Modulo Summation

We propose a new cryptographic task, which we call verifiable quantum se...
10/14/2019 ∙ by Masahito Hayashi, et al. ∙ 0

• ### A Reconfigurable Relay for Polarization Encoded QKD Networks

We propose a method for reconfiguring a relay node for polarization enco...
06/02/2021 ∙ by Jing Wang, et al. ∙ 0

• ### Long-distance twin-field quantum key distribution with entangled sources

Twin-field quantum key distribution (TFQKD), using single-photon-type in...
11/06/2021 ∙ by Bing-Hong Li, et al. ∙ 0

• ### Single-Shot Secure Quantum Network Coding for General Multiple Unicast Network with Free One-Way Public Communication

It is natural in a quantum network system that multiple users intend to ...
03/30/2020 ∙ by Go Kato, et al. ∙ 0

• ### Secure network code over one-hop relay network

When there exists a malicious attacker in the network, we need to consid...
03/27/2020 ∙ by Masahito Hayashi, et al. ∙ 0

• ### Topological optimization of hybrid quantum key distribution networks

With the rapid development of quantum key distribution (QKD) technology,...
03/31/2020 ∙ by Ya-Xing Wang, et al. ∙ 0

• ### Analytical Model and Topology Evaluation of Quantum Secure Communication Network

Due to the intrinsic point-to-point feature of quantum key distribution ...
09/05/2019 ∙ by Qiong Li, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## I Introduction

Secure information transmission over a network is an important topic because there is a risk that a part of the network is broken, contaminated, and/or eavesdropped in a large network system. Cai and Yeung [1] started the study of secure network coding, which offers a method securely transmitting information from the authorized sender to the authorized receiver. The demand for such a type of secure communication is increasing beyond the areas of information theory and communication theory. For example, to realize rigorous security, quantum key distribution is actively studied [2]. Its commercial use has been well developed for limited transmission distance [3]. However, it is very difficult to directly connect two distinct parties over long distances via quantum key distribution. To realize long-distance communication with quantum key distribution over short distances, they often consider using quantum repeater [4, 5, 6]

. However, it is also difficult to realize quantum repeater. Hence, it is natural to establish a network whose edges are realized by secure communication by one-time-pad use of keys generated by quantum key distribution over short distances. That is, we generate many pairs of shared secure keys on intermediate nodes by quantum key distribution, where each pair is composed of two nodes connected by an edge. The secure keys shared by two nodes realize a secure channel between the two nodes. Hence, the application of the network coding to the network composed of these secure channels yields a scheme to realize secure communication between two distinct parties across a long distance. However, there is a possibility that a part of the nodes are occupied by Eve. Hence, we need to use secure network coding instead of network coding. To resolve this problem, the pioneering papers

[7, 8] studied this type of information transmission for the case of partially trusted routing networks. This paper addresses a general network including routing networks, in which a part of the nodes are attacked and the attacked nodes cannot be identified by the sender and the receiver like the Byzantine setting. The network topology is not known to the sender and the receiver.

In the above type of network, there are two types of attacks. In the first type of attack, the malicious adversary, Eve, wiretaps a subset of all the channels in a network, which was studied by the first paper by Cai and Yeung [1]. Using the universal hashing lemma [9, 10, 11], the papers [12, 13] showed the existence of a secrecy code that works universally for any type of eavesdropper when the cardinality of is bounded. In particular, the paper [14, 15, 16] discussed a concrete construction of such a universally secure code, which is more practical. As another type of attack on information transmission via a network, a malicious adversary contaminates the communication by changing the information on a subset of all the channels in the network. Using an error correction, the papers [17, 18, 19, 20] proposed a method to protect the message from contamination. That is, we require that the authorized receiver correctly recovers the message, which is called robustness. Now, for simplicity, we consider the unicast setting. When the transmission rate from the authorized sender, Alice, to the authorized receiver, Bob, is and the rate of noise injected by Eve is , using the results published in [21, 22], the study [23] showed that there exists a sequence of asymptotically correctable codes with the rate if the rate of information leakage to Eve is less than .

However, there is a possibility that the malicious adversary combines eavesdropping and contamination. That is, contaminating a part of the channels, the malicious adversary might improve the ability of eavesdropping while a parallel network offers no such a possibility [24, 25, 26]. In fact, in arbitrarily varying channel model, noise injection is allowed after Eve’s eavesdropping, but Eve does not eavesdrop the channel after Eve’s noise injection [27, 28, 29, 31][30, Table I]. The studies [14, 15, 16, 34] discussed the secrecy when Eve eavesdrops the information transmitted on the channels in after noises are injected in , but they assume that Eve does not know the information of the injected noise.

In contrast, this paper discusses the secrecy when Eve adds artificial information to the information transmitted on the channels in , eavesdrops the information transmitted on the channels in

, and estimates the original message from the eavesdropped information and the information of the injected noises. We call this type of attack an active attack and call an attack without contamination a passive attack. Specially, we call each of Eve’s active operations a strategy. Indeed, while the paper

[32] discusses robustness for an active attack, it discusses secrecy only for a passive attack. When and any active attack is available for Eve, she is allowed to arbitrarily modify the information on the channels in sequentially based on the obtained information. Fortunately, the previous paper [33] showed that an active attack has the same performance as the passive attack in the case of linear codes.

The aim of this paper is as follows. First, we give a formulation of our setting with a general set of eavesdropping nodes and a general set of noise-injection nodes. Then, we state that no strategy can improve Eve’s information when every operation in the network is linear, which is a brief review of the result of [33]. Next, we discuss a code that satisfies the need for secrecy and robustness when the transmission rate from Alice to Bob is , the rate of noise injected by Eve is , and the rate of information leakage to Eve is . In the asymptotic setting, given linear operations on the intermediate nodes with a certain order, our protocol controls only the encoder in the sender and the decoder in the receiver. Since we address the static Byzantine setting, the sender and the receiver do not know the two sets and , i.e., what edges are attacked, while they know the channel parameter and the upper bounds of and . Although intermediate nodes make linear operation over a single transmission, the sender and the decoder are allowed to make coding operations across several transmissions. Such a coding is called a non-local code to distinguish operations over a single transmission. We show the existence of such a secure protocol with rate . Since our non-local code depends only on the number , the upper bounds of and , and the dimensions of the input and the output, it works universally. Also, we discuss the asymptotic performance when only secrecy is considered. When Alice and Bob share a small number of initial secret keys and can communicate with each other via a public channel, we do not need to impose robustness, but need the correctness only for passive attack because we can make error verification [35, Section VIII]. In such a case, we show the existence of a secure protocol with the rate .

Then, we apply these two types of asymptotic analyses to network quantum key distribution. Since public communication is allowed in quantum key distribution, the latter setting is more useful for the security analysis in network quantum key distribution. Further, although the above discussion addresses the unicast setting, we explain how to extend this setting to the multiple multicast case including the multiple unicast case.

The remaining part of this paper is organized as follows. Section II formulates our problem and shows the impossibility of Eve’s eavesdropping under a linear network, which is a brief review of the result by [33]. Section III discusses the asymptotic setting, and show the achievability of the asymptotic rate . Section IV discusses the asymptotic setting with secrecy without robustness. Using the result of Section IV, Section V considers the application of obtained results to network quantum key distribution Section VI applies the obtained result to multiple multicast networks. In Section VII, we state the conclusion.

## Ii Secrecy in finite-length setting

Although the paper [33] discusses the formulation of a channel model of network with eavesdropping and contamination more rigorously, this section briefly explains this model in the case of an acyclic network with well synchronization. We consider the unicast setting. Assume that the authorized sender, Alice, and the authorized receiver, Bob, are linked via an acyclic network with the set of edges , where the operations on all nodes are linear on the finite field with prime power . Alice inputs the input variable 111

In this paper, we denote the vector on

by a bold letter. But, we use a non-bold letter to describe a scalar and a matrix. in and Bob receives the output variable in . We also assume that the malicious adversary, Eve, wiretaps the information in on the edges of a subset . Now, we fix the topology and dynamics (operations on the intermediate nodes) of the network. When we assume all operations on the intermediate nodes are linear, there exist matrices and such that the variables , , and satisfy their relations

 YB=KBX,YE=KEX. (1)

That is, the matrices and are decided from the network topology and dynamics. We call this attack the passive attack.

To address the active attack, we consider stronger Eve, i.e., we assume that Eve adds an error in on the edges of a subset . Using matrices and , we rewrite the above relations as

 YB=KBX+HBZ,YE=KEX+HEZ, (2)

which is called the wiretap and addition model. We set the parameter as

 rankKB=m0, (3)

and assume the ranks of and as

 rankHB=m1, rankKE=m2. (4)

Hence, the channel parameters are summarized as Table I.

Now, to consider the time ordering among the edges in , we assign the integers to the edges in such that . We assume that the information transmission on each edge is done with this order. In this representation, the elements of and are arranged in this order. Hence, the elements of the subsets and are expressed as and by using two strictly increasing functions and . The causality yields that

 HE;j,i=0 when η(i)≥ζ(j). (5)

It is natural that Eve can choose the information to be added in the edge based on the information obtained previously on the edges in the subset . That is, the added error is given as a function of , which can be regarded as Eve’s strategy. We call this attack the active attack with the strategy .

Now, we consider the -transmission setting, in which, Alice uses the same network times to send the message to Bob. Alice’s input variable (Eve’s added variable) is given as a matrix (a matrix ), and Bob’s (Eve’s) received variable is given as a matrix (a matrix ). We assume that the topology and dynamics of the network and the edge attacked by Eve are not changed during transmissions. In particular, the operations on intermediate nodes are not changed. Then, their relation is given as

 YnB =KBXn+HBZn, (6) YnE =KEXn+HEZn. (7)

Notice that the relations (6) and (7) with (only the relation (6)) were treated as the starting point of the paper [32] (the papers [21, 22, 23]).

To discuss the secrecy and the robustness, we formulate a code. Let and be the message set and the set of values of the scramble random number. Then, an encoder is given as a function from to , and the decoder is given as from to . Our code is the pair , and is denoted by . Since the code pair of and is across transmission, it is called a non-local code to distinguish operations over a single transmission. Then, we denote the message and the scramble random number by and . The cardinality of is called the size of the code and is denoted by .

Here, we treat as deterministic values, and denote the pairs and by and , respectively. In the following, we fix . As a measure of the leaked information, we adopt the mutual information between and Eve’s information and Since the variable is given as a function of , we have . Since the leaked information is given as a function of in this situation, we denote it by . When we always choose , the attack is the same as the passive attack. This strategy is denoted by . and chooses her strategy dependently of the position.

Now, we have the following theorem [33].

###### Theorem 1.

For any Eve’s strategy , Eve’s information with strategy and that with strategy can be simulated by each other. Hence, we have the equation

 I(M;YnE)[Φn,K,H,0]=I(M;YnE)[Φn,K,H,α]. (8)

While the paper [33] showed this theorem in a more general setting with more rigorous description of the problem setting, we briefly give its proof in Appendix A. This theorem shows that the information leakage of the active attack with the strategy is the same as the information leakage of the passive attack. Hence, to guarantee the secrecy under an arbitrary active attack, it is sufficient to show the secrecy under the passive attack.

###### Remark 1 (Number of choices).

To compare passive and active attacks, we count the number of choices of both attacks. While the passive attack is characterized by the matrix , the information leaked to Eve in the passive attack depends only on the kernel of the matrix . To characterize the information leaked to Eve, we consider two matrices to be equivalent when their kernels are the same. In a passive attack, when we fix the rank of (the dimension of leaked information), by taking into account the equivalent class, the number of possible choices is upper bounded by . With an active attack, this calculation is more complicated. For simplicity, we consider the case with . To consider the minimum number of choices of , we assume condition (5). (When we do not make this assumption, the number of choices is larger.) We do not count the choice for the inputs on the edge with because it does not affect Eve’s information. Then, even when we fix the matrices , the number of choices of is

 q∑i:η(i)<ζ(m6)qTi, (9)

where . Notice that when . If we count the choice on the remaining edges, we need to multiply on (9). For a generic natural number , the number of choices of is

 qn∑i:η(i)<ζ(m6)qnTi. (10)

## Iii Asymptotic setting with secrecy and robustness

In this section, under the model given in Section II, we consider the asymptotic setting by taking account of robustness as well as secrecy while Eve’s strategy is assumed to satisfy the uniqueness condition. We previously assumed that the matrices , , , and , i.e., the topology and dynamics of the network and the edge attacked by Eve do not change during transmissions. Now, we assume that Eve knows these matrices and that Alice and Bob know none of them because Alice and Bob often do not know the topology and/nor dynamics of the network and/nor the places of the edges attacked by Eve. However, due to the limitation of Eve’s ability, we assume that the dimension of the information leaked to Eve and the rank of the information injected by Eve are limited to and , respectively. Indeed, when the original network is given by the graph and Eve eavesdrops at most edges and injects the noise at most edges, we have and . This evaluation is still valid even in the wiretap and replacement model. Therefore, it is natural to assume the upper bounds of these dimensions. (See Remark 2.)

When Eve adds the error , there is a possibility that Bob cannot recover the original information . This problem is called robustness, and may be regarded as a kind of error correction. Under the conventional error correction, the error

is treated as a random variable subject to a certain distribution. However, our problem is different from the conventional error correction because the decoding error probability depends on the strategy

. Hence, we denote it by . Then, the following proposition is known.

###### Proposition 1 ([21, 22, 23, 32]).

Assume that . There exists a sequence of non-local codes of block-length on a finite field whose message set is such that

 limn→∞knln=m0−m1 (11) limn→∞maxK,HmaxαnPe[Φn,K,H,αn]=0, (12)

where the maximum is taken with respect to with conditions (3) and (4). Here, there is no restriction for the choice of and .

The existing proof of Proposition 1 is given as a combination of several results. Each part of the existing proof is hard to read because it omits the detail derivation. Hence, for readers’ convenience, we give its alternative proof in Appendix B, which has an improvement over the existing proof. Combining Theorem 1 and Proposition 1, we obtain the following theorem.

###### Theorem 2.

We assume that . There exists a sequence of non-local codes of block-length on finite field whose message set is such that

 limn→∞knln=m0−m1−m2 (13) limn→∞maxK,HmaxαnPe[Φn,K,H,αn]=0 (14) maxK,HmaxαnI(M;YnE)[Φn,K,H,αn]=0, (15)

where the maximum is taken in the same way as with Proposition 1.

Before our proof, we prepare basic facts about information-theoretic security. We focus on a random hash function from to with random variable deciding the function . It is called universal2 when

 Pr{fR(x)=y}≤|Y||X| (16)

for any and .

For , we define the conditional Rényi entropy

for the joint distribution

as [11]

 H1+s(X|Z):=−1slog∑z∈ZPZ(z)∑x∈XPX|Z(x|z)1+s, (17)

which is often denoted by in [36, 37]. When

obeys the uniform distribution, we have

 H1+s(X|Z)≥log|X||Z|. (18)
###### Proposition 2.

[9, 10][11, Theorem 1]

 I(fR(X);Z|R)≤eslog|Y|−H1+s(X|Z)s (19)

for .

Proof of Theorem 2:   We choose a sequence of non-local codes given in Corollary 1. We fix . Now, we choose a universal2 linear surjective random hash function from to .

To construct our non-local code, we consider a virtual protocol as follows. First, Alice sends a larger message by using the non-local code , and Bob recovers it. Second, Alice randomly chooses deciding the hash function and sends it to Bob via a public channel. Finally, Alice and Bob apply the hash function to their message, and denote the result value by so that Alice and Bob share the information with a probability of close to .

Since the conditional mutual information between and depends on , we denote it by . Theorem 1 shows , which does not depend on and depends only on . Now, we evaluate this leaked information via a similar idea to that reported in [12]. Since inequality (18) implies that , Proposition 2 yields

 I(¯M;YlnE|R)[Φn,K,H,0]≤ es(¯knlogq−H1+s(M|YlnE))s ≤ qs(¯kn−kn+lnm2)s≤q−s⌈√ln⌉s. (20)

We set . For each matrix satisfying , Markov inequality guarantees that the inequality

 I(¯M;YlnE)[Φn,K,H,0]|R=r≤q−⌈√ln⌉+c+1 (21)

holds at least with probability . Since the number of matrices satisfying is upper bounded by , there exists a matrix such that and (21) does not hold at most with probability . Hence, (21) holds for any matrix satisfying at least with probability . Letting be , we have

 I(¯M;YlnE)[Φn,K,H,0]|R=r≤q−⌈√ln⌉+m6m3+1 (22)

for any matrix satisfying at least with probability . Therefore, there exists a suitable hash function such that

 I(¯M;YlnE)[Φn,K,H,0]|R=r≤q−⌈√ln⌉+m6m3+1,

which goes to zero as goes to infinity because is a constant. Since the code on our network is linear, Eve observes a subspace of input information . Hence, the amount of leaked information is an integer times . Hence, as discussed in [13], when is sufficiently large, there exists a suitable hash function such that

 I(¯M;YlnE)[Φn,K,H,0]|R=r=0.

Now, we return to the construction of non-local codes. We choose the sets and as and , respectively. Since the linearity and the surjectivity of implies that for any element , we can define the invertible function from to the domain of , i.e., such that for any element . This condition implies that for . Then, we define our non-local encoder as , and our non-local decoder as . The sequence of non-local codes satisfies the desired requirements.

###### Remark 2.

If we replace the condition (4) by the condition

 rankHB≤m1, rankKE≤m2, (23)

the Proposition 1 and Theorem 2 still hold due to the following reason. For to satisfy (3) and (23), there exists to satisfy (3) and (4) such that and . Hence, the Proposition 1 and Theorem 2 still hold under this modification.

###### Remark 3 (Efficient non-local code construction).

We discuss an efficient construction of our non-local code from a non-local code given in Corollary 1 with . A modified form of the Toeplitz matrices is also shown to be a universal2 linear surjective hash function, which is given by a concatenation of the Toeplitz matrix and the identity matrix [38], where is the random seed used to decide the Toeplitz matrix and belongs to

. The (modified) Toeplitz matrices are particularly useful in practice, because there exists an efficient multiplication algorithm using the fast Fourier transform algorithm with complexity

.

When the random seed is fixed, the encoder for our non-local code is given as follows. By using the scramble random variable , the encoder is given as because . (The multiplication of Toeplitz matrix can be performed as a part of a circulant matrix. For example, the reference [38, Appendix C] provides a method to give a circulant matrix.). A more efficient construction for univeral2 hash function is discussed in [38]. Hence, the decoder is given as .

###### Remark 4.

Here, we clarify the difference between our results and the setting of the preceding papers [14, 15, 16, 32, 34, 40], which consider correctness and secrecy. Their secrecy analysis is different from our analysis although the non-local code construction in [14, 15, 16, 32, 34] does not depend on the concrete form of matrices , which is similar to our non-local code construction.

While the papers [39, 32] considered correctness when the error exists, it discusses the secrecy only when there is no error. Similarly, the paper [40] considers a different active adversary model, in which, it discusses the node-repair and data-reconstruction operations even in the presence of such an attack while the model of passive eavesdroppers in the paper [40] discusses the secrecy with respect to the message to be transmitted. Indeed, the papers [39, 32] provided a statement similar to Theorem 2. However, it showed only Eq. (14) and instead of (15) by combining Proposition 4 and the result of the paper [39]. To show (15), we need to employ Theorem 1. If we do not apply Theorem 1 in step (22) in our proof of Theorem 2, we have to multiply the number of choices of strategy . As a generalization of (9), this number is given in (10), which grows up double-exponentially. Hence, our proof of Theorem 2 does not work without the use of Theorem 1.

While the papers [16, Proposition 5][34] consider the secrecy when the error exists, it addresses the amount of leaked information only when the eavesdropper does not know the information of the noise. That is, they evaluate the mutual information between and . However, our analysis evaluates the leaked information when the eavesdropper knows the information about the noise. That is, we address the mutual information between and the pair .

## Iv Asymptotic setting with secrecy

When Alice and Bob can communicate via public channel, the verification of correctness can be done by a universal2 hash function [35, Section VIII][41, Step 4 of Protocol 2]. When we employ a modified Toeplitz matrix as a universal2 hash function and bits are exchanged for the verification, it has only calculation complexity . Due to this step, we can guarantee the correctness with probability , which is called the significance level[35, Section VIII]. Hence, in this case, we consider the case when only the secrecy is imposed and the robustness is not imposed. That is, we impose the following condition.

 limn→∞maxKPe[Φn,K,0,0]=limn→∞maxK,HPe[Φn,K,H,0]=0. (24)

However, even when the verification of correctness is passed, there is a possibility that Eve can make an active attack to satisfy

 Pe[Φn,K,H,αn]=0. (25)

Hence, as the secrecy, we impose the following condition.

 maxK,HmaxαnI(M;YnE)[Φn,K,H,αn]=0. (26)

Here, both maximums are taken with respect to with (3) and (4). We notice that the situation of the correctness (24) is different from the situation of the secrecy (26). Indeed, it is possible to restrict the range of by imposing the condition (25). However, since it is not so easy to handle the condition (25), the maximum for is addressed without the restriction (25). That is, the correctness (24) addresses only the case with passive attack, but the secrecy (26) addresses the cases with active attack.

This setting appears when we consider quantum key distribution, as explained in Section V. Then, we have the following theorem to analyze this problem.

###### Theorem 3.

There exists a sequence of non-local codes of block-length on finite field whose message set is such that conditions (24) and (26) and

 limn→∞knln=m0−m2 (27)

holds.

From the definition, we see that . Also, note that does not depend on . Further, the rate is asymptotically optimal, i.e., there is no non-local code surpassing the rate , which follows from the converse part of the conventional wire-tap channel [42, 43].

To show the above theorem, as a special case of Theorem 2 with , we prepare the following corollary.

###### Corollary 1.

There exists a sequence of non-local codes of block-length on finite field whose message set is such that

 limn→∞knln=m0−m2 (28) maxKI(M;YnE)[Φn,K,0,0]=0, (29) limn→∞maxKPe[Φn,K,0,0]=0, (30)

where the maximum is taken with respect to under the conditions (3) and (4).

Combining Corollary 1 and Theorem 1, we obtain Theorem 3.

Here, we compare existing results with Corollary 1. As a similar result to Corollary 1, the following proposition is known. Since Corollary 1 does not require the assumptions and , Corollary 1 is slightly advantageous. Hence, Theorem 3 is a stronger statement than the following existing statement.

###### Proposition 3 ([13, Theorem 7],[16]).

We assume that and . There exists a sequence of non-local codes of block-length on finite field whose message set is such that

 limn→∞knn=m0−m2 (31) limn→∞maxKI(M;YnE)[Φn,K,0,0]=0, (32) limn→∞Pe[Φn,K,0,0]=0, (33)

where the maximum is taken with respect to with condition (4).

## V Application to network quantum key distribution

In this section, to realize long-distance communication with quantum key distribution, using the result in Sections III and IV, we consider a network of quantum key distribution. Although the existing studies [7, 8] discussed a similar case over routing networks, they did not discuss the relation with network code including active attacks.

Assume that the authorized sender, Alice, is connected to the authorized receiver, Bob, via the network given by the graph with . A linear operation is fixed in each node so that we have the relation with Alice’s input and Bob’s output . Then, if secure information transmission is available on each edge, secure communication from Alice to Bob can be realized. For every edge , the distant nodes and generate secure common keys by quantum key distribution. That is, pairs of secure keys are generated by quantum key distribution. In the following, we discuss how we can make secure message transmission from Alice to Bob by using these pairs of secure keys with public channels. This kind of secure communication is called network quantum key distribution.

First, we consider the case when all nodes are authenticated. In this case, Alice can securely send her message to Bob in the following way. Let be the random variable to be transmitted on the -th edge. Let be the secure keys generated in the -th edge by quantum key distribution. When is directly transmitted, this information transmission is not secure. To realize security, is transmitted on the -th edge, instead. Then, a secure transmission in each edge is realized. Hence, due to the above relation , secure communication from Alice to Bob can be realized.

However, it is very difficult to guarantee security when a part of the nodes are occupied by Eve. Such a model is often called a node adversary model while the model introduced in Section II is called an edge adversary model. The main problem with network quantum key distribution is the realization of secure communication from Alice to Bob under a node adversary model. To investigate the security in the node adversary model, we convert a given node adversary model to a special case of the edge adversary model as in [31]. In an edge adversary model, Eve wiretaps and contaminates the information only on the edges . To apply the model to the current situation, we consider that all the edges linked to the nodes occupied by Eve are wiretapped and controlled by Eve. When these occupied nodes communicate with each other, Eve’s attack is an active attack. That is, analysis for active attack is essential. Therefore, we can apply Theorem 2 to the security analysis of the direct transmission of the secret message via network quantum key distribution. In quantum key distribution, it is usual to assume that Alice and Bob share secure random numbers whose lengths are asymptotically negligible in block-length because the asymptotically negligible keys are needed for authentication for the public channel. In this case, to generate secure keys with length , we can employ Theorem 3, where the asymptotically negligible keys are used for an error verification test.

For example, we consider the network given in Fig. 1, which has nodes as intermediates nodes. Fig. 2 expresses the information flow on each edge in this network. This network connects Alice and Bob with rank 4. The ranks of and of typical cases are summarized in Table II. Also, Section II-D of [33] discusses the same network.

When the number of nodes occupied by Eve is limited to 1, the ranks of and are upper bounded by . In the latter case, Theorem 3 guarantees that Alice can securely transmit a random number with rank 2 per single use of the network. In the former case, since , Theorem 2 cannot guarantee that Alice securely transmits her message to Bob.

As another example, we consider the circle type network given in Fig. 3, in which, the nodes connect the next nodes and the nodes after the next. Assume that we have pairs of secret keys in the circle type network of Fig. 3. We suppose that intends to communicate with securely. They make the network as , , , , which connects and with rank 4. When Eve occupies one intermediate node, the ranks of and are one. In the latter case, Theorem 3 guarantees that Alice in can securely transmit a random number with rank 3 per single use of the network. In the former case, Theorem 2 guarantees that Alice in securely transmits her message to Bob with rank 2 per single use of the network.

When Eve occupies two intermediate nodes, the ranks of and are at most two. In the latter case, Theorem 3 guarantees that Alice in can securely transmit a random number with rank 2 per single use of the network. In the former case, Theorem 2 cannot guarantee that Alice in securely transmits her message to Bob. This method can be generalized to the case when Alice and Bob are and with .

Indeed, this idea can be generalized to this circle type network even when the number of nodes is odd. Further, this network can be generalized to the following network of quantum key distribution with two integers

. The set of nodes is given as , and the set of edges is given as . Now, we set Alice and Bob as and with . Then, they can make paths connecting and without duplication in the intermediate nodes. Then, even when nodes are occupied by Eve, Alice and Bob can securely share a secret random number due to Theorem 3.

## Vi Application to multiple multicast network

We assume that these senders and receivers are connected via network composed of linear operations. Then, using matrices , we can describe their relations as

 →Yi,j=a∑i′=1Ki,j;i′→Xi′. (34)

While the senders transmit their information repeatedly, we assume that the coefficient matrices do not change. We assume that receivers do not collude to recover the message from senders. Now, we apply the model (6) and (7) to the secure communication transmission from Sender to Receiver . When we consider information leakage to Receiver with , we substitute , , and into , , , and , respectively. We assume that the rank of information crossed from other senders is and the rank of leaked information to Receiver is . We introduce the maximum ranks , , and . Sender and Receiver are assumed to know only the integers , , , , and have no other knowledge for the network structure. We choose our non-local code by applying Theorem 4 to the case with , , , , and . Since the non-local code does not depend on the choice of and , this non-local code works well in this situation.

## Vii Conclusion

We have discussed how sequential error injection affects the information leaked to Eve. As the result, we have shown that there is no improvement when the network is composed of linear operations. However, when the network contains non-linear operations, we have found a counterexample that improves the information obtained by Eve. Moreover, as Theorem 2, we have shown the achievability of the asymptotic rate for a linear network under the secrecy and robustness conditions when the transmission rate from Alice to Bob is , the rate of noise injected by Eve is , and the rate of information leakage to Eve is . The converse part of this rate is an interesting open problem. In addition, as Theorem 3, we have discussed the secrecy and the asymptotic transmission rate when Eve has a possibility to inject noise into the network.

Further, we have applied our results to network quantum key distribution. Then, we have clarified what type of network will enable us to realize secure long-distance communication based on short-distance quantum key distribution. However, when we consider only the case given in Fig. 3, we can employ a classical (non-quantum) secret sharing protocol [44] instead of network coding because all of the communications of this case are routing. In particular, cheater-identifiable secret sharing against rushing cheaters [45, 46, 47, 48, 49] enables us to share secure keys without using public channels or prior shared randomness.

In this way, this paper has discussed the application of secure network coding to a network model whose communications on the edges are realized by quantum key distribution. Replacing the role of quantum key distribution by physical layer security, we can consider a secure network based on physical layer security. In particular, we can use secure wireless communication [41, 50, 51, 52, 53, 54, 55, 56, 57, 58] as a typical form of physical layer security, which provides us with a secure network based on secure wireless communication. A crucial weak point of physical layer security is the possibility that the eavesdropper might break the assumption of the model. Such an attack might be realized in the following cases. (1) The eavesdropper concentrates his/her resources on one point. (2) The eavesdropper luckily encounters a situation that the assumption is broken. When we combine physical layer security and secure network coding in the above way, to eavesdrop our information, the eavesdropper needs to break the model of physical layer security in multiple communication channels. In case (1), to realize this condition, the eavesdropper has to distribute his/her resources, which increases the difficulty of eavesdropping. For case (2), the eavesdropper must be lucky in multiple communication channels, and this probability is very small. In this way, this kind of