Secure Network Code for Adaptive and Active Attacks with No-Randomness in Intermediate Nodes

12/25/2017
by   Ning Cai, et al.
0

We analyze the security for network code when the eavesdropper can contaminate the information on the attacked edges (active attack) and can choose the attacked edges adaptively (adaptive attack). We show that active and adaptive attacks cannot improve the performance of the eavesdropper when the code is linear. Further, we give an non-linear example, in which an adaptive attack improves the performance of the eavesdropper. We derive the capacity for the unicast case and the capacity region for the multicast case or the multiple multicast case in several examples of relay networks, beyond the minimum cut theorem, when no additional random number is allowed as scramble variables in the intermediate nodes.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

03/27/2020

Secure network code over one-hop relay network

When there exists a malicious attacker in the network, we need to consid...
10/15/2018

Denial of Service Attack in Cooperative Networks

In Denial of Service (DoS) attack the network resources are either delay...
03/26/2020

Reduction Theorem for Secrecy over Linear Network Code for Active Attacks

We discuss the effect of sequential error injection on information leaka...
04/28/2018

Secure Computation-and-Forward with Linear Codes

We discuss secure transmission via an untrusted relay when we have a mul...
01/10/2019

On Secure Capacity of Multiple Unicast Traffic over Two-Layer Networks

This paper studies the problem of secure communication over two-layer ne...
12/20/2021

Forensic Issues and Techniques to Improve Security in SSD with Flex Capacity Feature

Over-provisioning technology is typically introduced as a means to impro...
07/05/2021

The Curious Case of the Diamond Network

This work considers the one-shot capacity of communication networks subj...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Secure network coding is a method securely transmitting information from the authorized sender to the authorized receiver. Cai and Yeung [1, 2, 3] discussed the secrecy for the malicious adversary, Eve, wiretapping a subset of all channels in the network. The papers [4, 5, 6, 7, 8, 9, 10] developed several types of secure network coding. The papers [11, 12, 13, 14] showed the existence of a secrecy code that universally works for any types of eavesdroppers under the size constraint of . In particular, the papers [13, 14] constructed it by using the universal hashing lemma [15, 16, 17]. Further, the papers [11, 12, 18] evaluated errors when the information on a part of network is changed, but they evaluated the secrecy only when the information on a part of network is not changed or Eve did not know the replaced information. The recent paper [19] discussed the secrecy as well as the error when Eve contaminates the eavesdropped information and knows the replaced information. (For the detailed relation, see [19, Remark 8].) The effects of Eve’s contamination depend on the type of the network code. When the code is linear, the contamination does not improve her performance. However, when the code is not linear, there exists only one example where the contamination improves her performance [19].

Despite these developments, there are still some problems in existing studies. Although these existing studies achieved the optimal rate with secrecy condition, their optimality relies on the minimum cut theorem. That is, they assumed that the eavesdropper may choose any -subset channels to access, and did not address another type of conditions for the eavesdropper. For example, the studies [11, 12, 13, 14] optimized only the codes in the source and terminal nodes and did not optimize the coding operations on the intermediate nodes. Also, in other existing studies, the intermediate nodes do not have as complicated codes as the source and terminal nodes. In this paper, to achieve the optimal rate beyond the minimum cut theorem, we address the optimization of the coding operations on the intermediate nodes as well as on the source and terminal nodes.

Further, we consider a new type of attacks, adaptive attacks. Assume that distinct numbers are assigned to the edges, and the communication on edges are done in the decreasing order for the assigned numbers. Usually, Eve cannot decide the edges to be attacked depending on the previous observation. Now, we allow Eve to choose the edges to be attacked based on the previous observations. Indeed, the channel discrimination, it is known that such an adaptive strategy does not improve the asymptotic performance [20]. Then, we find two characteristics for adaptive attacks, which are similar to the case of active attacks. First, we find a non-linear code where an adaptive attack significantly improves Eve’s performance. Using this characteristic, we find an example of a non-asymptotic network model, which has no secure code for adaptive attacks, but has no secure code for conventional attacks. Second, we show that any adaptive attack cannot improve Eve’s performance when the code is linear. Using this fact, we derive the asymptotic performance in several typical network models in the following way when Eve is allowed to use adaptive and active attacks.

In this paper, we discuss the asymptotic securely transmittable rate over the above attacks not only for a unicast network but also for a multiple multicast network, in which, multiple senders are intended to send their different messages to different multiple receivers. Under these settings, we define the capacity and the capacity regions for given network models, and calculate them in several examples. For the definition, we define two types of capacity regions depending on the requirement on the code on the intermediate nodes. Usually, a secure network code employs scramble random numbers, which need to be physical random numbers different from pseudo random numbers. In the first capacity region, we allow each node to introduce new scramble random numbers unlimitedly. Here, the scramble random numbers of each node are not shared with other nodes and should be independent of random variables in other players and other nodes before starting the transmission. In the second capacity region, only source nodes are allowed to employ scramble random numbers due to the following reason. To realize physical random numbers as scramble random numbers, we need a physical device. If the physical random number has sufficient quality, the physical device is expensive and/or consumes a non-negligible space because it often needs high level quantum information technologies with advanced security analysis

[21, 22]. It is not so difficult to prepare such devices in the source side. However, it increases the cost to prepare devices in the intermediate nodes because networks with such devices require more complicated maintenance than a conventional network. Therefore, from the economical reason, it is natural to impose this constraint to our network code. Unfortunately, only a few papers [23, 24, 25] discussed such a restriction. Hence, this paper addresses the difference between the capacities with and without such a restriction by introducing the no-randomness capacity and the full-randomness capacity. Further, as an intermediate case, by introducing the limited-randomness capacity, we can consider the case when the number of available scramble random numbers in each intermediate node is limited to a certain amount. Then, the relation between our capacities and the existing studies is summarized as Table I. In addition, for both types of capacities and capacity regions, we define the linear codes version, in which, our codes are limited to linear codes. We also show that the linear version of capacities and capacity regions are the same as the original capacities and capacity regions under the above examples because the optimal rate and rate regions in the original setting can be attained by linear codes.

The remaining parts of this paper is organized as follows. Section II gives the formulation of our network model. Section III gives an example of network model, in which, an adaptive attack efficiently improves Eve’s performance. To discuss the asymptotic setting, Section IV defines the capacity region. Section V discusses the relay network model and derives its capacity. Section VII discusses the homogenous multicast network model and derives its capacity. Section VIII discusses the homogenous multiple multicast network model and derives its capacity. In Section VI, we give an important lemma, which is used in the converse part in the above models.

Active Adaptive Node Linearity
attack attack randomness
Papers [1, 2, 3, 6] not allowed not allowed not allowed scalar
Paper [4] not allowed not allowed allowed non-linear
Papers [9, 10, 23, 24, 25] not allowed not allowed allowed scalar
Papers [5, 8] not allowed not allowed not allowed scalar
Papers [13, 14, 11] not allowed not allowed not allowed vector
Papers [12, 35] semi active attack not allowed not allowed vector
Paper [19] allowed not allowed not allowed vector/
non-linear
Our non-linear example not allowed allowed not allowed non-linear
No-randomness capacity allowed allowed not allowed vector
Limited-randomness capacity allowed allowed partially vector
Full-randomness capacity allowed allowed allowed vector

Node randomness expresses the random number generated in intermediate nodes, which is independent of the variables in other nodes and other players before starting the transmission. Linearity expresses whether the code is linear or not. When it is linear, the column expresses which linearity condition is imposed, scalar or vector linearity. These two kinds of linearity conditions are explained in Section V-E

. Semi active attack means that Eve injects the noise in several nodes and eavesdrops several nodes, but she estimates the message only from the eavesdropped information on the node without use of the information of the noise. For the detailed relation for active attack, see Remark 8 of

[19].

TABLE I: Summary of comparison with existing results

Ii Adaptive and active attack for general network

Ii-a Formulation and reduction to non-adaptive attack

Now, we give the most general formulation of network coding and adaptive and active attacks. We consider an acyclic general network with multiple multicast setting as follows. The network has source nodes, terminal nodes, several intermediate nodes, and edges, where each edge is assigned to a distinct number from . Hence, can be regarded as the set of edges. Each edge transmits a single letter on a finite set . Our task is the following. The -th source node securely sends the message to the

-th terminal node, where the messages are subject to independent uniform distribution. Here, the tuple of all messages are denoted by

.

Next, we assume that as scramble random numbers, each intermediate node can use additional uniform random numbers, which are independent of other random variables. They might be realized as physical random numbers. The -th source node converts the pair of the messages and the scramble random numbers to the tuple of the letters on the outgoing edges. Each intermediate node converts the pair of the letters on the incoming edges and the scramble random numbers to the tuple of the letters on the outgoing edges. The -th terminal node converts the pair of the letters on the incoming edges to the tuple of the recovered messages . We denote a network code by . We denote the cardinality of the message by . When , we simply denote it by . In particular, when , we simply denote it by . We denote the set of codes by .

Now, we consider two conditions for our network code .

(C1)

[Linearity] Any message, any scramble random number, and information on any edge can be given as elements of vector spaces over the finite field All of the conversions in source, intermediate, and terminal nodes are linear over , i.e., they are written as matrices whose entries are elements of . Then, the code is called linear with respect to 111This type of linear code is often called vector linear [26] because these random variables are given as elements of vector spaces over the finite field . Although the paper [26] assumes that all the messages, the scramble random numbers, and the variables on the edges have the same dimension, we do not assume this condition..

Here, to apply the linearity condition, we choose a subset of whose cardinality is a power of . Then, the information on any edge can be given as an element of vector space over the finite field . While all edges sent the information on the same set , the above subset might depend on the edge. This is because the dimension of the information to be sent depends on the edge in general. Since the cardinality of the set is an arbitrary number, we can apply this linearity condition to the case when is a given as the -th power of a certain set.

(C2)

[No-randomness] All of intermediate nodes have no scramble random numbers.

(C2’)

[Limited-randomness] Each limited intermediate node has limited scramble random numbers. When each group is composed of one node, as a typical example, we assume that the node in -th group can use random numbers per transmission.

Next, we define Eve’s attack. The conventional attack is modeled by a collection of subset of . That is, in the conventional attack, Eve chooses a subset , and eavesdrops the edges in the subset . This types of attack is called a deterministic attack. Hence, the set of deterministic attacks is identified with . The following discussion depends on the collection of subset of . That is, our problem is characterized by the structure of network and the collection . Also, Eve can randomly choose her choice

. Such an attack is written as a probability distribution

and is called a randomized attack. We denote the set of randomized attacks by .

In this paper, we allow Eve to adaptively choose the edges to be eavesdropped. For simplicity, we assume that all subsets in the collection have the same cardinality . While Eve is allowed to eavesdrop edges, she can adaptively choose them as follows. She chooses the first edge to be eavesdropped, and obtains the information on the edge. Based on the information , she chooses the second edge to be eavesdropped and obtains the information on the edge. In this way, based on the information , she chooses the -th edge to be eavesdropped and obtains the information on the edge. Since the choice of the set of attacked edges is given as a function of outcomes , it is often written as to clarify this point. Here, for any data , is required to belong to the family . This type of attack is called a general adaptive attack. In this type of attack, the order of eavesdropped edges has no relation with the numbers assigned to the edges. A general adaptive attack is called a time-ordered adaptive attack when . Although a general adaptive attack has less practical meaning than a time-ordered adaptive attack, we consider a general adaptive attack due to its mathematical simplicity. We denote the sets of time-ordered adaptive attacks and general adaptive attacks by and , respectively. The sets of their randomizations are written as and , respectively. Now, we identify the set of deterministic attacks with the collection . Considering a constant function , which does not depend on outcomes , we can consider the collection as a subset of while .

Next, we consider a more powerful attack than a time-ordered adaptive attack . Although Eve decides the eavesdropped edges in the same way as the time-ordered adaptive attack , she is allowed to change the information on the -th eavesdropped edge to , which is a function of her observations . This kind of attack is called an adaptive and active attack and is written as the pair of and . We denote the set of adaptive and active attacks (such functions) by . The sets of the randomizations are written as . When does not depends on her observations , is a deterministic attack and the pair is called an active attack. Indeed, when active attack is made, the information on the network is changed. However, in this paper, we do not care about the correctness of the recovered information when active attack is made. We consider the correctness in the decoding only when no active attack is made, i.e., we discuss only the secrecy when active attack is made.

Hence, we have the relations , and . We also assume that there is no error in any edges except for the eavesdropped edge.

Under a code and an attack , we denote the mutual information between the messages and Eve’s observations by . Also, under an attack we denote it by . In addition, an attack with , we denote it by . Then, for any attack for and a network code , we can choose an attack such that . That is, we have

(1)

for .

First, we consider the case when the network code is not necessarily linear. Then, we have the following theorem222 Even when the cardinality of each channel is different from , this theorem still holds. when expresses the information on the edge .

Theorem 1.

Assume that a network code satisfies the following condition. Given an arbitrary element , we have

(2)

for any element . Then, any general adaptive attack satisfies

(3)

Theorem 1 will be shown in the next subsection. Since for any implies the condition (2), we have the following corollary.

Corollary 1.

When the relation

(4)

holds for an arbitrary element , any general adaptive attack satisfies

(5)

This corollary guarantees that perfect security for any deterministic attack (4) implies perfect security for any general adaptive attack (5) without the linearity condition. Notice that the mutual information leaked to wiretapper is not zero in the counter example given in Section III.

In the case of linear network codes, we have the following lemma, which will be shown in the next subsection.

Lemma 1.

Let be the message and be the scramble random variable. We assume that they are subject to the independent uniform distribution. For a linear function , we define the variable . We choose a linear function such that . Then,

(6)

When the message and the scramble random variable are subject to the independent uniform distribution, applying Lemma 1 to the case when , we have

(7)

which implies the condition (2). Hence, Theorem 1 guarantees the following theorem.

Theorem 2.

Assume that a network code is linear with respect to a certain finite field . When the message and the scramble random variable are subject to the independent uniform distribution, any general adaptive attack satisfies (3).

Further, we have the following proposition.

Proposition 1 ([19, Theorem 1]).

Assume that a network code is linear. Any adaptive and active attack satisfies

(8)

Although the paper [19] shows Proposition 1 only for an active attack, the proof can be extended to an adaptive and active attack. That is, the reduction from an adaptive and active attack to an adaptive attack can be shown in the same way as [19, Theorem 1]. Therefore, when is a linear code, combing the above fact and (1), we find the relations

(9)

That is, when a network code is linear, we can restrict Eve’s attacks to deterministic attacks.

Remark 1.

Here, we remark the difference between our adaptive attack and the adaptive attack in [34]. The paper [34] considers the following attack when the code has block length and the sender sends information to the receiver times. The eavesdropper can change the nodes to be attacked on the -th transmission by using the information obtained by the previous attacks. However, in our setting, the eavesdropper can change the node to be attacked during one transmission from the sender to the receiver.

Ii-B Proofs of Theorem 1 and Lemma 1

Proof of Theorem 1:    We have

(10)

This relation implies (3).

Proof of Lemma 1:    Given , we have

(11)

So, we have

(12)

Hence, we have (6).

Iii Network with powerful adaptive attack

In this section, to consider when adaptive attack is more powerful than deterministic attack, we address the single shot setting, in which, the sender sends only one element of , which is called the scalar linearity. Although this section addresses the scalar linearity, Theorem 1 holds under vector linearity.

It is known that there exists a linear imperfectly secure code over a finite field of a sufficiently large prime power when Eve may access a subset of channels that does not contain a cut between Alice and Bob even when the linear code does not employ private randomness in the intermediate nodes [36]333In contrast, the paper [11] discussed a similar code construction by increasing (vector linearity) while it did not increase the size of . The paper [37] extended this type of vector linearity setting of imperfectly secure codes to the case with multi-source multicast.. Theorem 1 guarantees that such a linear code is still imperfectly secure even for active and adaptive attack over the same network. However, it is not clear whether there exists such a linear imperfectly secure code over a finite field of prime . We consider this problem over the finite field in order to investigate the importance of the linearity condition in Theorem 1. The previous paper [19, Section VII] showed that there exists no imperfectly secure code over active attacks under a toy network while there exists a imperfectly secure code over deterministic attacks. In that network model, non-linear code realizes the imperfect security over active attacks. In this section, we show that there exists no imperfectly secure code over adaptive attacks in the same network model.

The toy network model given in [19, Section VII] is the network of Fig. 1, whose edges are . Each edge is assumed to send the binary information . No scramble random variable is allowed in the intermediate node, which is the condition (C2). Eve is allowed to attack two edges of except for the pairs and . That is, . We adopt a imperfect security criterion in this section. When is Eve’s information and for all of Eve’s possible attacks, we say that the code is imperfectly secure. Otherwise, it is called insecure. That is, when there exists no function such that , our code is imperfectly secure. We consider the case when the sender transmits only the binary message and any edge can transmit only a binary information. As shown in [19, Theorem 4 of Section VII], there is no imperfectly secure linear code over finite field with prime for deterministic attacks. In other words, no linear code over finite field can realize the situation that Eve cannot recover the message perfectly with deterministic attack.

Fig. 1: Non-linear code.

Now, we prepare the binary uniform scramble random variable . We consider the following code. The encoder is given as

(13)

Then, we consider non-linear code in the intermediate node as

(14)
(15)

The decoder is given as . Since and are given as follows under this code;

(16)

the decoder can recover nevertheless the value of .

The leaked information for the deterministic attack is calculated as follows. As shown in [19, Appendix B], the mutual information and the norm security measure of these cases are calculated to

(17)
(18)

where the norm security measure is defined as by using the cardinality of the set of outcomes of the variable . In this section, we choose the base of the logarithm to be . Therefore, we find that this code is secure for deterministic attacks. That is, we find that there exists a secure code over deterministic attacks. Further, as shown in [19, Lemma 3 of Section VII], when Eve cannot recover the message perfectly with any deterministic attack in the code, the network code is limited to this code or a code equivalent to this code. This fact shows that there exists no imperfectly secure code over active attacks.

Now, we show that there exists no imperfectly secure code even for adaptive attacks without active modification. Due to the above observation, it is sufficient to show that there exists an adaptive attack to recover the message for the above given code. Here, we give two types of adaptive attacks to recover the message as follows.

(i)

First, Eve eavesdrops . When , she eavesdrops . Then, she recovers as . When , she eavesdrops Then, she recovers as .

(ii)

First, Eve eavesdrops . When , she eavesdrops . Then, she recovers as . When , she eavesdrops Then, she recovers as .

Therefore, we find that this code is not imperfectly secure even for adaptive attacks without active modification. That is, there exists no imperfectly secure code over adaptive attacks in this network model. This fact shows that an adaptive attack is powerful for this kind of non-linear code as an active attack even when it has no active modification. The discussion in this section is summarized as Table II.

Code deterministic attack adaptive attack
linear code over with prime insecure insecure
linear code over with imperfectly secure imperfectly secure
sufficiently large prime power
non-linear code over imperfectly secure insecure
TABLE II: Summary for one hop relay network (Fig. 1) with single shot setting

Iv Asymptotic formulation

Next, given a network and the collection , we consider the capacity and the capacity region depending on the restrictions on the codes. Due to (1), in the following, we do not consider randomization of Eve’s attack. We assume that each edge transmits when we use channel at times, where the number is called the block-length. Given integers and , we apply the formulation (including the linearity) given in Section II-A to the case when is given as . In this sense, the linearity condition (C1) is defined with block-length , and Theorem 1 can be applied in this discussion. Then, dependently of the block length , we denote and by and , respectively, although the collection does not depend on . First, we focus only on an adaptive attack . Since there is no noise, we denote the decoding error probability depends only on our code . Hence, we denote it by . Then, we impose the following two conditions to our code .

(C3)

[Reliability] The relation .

(C4)

[Secrecy] The relation holds for .

We denote the set of codes satisfying the above two conditions by . Additionally, we denote the set of codes satisfying the no-randomness condition (C2) as well as these two conditions by . In the unicast case, i.e., the case with , we define the full-randomness capacity and the no-randomness capacity as

(19)

Here, we should remark that we impose no linearity condition for our code. From the definition, we have the relation

(20)

In the multiple multicast case, we define the full-randomness capacity region and the no-randomness capacity region as

(21)

Similar to (20), we have the relation

(22)

Next, we consider the case when each node has limited randomness, which is given as the condition (C2’). Since this generalized case is complicated, we discuss this generalized setting only with the unicast case. Further, we suppose that each group is composed of one node. Then, as in the condition (C2’), we assume that the node in -th group can use random numbers per transmission. We denote the set of codes satisfying this condition with length by . Then, we define the capacity with limited randomness as

(23)

To clarify the effect by the linearity restriction, we denote the capacity and capacity region by and , respectively when the linearity restriction (C1) is imposed to our codes. Then, we have the relation and . Also, the capacity with limited randomness with linearity restriction (C1) to our codes is denoted by .

Restricting Eve’s attack to the deterministic attacks , we define the above type of capacities and capacity regions, which are denoted by and , respectively. Then, we have the relations , , , , and the similar relations.

Now, we address the case when an adaptive and active attack is allowed for Eve. In this case, we replace the condition (C4) by the following condition;

(C4’)

[Secrecy] The relation holds for .

However, we do not replace (C3) by the following robustness condition;

(24)

where is the decoding error probability with our code when Eve makes the attack . This situation can be justified in the following way when free public channel with no error is available. In this case, to communicate each other securely, they need to share secret random variables. To generate secret random variables, they send secret random variables via the secure network coding. The secrecy of the generated random variables is guaranteed by the secrecy condition (C4). That is, condition (4) is definitely needed. However, the robustness condition (24) is not necessary because they can check whether the transmitted random number is correct by the error verification test with the public channel after the transmission [27, Section VIII] [28, Step 4 of Protocol 2]. Hence, we impose the condition (C3) instead of (24). Replacing the condition (C4) by the condition (C4’), we define the above type of capacities and capacity regions, which are denoted by and , respectively. Then, we have the relations , , , , and the similar relations. In summary, for each , we have

(25)

That is, when the equality holds, all the capacities have the same value. In other cases, we have similar relations.

Example 1.

Now, as a typical example, we consider a single source acyclic network where Eve may choose any -subset channels to access, which we call -wiretap network [1, 2, 30, 31]. That is, is given as

. To discuss the capacities of the given network, we introduce two kinds of minimum cuts. To define them, we define a pseudo source node as a node that has only out-going edges but has no original message to be transmitted. A pseudo source node is classified as an intermediate node because it is not the source node nor the terminal node. The first type of minimum cut

is the minimum number of edges crossing a line separating the source node and the terminal node. The second type of minimum cut is the minimum number of edges crossing a line separating the source node and the terminal node with removing all edges out-going from pseudo source nodes. That, while edges out-going from pseudo source nodes are ignored in , they are counted in . For -wiretap network, we have

(26)
(27)

When the network has no pseudo source node, , which implies the equalities in (27). For example, the network given in Fig. 2 shows a network has different rates and . This network has a linear code to realize when , which implies the equalities in (27).

Fig. 2: Network with equality in (27). Node 1 is the source node and Node 5 is the terminal node. Node 4 is a pseudo source node. Hence, and . It also shows a linear code to achieve when . The source node (Node 1) has the message and a scramble variable . The pseudo source node (Node 4) has another scramble variable . Even when Eve wiretaps any one edge, she cannot obtain any information for the message .

The relations (26) and (27) can be shown as follows. It was shown in [2, Section III] that the rate is achievable by a linear code where only source node generates randomness when Eve is allowed to use deterministic attack. However, any adaptive and active attack is reduced to deterministic attack under a linear code. Hence, we obtain .

Using a idea similar to [2, Section IV], we show . For this aim, we choose edges crossing a line separating the source node and the terminal node such that these edges contains the eavesdropped edges. Let be the variable on the eavesdropped edges, and be the variable on the above edges crossing the separating line. Let be the message to be securely transmitted. Due to the security condition, we have When an edge has an information with cardinality , the receiver’s information satisfies

(28)

which implies . Therefore, using (20) and (25) and combining these facts, we obtain (27).

When no intermediate node is allowed to generate randomness, any pseudo source node plays no role. Hence, the above discussion yields that . Thus, we obtain (26).

Example 2.

Next, we consider the case when is given by using the following group structure of the intermediate nodes. The intermediate nodes are divided into groups, from the first group to the -th group. Here, source nodes and terminal nodes are regarded as the -th group and the -th group, respectively. For , there are several edges between the -th group and the -th group. We call the set of these edges the -th edge group. As seen later, this grouping of edges is essential to define the collection . Each intermediate node has incoming edges and outgoing edges.

Eve is assumed to eavesdrop a part of edges from the -th edge group. Eve’s ability is characterized by the collection of subsets of the -th edge group to be eavesdropped, which is called the -th tapped-edge collection and is denoted by . When an intermediate node of -th group is directly linked to an intermediate node of -th group, we consider that the intermediate node of -th group is connected to intermediate node of -th group with an edge that is not contained in any member of the -th tapped-edge collection . Similarly, when an intermediate node of -th group is directly linked to an intermediate node of -th group, we can apply the same reduction. Hence, without loss of generality, we can assume that an outgoing edge of an intermediate node of -th group is linked only to an intermediate node of -th group. Hence, the collection is given to be .

V Relay network

V-a Formulation and capacities

Now, as a special case of Example 2, we consider the relay network given in Fig. 3 as a generalization of the network of Fig 1. This network is a unicast network, and only one intermediate node in each intermediate group. That is, it has intermediate nodes. We have edges between the and -th nodes. In one channel use, each edge can transmit the information for and that takes values on .

Fig. 3: Unicast relay network.

Here, we assume that Eve can eavesdrop edges among edges between the and -th nodes. In this notation, the function expresses the edges eavesdropped by Eve. That is, she can eavesdrop edges totally. In this paper, we allow stronger attacks for Eve than conventional attacks, i.e., adaptive attacks and active attacks.

Then, we have the following capacity theorem.

Theorem 3.

Defining

(29)

we have

(30)
(31)
(32)

Here, we discuss the relation to existing results with respect to the difference between two capacities and . A larger part of studies discuss the capacity (or capacity region) with no restriction of randomness generated in intermediate nodes. For example, in -wiretap network, which is a typical network model, as explained in Example 1, the capacity with no restriction can be achieved without use of randomness generated in intermediate nodes. However, the paper [23] showed an example, in which randomness generated in intermediate nodes improves the capacity. In this example, the source node is connected only with one edge. Usually, the secure transmission can be done by use of the difference between information on different edges connected to the same node. Hence, it is natural that randomness generated in intermediate nodes improves the capacity when each source node is connected only to one edge.

The papers [24, 25] addressed the difference between the existence and non-existence of randomness generated in intermediate nodes in another network only for deterministic attacks. However, they did not derive the capacities and exactly. Their analysis depends on special codes. Therefore, our analysis is the first derivation of the difference between the capacities and except for the case when the source node is connected only with one edge.

V-B Converse part

For any , the rate of secure transmission from the -th intermediate node to the -th intermediate node is . Taking the minimum with respect to , we obtain .

Next, we consider (31). For the amount of leaked information, we have the following theorem.

Theorem 4.

Under the condition (C2), we have

(33)

Therefore, to realize the condition

(34)

the message needs to satisfy the condition

(35)

When use the same network times, the condition (34) requires the condition

(36)

which implies .

Theorem 4 can be generalized to the limited randomness case as follows. Hence, it is sufficient to show Theorem 5.

Theorem 5.

Under the condition (C2’), we have

(37)

Proof of Theorem 5:    Now, we independently choose the sets subject to the uniform distribution. We denote the expectation is with respect to this random choice by . We prove Theorem 5 by using Lemma 4, which will be shown in the latter section. Application of Lemma 4 to shows the inequality

(38)

for . Then we have for ,