^{1}

^{2}

This paper analyzed the security of constant dimensional subspace code against wiretap attacks. The security was measured in the probability with which an eavesdropper guessed the source message successfully. With the methods of linear algebra and combinatorics, an analytic solution of the probability was obtained. Performance of subspace code was compared to several secure network coding schemes from the perspective of security, flexibility, complexity, and independence, etc. The comparison showed subspace code did not have perfect security, but it achieved probabilistic security with low complexity. As a result, subspace code was suitable to the applications with limited computation and moderate security requirement.

Wiretap attacks on networks denote an eavesdropper, named by Eve, intends to resolve the source message by wiretapping network transmissions. A wiretap attack is imperceptible since it does not disturb normal communications. For a communication network, the security performance against wiretap attacks is tightly related to the underlying transmission mechanisms. There are two types of transmission mechanisms of communication networks: routing and network coding. Traditional routing networks operate in the way of store and forward. A relay node is only allowed to faithfully forward the received packets. Accordingly, if Eve intercepts a routing packet, he will obtain the containing message. On the contrary, a linear network coding (LNC) system operates in the way of store, encode, and forward. In the LNC realm, an intermediate node is allowed to combine received packets to generate and pass on novel output packets. As a result, if Eve intercepts a LNC packet, he cannot resolve the source message except he can successfully decode. Two necessities are required for successful LNC decoding by a legal subscriber or Eve [

• Enough received packets.

• Full knowledge of coding rules, such as local coding vectors (LCV) or global coding vectors (GCV).

Both necessities demand stronger capabilities with Eve in LNC networks than in routing networks. Thus, LNC is inherently more secure than routing. In this paper, we name the intrinsic secure nature of LNC by basic security. An example of routing and LNC is shown in

Definition 1. (Wiretap Network Model) [

• A directed acyclic graph G = (V, E), with V and E representing the sets of nodes and edges, respectively.

• A source node S Î V.

• A set of receiver nodes R = { r i : r i ∈ V } .

• A collection of wiretap channel sets A = { A : A ⊂ E } . An enemy can wiretap only one instance of A.

If the number of wiretapped edges is limited, say |A| ≤ r, i.e., there are r wiretapped edges at most, but the wiretap pattern A is not fixed, it is called r-WNM [

Based on WNM or r-WNM, a variety of secure LNC schemes were proposed. According to the protection strength, we classify these schemes into three security grades: weak security, perfect security and strong security. Let m = (m_{1}, ∙∙∙, m_{n}) and y_{A} denote the source message and the set of symbols intercepted from the wiretap pattern A, respectively. Then, weak security [_{i} from being solved. There are two classes of weakly secure LNC schemes. The first depends on an elaborately designed LNC algorithm [_{1}, ∙∙∙, m_{n}) so that the knowledge of y_{A} with |A| < n is not enough to solve m_{i}. The second leverages classical cryptography to protect message by encryption [

an intra-generation coding encryption models to protect the information of m from leakage, i.e., H(m|y_{A}) = H(m). A perfectly secure LNC scheme can be built based on precoding [

A comparison between perfect security and weak security is shown in _{3}. It is concealed by a random symbol k. No matter which edge (upper or lower, but not both) is wiretapped, Eve gets no information about x. _{1} and x_{2} over F_{3}. It is easy to check that with only one symbol overheard from any edge, Eve can get an amount of information about m = (x_{1}, x_{2}), but he cannot guess the value of x_{1} or x_{2} precisely.

In this paper, we aim to analyze the security performance of subspace code against wiretap attacks. Subspace code is a kind of source coding strategy combined with random LNC. It was utilized and analyzed by Kötter and Kschischang [

The remainder of the paper is organized as the following: Section II introduces the concept of subspace code and its application on error correction; Section III presents detailed analysis to the security of subspace code against wiretap attacks. Some quantitative results are obtained; In Section IV, we compared subspace code with several LNC schemes; Finally, we summarize the conclusion in Section V.

Subspace code belongs to the family of array code [_{q} by F q n . See

The overall space is F 5 4 .

Subspace code is based on the vector space preserving property of LNC [

Kötter and Kschischang [

d S ( U , V ) = dim ( U + V ) − dim ( U ∩ V ) (1)

where the sum space U + V = { u + v : u ∈ U , v ∈ V } is the smallest subspace containing both U and V, and the intersection space U ∩ V is the biggest subspace contained in both U and V. A minimum distance decoding rule is defined in terms of d S ( U , V ) .

V ^ = arg min V ∈ codebook d S ( U , V ) (2)

If subspace code is implemented in a hostile environ, the designer and users may care about its security performance against various attacks. In this paper, we address the security of subspace code against wiretap attacks.

In a random LNC network [

Consider an error free random LNC network using k dimensional subspace code over F q n . The eavesdropper Eve wiretaps l network links and tries to restore the source message. Assume Eve masters the full knowledge of the subspace code, i.e., he knows the finite field F_{q}, the dimension parameters n and k, and the code book, etc. Thus, Eve behaves just like a valid subscriber except that he can only collect l vectors from the network. Obviously, l measures his wiretap capability. Specifically, if l = k, he can decode the source message just like a legal subscriber; If l < k, the number of intercepted packets is not enough to precisely identify the sending subspace, so Eve cannot decode the message correctly. However, he can guess the k dimensional sending subspace with the knowledge of l intercepted vectors. The method of guess is also used in [

Before analyses, we introduce a counting result of a constant dimensional subspace code. The number of k dimensional subspaces of F q n is denoted by ( n k ) q , which is called Gaussian coefficient in combinatorics [

( n k ) q = ( q n − 1 ) ( q n − 1 − 1 ) ⋯ ( q n − k + 1 − 1 ) ( q k − 1 ) ( q k − 1 − 1 ) ⋯ ( q − 1 ) (3)

WLOG, denote the l wiretapped vectors by V 1 , ⋯ , V l , ( l ≤ k − 1 ). Then, we have

Theorem 1: Within the vector space F q n , the number of distinct k dimensional subspaces containing V 1 , ⋯ , V l equals

M = ( q n − l − 1 ) ( q n − l − 1 − 1 ) ⋯ ( q n − k + 1 − 1 ) ( q k − l − 1 ) ( q k − l − 1 − 1 ) ⋯ ( q − 1 ) (4)

Proof: Assume the basis vectors of the k dimensional subspace are V 1 , ⋯ , V l , V l + 1 , ⋯ , V k . Because V_{l}_{+1} must take a value other than any linear combination of V 1 , ⋯ , V l , the number of possible choices of V_{l}_{+1} should be q n − q l . Similarly, we get the number of possible choices for V_{i} ( l + 1 ≤ i ≤ k ) and denote it by N(.). It is listed below.

N ( V l + 1 ) = q n − q l , N ( V l + 2 ) = q n − q l + 1 , ⋯ , N ( V k ) = q n − q k − 1 (5)

Thus, the number of possible k dimensional bases containing V 1 , ⋯ , V l should be

( q n − q l ) ( q n − q l + 1 ) ⋯ ( q n − q k − 1 ) (6)

Next, consider a specific k dimensional subspace S_{i} containing V 1 , ⋯ , V l . If we still denote the basis of S_{i} as V 1 , ⋯ , V l , V l + 1 , ⋯ , V k , then the number of possible choices of V_{i} ( l + 1 ≤ i ≤ k ), denoted by N'(.), should be

N ′ ( V l + 1 ) = q k − q l , N ′ ( V l + 2 ) = q k − q l + 1 , ⋯ , N ′ ( V k ) = q k − q k − 1 (7)

That is to say for the specific k dimensional subspace S_{i}, the number of possible choices of V 1 , ⋯ , V l , V l + 1 , ⋯ , V k is

( q k − q l ) ( q k − q l + 1 ) ⋯ ( q k − q k − 1 ) (8)

Connecting (6) and (8), the number of distinct k dimensional subspaces containing V 1 , ⋯ , V l equals

M = ( q n − q l ) ( q n − q l + 1 ) ⋯ ( q n − q k − 1 ) ( q k − q l ) ( q k − q l + 1 ) ⋯ ( q k − q k − 1 ) = ( q n − l − 1 ) ( q n − l − 1 − 1 ) ⋯ ( q n − k + 1 − 1 ) ( q k − l − 1 ) ( q k − l − 1 − 1 ) ⋯ ( q − 1 ) (9)

One may notice that (3) is a special case of (4) with l = 0. To calculate the guess probability, we assume the source messages are uniformly distributed, i.e., all k dimensional subspaces are equiprobable. With this assumption, the enemy can successfully guess the sending subspace with the probability of

P = 1 M = ( q k − l − 1 ) ( q k − l − 1 − 1 ) ⋯ ( q − 1 ) ( q n − l − 1 ) ( q n − l − 1 − 1 ) ⋯ ( q n − k + 1 − 1 ) (10)

With the setting of (n = 8, q = 2, k = 6), the probability P is calculated and shown in

To observe the relation between P and k, set l = k − 1. This is corresponding to the case that the number of wiretapped vectors is just one less than the dimension of the subspace code. With this setting, P reduces to

P = ( q − 1 ) ( q n − k + 1 − 1 ) (11)

The curve related to (11) is delineated in

Finally, with the notation of information theory, we can calculate the amount of information leakage. Prior to being wiretapped, all k-dimensional subspaces, i.e., all code words, are equiprobable, so the average uncertainty for Eve equals the logarithm of the Gauss coefficient. After Eve wiretapped V 1 , ⋯ , V l , only M codewords are left with equal probability, which become potential sending codewords. So, the average uncertainty reduces to log(M). As a result, the information leakage, which is equivalent to the decrease of the average uncertainty, equals

I ( m ; y A ) = H ( m ) − H ( m | y A ) = log ( ( n k ) q ) − log ( M ) = log [ ( q n − 1 ) ⋯ ( q n − l + 1 − 1 ) ( q k − 1 ) ⋯ ( q k − l + 1 − 1 ) ] ( bits / l vectors ) (12)

Different from perfect security and weak security, the security of subspace code is evaluated by the guess probability. Because there is an amount of information

leakage, subspace code is not perfectly secure. Its security performance is not as competent as perfectly secure codes and may be inferior to some weakly secure codes. However, we mention that these schemes achieve security at the cost of extra operations, such as precoding [

Take [_{i} from being exposed on any edge, it is sufficient to force the GCV not to be multiples of a unit vector; Or else, the wiretapped symbol will become a multiple of m_{i}. To this end, [_{i} by wiretapping two symbols from network links.

Compared to [

Except for complexity gains, subspace code is more scalable and flexible than many secure coding schemes. For example, most LNC schemes with perfect security or weak security need a private link to share confidential components, such as symmetric key, precoding matrix, hash function or permutation function, etc. This adds extra cost and may not be implementable in some cases. However, there is no need of confidential channels in subspace code. Moreover, many secure coding schemes are only effective to fixed networks. On the contrary, subspace code can work in both fixed and mobile networks, so it is more flexible with the underlying network. The comparison of subspace code with some secure LNC schemes is listed in

Schemes | Performance Metrics | ||
---|---|---|---|

Topology | Complexity | Feasibility | |

[ | Fixed | High | 1-WNM |

Subspace Code | Variable | Low | r-WNM |

Schemes | Security | Topology | Method | Private Link |
---|---|---|---|---|

[ | Perfect | Fixed | Precoding | Need |

[ | Weak | Variable | Encryption | Need |

[ | Weak | Variable | Hash function | Need |

[ | Weak | Fixed | LNC algorithm | No need |

[ | Weak | Variable | Permutation | Need |

[ | Weak | Variable | Permutation | Need |

Subspace Code | Basic | Variable | None | No need |

In this paper, we analyze the security performance of a constant dimensional subspace code against wiretap attacks. The analysis is developed with the method of combinatorics. The attacking capability of the enemy is measured by the number of wiretapped packets and the security is measured by the guess probability. A quantitative solution of the probability is obtained. The result shows that subspace code is not perfectly secure, but it gets probabilistic security with low complexity. Still, subspace code is characterized by high flexibility, no need of private link, and topology independence, etc. In conclusion, subspace network coding is suitable to the security applications with limited computation and moderate security requirement. It has the properties of low complexity, high flexibility and extendibility, as well as little bandwidth consumption, etc. Future work can be done on effectively integrating subspace network coding with existing security techniques, such as encryption, to further strengthen network security.

This work is supported in part by NSFC with No. 61471045 and Natural Science Foundation of Liaoning Province with No. 20170540008.

Liu, Y.T. and Morgan, Y. (2018) Security Analysis of Subspace Network Coding. Journal of Information Security, 9, 85-94. https://doi.org/10.4236/jis.2018.91007