Adversarial Models and Resilient Schemes for Network Coding
Authors: Leah Nutman, Michael Langberg
November 2, 2018

Abstract

In a recent paper, Jaggi et al. [12], presented a distributed polynomial-time rate-optimal network-coding scheme that works in the presence of Byzantine faults. We revisit their adversarial models and augment them with three, arguably realistic, models. In each of the models, we present a distributed scheme that demonstrates the usefulness of the model. In particular, all of the schemes obtain optimal rate $C - z$, where $C$ is the network capacity and $z$ is a bound on the number of links controlled by the adversary.

1 Introduction

Network coding is a powerful paradigm for network communication. In "traditional" networks, internal nodes simply transmit packets that arrive to them (without any substantial change of their content). In contrast, when performing network coding, internal nodes of the network are allowed to mix the information from different packets they receive before transmitting on outgoing edges. This mixing may substantially improve the throughput of a network, it can be done in a distributed manner with low complexity, and is robust to packet losses and network failures, e.g., [1, 17, 15, 13, 8].

The focus of this paper is network coding for multicast networks (where a single sender wants to transmit the same information to several receivers), in the presence of Byzantine network faults. A Byzantine adversary that may maliciously introduce erroneous messages into a network may be especially disruptive when network coding is applied. The simple reason is that any message (including the faulty ones) affects all messages on its path to the recipient. Therefore, a single faulty message may contaminate many more messages down the line. Motivated by the above difficulty, there has been some work on detecting and correcting Byzantine faults.
We distinguish between computationally unbounded and computationally bounded adversaries. For computationally unbounded Byzantine adversaries, error detection was first addressed in [9]. This was followed by the work of Cai and Yeung [18, 2], who generalize standard bounds on error-correcting codes to networks, without providing any explicit algorithms for achieving these bounds. Jaggi et al. [11] consider an information-theoretically rate-optimal solution to Byzantine attacks, which however requires a centralized design. Finally, a distributed polynomial-time rate-optimal network-coding scheme was recently obtained (independently) by Jaggi et al. [12] and Koetter and Kschischang [14]. Error detection for multicast network coding in the presence of computationally bounded Byzantine adversaries was also considered in the past [16, 4, 3]. In these works various authentication schemes are performed at internal nodes of the network. In [16, 4] a centralized trusted authority is assumed to provide hashes of the original packets to each node in the network; [3] obviates the need for a trusted entity under the assumption that the majority of packets received at terminal nodes is uncorrupted.

This paper builds on the scheme of [12] to obtain distributed polynomial-time rate-optimal network-coding schemes in three realistic adversarial models. Our schemes, as well as those of [12], assume no knowledge of the topology of the network and follow the distributed network coding protocol of [8]. Namely, their implementation involves only a slight modification of the source and destination while the internal nodes can continue to use the standard protocol of [8].

* Computer Science Division, The Open University of Israel, Raanana, 43107, Israel. lnutman@gmail.com
† Computer Science Division, The Open University of Israel, Raanana, 43107, Israel. mikel@openu.ac.il
Before we mention our contribution in detail, we present a brief description of the adversarial models studied in [12]. In the following informal summary, a sender named 'Alice' is interested in the transmission of information to a group of receivers named 'Bob' over a given network. The Byzantine adversary, 'Calvin', controls some of the links of the network and injects erroneous messages into the network with the aim of corrupting the communication between Alice and Bob.

Omniscient adversary model: In this model Calvin is all-powerful and all-knowing, and is limited only by the number of links $z$ under his control. [12] obtained a network coding scheme with optimal rate for this model of $C - 2z$, where $C$ is the network capacity.

Secret channel model: This model allows Alice to send to Bob a short (low rate) secret, which is completely hidden from Calvin (who is again all-powerful and all-knowing (excluding the secret), and is limited by the number of links $z$ under his control). [12] obtained a network coding scheme with optimal rate of $C - z$ for this model. Notice that the rate achievable in this model is strictly higher than that in the Omniscient model. This secret channel model was originally referred to in [12] as the 'shared secret model'. We rename it here to secret channel model as the secret shared in this model between Alice and Bob may depend on Alice's message. We elaborate on this point in detail shortly.

Limited eavesdropping model: The last model, which is the least relevant to our work, limits the number of links on which Calvin can eavesdrop (it was originally named "limited adversary model" and we rename it here for concreteness). In this model [12, 10] obtained a network coding scheme with rate $C - z$, as long as Calvin can eavesdrop on at most $C - z$ links (in addition to the $z$ links under his complete control).
Our Contribution

In this work we introduce three additional adversarial models, and give optimal rate efficient distributed network-coding schemes in each of the models. As mentioned above, our schemes (as well as those of [12]) assume no knowledge of the topology of the network and follow the distributed network coding protocol of [8]. Roughly speaking, we obtain an optimal rate of $C - z$ in all the adversarial models described below (the optimality of our schemes follows, e.g., from [11]).

Random-Secret Model: The first model we present is the random secret model in which Alice and Bob share a short (uniformly distributed) random secret which is completely hidden from Calvin. Calvin is all-powerful and all-knowing (excluding the secret), and is limited by the number of links $z$ under his control. This model differs from the 'secret channel' model discussed in [12] in the sense that the secret that is shared by Alice and Bob is not constructed as a function of Alice's message, but rather is uniformly distributed and independent of Alice's message. The independence of the secret shared by Alice and Bob from the actual message $M$ being transmitted by Alice has several advantages. This allows Alice and Bob to share their secret prior to the act of communicating $M$. For example, one may consider the scenario where Alice and Bob are able to meet (or communicate) in advance and share a large source of completely random bits (such as a CD of uniformly generated bits). As long as these bits are unknown to Calvin, they can be used over time to communicate at high rate over the network (without the need of an additional low rate channel connecting Alice and Bob).
Moreover, as we will see shortly, communication in this model sets the foundations for communicating at high rate in the setting in which Calvin is computationally bounded (more specifically, in the symmetric key cryptographic setting). We would like to note that in the scheme of [12] for their 'secret channel' model, the secret information that Alice and Bob share indeed strongly depends on the message $M$ Alice transmits to Bob and hence cannot extend naturally to the examples mentioned above. For the random secret model we obtain a network coding scheme with optimal rate of $C - z$. Our scheme is obtained by a transformation of the scheme of [12] for the secret channel model. In our proof we do not need to get into the finer details of the original scheme and instead observe and exploit a useful property of the original secret composition.

Causal-Omniscient Model: As in the Omniscient model of [12], in this model we assume Calvin is all-powerful and all-knowing, and is again limited by the number of links $z$ under his control. However, to obtain rate greater than $C - 2z$, we slightly restrict Calvin. Namely, we assume that Calvin is causal. Specifically, when Calvin injects messages into the network at time step $t$, he only has access to messages sent by Alice at time steps at most $t + \Delta$. Here, $\Delta$ is some parameter of the network which is considered small compared with the length of the communication stream. We present an optimal rate distributed network coding scheme for this model. Just as in the omniscient adversary model, our scheme requires $C > 2z$. However, in such a case we obtain a rate of $C - z$ (compared with $C - 2z$ in the omniscient adversary model). Our scheme is obtained by a fully modular composition of two network coding schemes from [12]: one for the omniscient adversary model and the other for the secret channel model.
The study of the causal-omniscient model will set the foundations for communicating at high rate in yet an additional setting in which Calvin is computationally bounded, the public key cryptographic setting. We would like to note that causal adversaries were also implicitly studied in [11] in the centralized setting, while in this work we focus on the distributed setting. Nevertheless, the upper bounds proven in [11] imply that the requirement of $C > 2z$ is necessary (otherwise no information can be transmitted).

Computationally-Bounded Adversary Model: While our previous models did not make any computational assumptions on the parties involved, we now turn to study the case in which Calvin is computationally bounded (as before Calvin is all-knowing, excluding any secret keys, and limited by the number of links $z$ under his control). In this setting, we present two results. The first result uses the notion of symmetric key cryptography and is based on our random secret model. Roughly speaking, in the case Calvin is computationally bounded, one may replace the random secret in the random secret model by a series of pseudo-random bits: bits that would still look completely random (i.e., uniform) to Calvin. Now, to generate an (effectively) unlimited amount of shared pseudo-random bits, to be used in several executions of the random secret protocol, all Alice and Bob need to do is exchange a single short secret key prior to the communication process. This single key, and the bits it generates, may be used over essentially unlimited time to communicate at high rate. The second result addresses the public key cryptographic setting. In this setting, each of the parties, Alice and Bob, holds a pair of keys: a private key (known only to itself) and a public key (known to all, including Calvin).
Encrypted point to point communication between Alice and Bob can be done using these public and private keys, without Alice and Bob ever meeting in advance to exchange a shared secret key. However, in the model we study, no point to point channel is available, and Alice would like to communicate at high rate to Bob over a given network. We present a network coding scheme for the model at hand. Our scheme is based on the scheme we present for the causal-omniscient model, with the sole difference that public-key encryption is used to hide some of Alice's information from Calvin. As common in the study of cryptographic primitives, both our results are conditional, in the sense that they hold assuming that certain cryptographic primitives exist (such as the assumption that factoring is hard). Under such assumptions, we prove in the symmetric key setting that our scheme obtains an optimal rate of $C - z$, and in the (weaker) public key setting we obtain the same optimal rate under the condition that $C > 2z$. In this model Calvin is no longer causal; however, as in the causal-omniscient model, it can be seen that the upper bounds of [11] imply that the latter requirement of $C > 2z$ is necessary. We note that in the public key scenario, we assume that Alice knows Bob's public key. For this reason, the public-key model seems particularly suitable in settings where cryptography is already involved (e.g., to ensure privacy and integrity of the communication). In such a scenario, a public-key infrastructure may already be available and computational limitations on the adversary are usually already assumed.

The remainder of the paper is organized as follows. Section 2 contains the model definitions and notation. Sections 3, 4 and 5 discuss the three new models and schemes presented above.
2 Preliminaries

In this section we give the definitions and notation that are required to model network coding in various adversarial models. Our definitions and notation mostly follow [12].

Network Model The network will be modelled as a graph. We assume our graphs are acyclic, and the communication over them is done in a synchronous manner. Namely, in each time step a single packet of information can traverse an edge of the network.

Network-coding schemes We will consider the task of routing information over the network from a single sender Alice to multiple receivers Bob (the setting of multicast). In fact, in our analysis, it will usually be sufficient to consider a single receiver Bob. The reason is that in the schemes we suggest, neither Alice nor the network need to be aware of the location of Bob in the network. Therefore, it will be possible to extend each one of our schemes from the case of a single receiver to the case of multiple receivers (this state of affairs is common in the study of multicast network coding, e.g. [12]). We will therefore continue the formalization, assuming a single receiver (and will address the setting of multicast separately for each one of our schemes). We will not assume that Alice, Bob or any other internal node is aware of the network topology or of the location of Alice and Bob in the network. The network topology will only influence the maximal achievable rate.

A network-coding scheme is defined by Alice's encoder, Bob's decoder, and the coding performed in internal nodes. We will now discuss those three components. Let $M$ be the message Alice wishes to transmit to Bob. The encoding algorithm of Alice adds some redundancy into the message, thus obtaining an encoded message $X$. This information is routed through the network, where it is further encoded (as a result of the network coding).
Bob receives encoded information that may also encompass network faults. Bob's decoding algorithm, applied to the encoded information, is supposed to factor out the network faults and retrieve the original message $M$. It is convenient to assume that Alice's encoded message $X$ is represented by a $b \times n$ matrix, where every entry of the matrix is an element from a finite field $\mathbb{F}_q$. We refer to a column as a slice, to a row as a packet, and to each entry as a symbol. It is also useful to note that in all of the schemes of [12], as well as ours, $X$ is composed of the original message $M$, and in addition some $\delta n$ slices of redundancy. In other words, the size of $M$ is $(1 - \delta)$ that of $X$.

The specific coding performed by internal nodes is less relevant to our work, as it is inherited without change from [12]. For concreteness, let us mention that internal nodes, as well as Alice herself, perform random linear network coding à la [8]. Namely, for each of its outgoing links, a node selects random coefficients of a linear transformation over $\mathbb{F}_q$ (the number of coefficients is $b$ for Alice and equals the in-degree for any internal node). The network coding of each of the slices of $X$ goes as follows: First Alice sends on each of her outgoing edges the corresponding linear transformation of the symbols in the slice. Whenever an internal node receives a symbol on each of its incoming edges (which is in itself a linear transformation of the slice's symbols), it sends on its outgoing edges the corresponding transformation of those symbols. As common in the literature of network coding, as our graphs are acyclic, we assume that information from different slices is not mixed throughout the communication process. This can be established by sufficient memory at internal nodes of the network.
Adversarial Model Each one of the adversarial models we consider in this paper is specified by the exact power of the adversary Calvin. We mention here the common properties of Calvin. Calvin has under his control $z$ of the network's links, of his choice.¹ On these links Calvin may inject his own packets, disguised as part of the information flow from Alice to Bob. Calvin succeeds if Bob decodes a message different than Alice's original $M$. The goal of the network-coding scheme is to ensure this only happens with very small probability while maximizing the rate at which information flows from Alice to Bob. We do not assume that Alice, Bob or any internal node are aware of the links under Calvin's control. On the other hand, Calvin has full knowledge of the network topology as well as the identity of Alice and Bob. In all of our models we assume that Calvin has full eavesdropping capabilities (i.e., Calvin can monitor the entire communication on each one of the links). Calvin knows the encoding and decoding schemes of Alice and Bob, and the network code implemented by the internal nodes (including the random linear coefficients). Furthermore, in our proofs, we assume that Calvin selects the message $M$ that Alice transmits. This ensures that our schemes work for every message $M$ Alice sends to Bob.

The network capacity, denoted by $C$, is the maximum number of symbols that can be delivered on average, per time step, from Alice to Bob, assuming no adversarial interference (i.e., the max flow of information from Alice to Bob). The network capacity is known to equal the min-cut from Alice to Bob. (For the corresponding multicast case, $C$ equals the minimum of the min-cuts over all destinations.) For a message $M$, the error probability $e(M)$ is the probability that Bob reconstructs a message different from Alice's message $M$.
The (maximum) error probability of the encoding scheme is defined to be $e = \max_M \{ e(M) \}$ (here the maximization is taken over the message $M$ of Alice). The rate is the number of information symbols that can be delivered on average, per time step, from Alice to Bob. In the parameters above, the rate equals $(1 - \delta) \cdot b$ (recall that $\delta$ is the fraction of redundant slices). Rate $R$ is said to be achievable if for any $\alpha > 0$ and $\epsilon > 0$ there exists a coding scheme of block length $n$ with rate $\geq R - \alpha$ and error probability $e \leq \epsilon$.

¹ The parameter $z$ represents Calvin's power. It is possible to define $z$ as the min cut between Calvin's links and Bob. This is at most, but may be strictly smaller than, the number of links under Calvin's control.

2.1 Building Blocks of our Schemes

Our network-coding schemes rely on the schemes of [12], given in two adversarial models: the omniscient adversary model and the secret channel model. We discuss those schemes here.

2.1.1 A scheme in the omniscient-adversary model

In the omniscient adversary model, we put no restrictions on the knowledge and ability of Calvin (see discussion in Section 2). In this model, [12] gave a distributed polynomial-time scheme $A_{omn}$, and proved for it the following theorem:

Theorem 2.1 ([12]) $A_{omn}$ achieves a rate of $C - 2z$, in the omniscient-adversary model, with code-complexity $O((nC)^3)$.

2.1.2 A scheme in the secret-channel model

In the secret channel model, we assume that Alice can secretly send Bob a (short) message that is completely hidden from Calvin. We put no additional restrictions on the knowledge and ability of Calvin (see discussion in Section 2). In this model, [12] gave a distributed polynomial-time scheme $A_{sc}$, and proved for it the following theorem:

Theorem 2.2 ([12]) $A_{sc}$ achieves a rate of $C - z$, in the secret-channel model, with code-complexity $O(nC^2)$.
The communication on the secret channel consists of at most $C^2 + C$ symbols. In Section 3, we give some more details on the way the secret message is defined in $A_{sc}$.

2.2 Proof techniques: reduction and worst case analysis

A scheme is said to be (information theoretically) secure against an adversarial entity Calvin, if for any behavior of Calvin, Alice is able to communicate her information to Bob (with high probability). Loosely speaking, we think of Calvin as an algorithmic procedure, which given certain inputs (such as the network topology, Alice's information and the network code applied by the network), computes which edges in the network to corrupt and which error message to transmit. There are several proof paradigms that can be used in an attempt to establish the correctness of a given coding scheme. In this work, the correctness of our coding schemes will be proven by means of reduction. Namely, we build upon the results of [12], and prove that any adversarial entity Calvin that breaks our schemes will imply an additional adversary (usually referred to as Calvin') that will not allow communication in one of the schemes presented in [12]. More specifically, our proofs can be outlined as follows. We first define our coding schemes. We will then assume for the sake of contradiction that they are not secure. As we would like our schemes to be secure for any message $M$ of Alice, this will imply the existence of an adversary Calvin that first chooses which message $M$ Alice should send to Bob, and then is able to corrupt the communication of $M$ between Alice and Bob. Thinking of Calvin as an algorithmic procedure, we show how to define the additional adversary Calvin', which is a procedure based on Calvin. Finally we show that Calvin' is able to break one of the (provably secure) schemes presented in [12]; this suffices to conclude our proof.
3 Random-Secret Model

The random-secret model is similar to the secret-channel model of [12] with the difference that the secret information sent from Alice to Bob should be random and independent of Alice's input message $M$. Formally, we allow Alice to share with Bob a short secret (which is uniformly distributed). This secret will stay hidden from Calvin.

Alice's secret and message encoding in $A_{sc}$ Recall that $A_{sc}$ is the scheme presented in [12] for communication in the secret-channel model. We will show how to transform $A_{sc}$ to a comparable scheme which works in the random secret model. The only ingredients of $A_{sc}$ we need to recall are the structure of Alice's secret and of Alice's encoder. The encoding of $M$ into $X$ is very simple: We assume that Alice's message $M$ is a $b \times (n - b)$ matrix over $\mathbb{F}_q$. The matrix $X$ is $M$ concatenated with the $b \times b$ identity matrix, $I$. Namely, $X = [M \; I]$. Alice's secret message is computed in two steps. She first chooses $C$ parity symbols uniformly at random from the field $\mathbb{F}_q$. The parity symbols are labelled $r_d$, for $d \in \{1, \ldots, C\}$. We denote by $R$ the vector of parity symbols. Corresponding to the parity symbols, Alice's parity-check matrix $P$ is defined as the $n \times C$ matrix whose $(i, j)$th entry equals $(r_j)^i$, i.e., $r_j$ taken to the $i$th power. The second part of Alice's secret message is the $b \times C$ hash matrix $H$, computed as the matrix product $X \cdot P$. The secret message sent by Alice to Bob on the secret channel is composed of both $R$ and $H$. As $n \leq C$, we indeed have a secret of at most $C^2 + C$ symbols.

A useful property of $A_{sc}$ Note that the vector $R$ of Alice's secret is already uniform and independent of the message $M$. On the other hand, the hash $H$ is a deterministic function of $R$ and $M$ (given by the equation $H = X \cdot P$).
Our main observation (which we will prove below) is the following: for almost every value of $R$, when $M$ is uniform then $H$ is uniform as well. Furthermore, it is enough that a small chunk of $M$ will be uniform to guarantee the uniformity of $H$. This suggests the following idea: instead of selecting $H$ as a function of Alice's message, we can select both $R$ and $H$ uniformly at random. Later, Alice can tweak the message a bit such that we indeed get $H = X \cdot P$. We continue to formalizing this idea.

3.1 Defining the new scheme $A_{rs}$

We now show how to transform $A_{sc}$ into a scheme $A_{rs}$ with comparable performance in the random secret model. To define the scheme we now define the random secret, Alice's encoder, Bob's decoding, and the coding in internal nodes.

The random secret The secret shared between Alice and Bob is composed of a length-$C$ vector $R$ over $\mathbb{F}_q$ and a $b \times C$ matrix $H$ over $\mathbb{F}_q$. Both are selected uniformly at random (and independently of each other). Even though $R$ and $H$ are selected uniformly, their function in $A_{rs}$ is identical to the function of $R$ and $H$ in $A_{sc}$. We therefore use the same notation as given above. In particular, we refer to $H$ as the hash matrix. The elements of $R$ are referred to as the parity symbols and denoted $r_d$, for $d \in \{1, \ldots, C\}$. Furthermore, we define the corresponding parity-check matrix $P$ as before.

Alice's encoder We allow Alice to encode a slightly shorter input message $M$, assumed to be a $b \times (n - b - C)$ matrix over $\mathbb{F}_q$. Alice encodes $M$ into a $b \times n$ matrix $X = [L \; M \; I]$, where $L$ is a $b \times C$ matrix and $I$ is the $b \times b$ identity matrix. The matrix $L$ is defined (arbitrarily) such that $H = X \cdot P$. We show shortly that this system of linear equations (on the elements of $L$) will have a unique solution with high probability over $H$ and $P$. If this system has no solution or more than a single solution we define $L$ arbitrarily (say, to be the all-zero matrix).
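As an added worked example (not code from the paper), the following Python script implements the $A_{rs}$ encoder over a prime field: it builds the parity-check matrix $P$ from the random secret $R$, splits it as $P = [V; P']$, solves $L = (H - [M \; I] \cdot P') \cdot V^{-1}$ as in the proof of Lemma 3.3, falls back to the all-zero $L$ when $E_{bad}$ makes $V$ singular, and for a small field enumerates every $H$ to confirm the one-to-one correspondence between $H$ and $L$. The field size, dimensions and sample values are constructed for illustration.

```python
import itertools
import random

Q = 101  # constructed field size: Q is prime, so integers mod Q form the field F_q

def mat_mul(A, B, q=Q):
    """Matrix product over F_q (plain lists of lists)."""
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def mat_inv(A, q=Q):
    """Gauss-Jordan inverse over F_q; returns None if A is singular."""
    m = len(A)
    aug = [[x % q for x in row] + [int(i == j) for j in range(m)] for i, row in enumerate(A)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, q)  # modular inverse (Python 3.8+)
        aug[col] = [x * inv % q for x in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % q for x, y in zip(aug[r], aug[col])]
    return [row[m:] for row in aug]

def parity_check_matrix(R, n, q=Q):
    """n x C matrix P whose (i, j) entry is r_j^i, rows indexed 1..n as in the paper."""
    return [[pow(r, i, q) for r in R] for i in range(1, n + 1)]

def e_bad(R):
    """Definition 3.2: some parity symbol is zero, or two parity symbols coincide."""
    return 0 in R or len(set(R)) != len(R)

def alice_encode(M, R, H, q=Q):
    """A_rs encoder: X = [L M I] with L chosen so that H = X * P.
    Returns (X, unique); unique is False when the linear system has no single solution."""
    b, C = len(M), len(R)
    n = C + len(M[0]) + b
    P = parity_check_matrix(R, n, q)
    V, P_rest = P[:C], P[C:]  # P = [V ; P'] with V the C x C Vandermonde part
    MI = [list(row) + [int(i == j) for j in range(b)] for i, row in enumerate(M)]
    V_inv = mat_inv(V, q)
    if V_inv is None:  # E_bad: V singular, so define L arbitrarily (all-zero) as the paper does
        L, unique = [[0] * C for _ in range(b)], False
    else:
        H_prime = mat_mul(MI, P_rest, q)  # H' = [M I] * P'
        diff = [[(h - hp) % q for h, hp in zip(hr, hpr)] for hr, hpr in zip(H, H_prime)]
        L, unique = mat_mul(diff, V_inv, q), True  # L = (H - H') * V^{-1}
    X = [l + mi for l, mi in zip(L, MI)]
    return X, unique

def hash_matrix(X, R, q=Q):
    """H = X * P for an n-column matrix X and secret R."""
    return mat_mul(X, parity_check_matrix(R, len(X[0]), q), q)

def bob_strip(X_bar, b, C):
    """Bob discards the b x C prefix L (and the trailing identity) and outputs M."""
    n = len(X_bar[0])
    return [row[C:n - b] for row in X_bar]

def h_to_l_is_bijection(M, R, q):
    """For a small field, enumerate every H and check that distinct H give distinct L
    and that each resulting X satisfies H = X * P (the content of Lemma 3.3)."""
    b, C = len(M), len(R)
    seen = set()
    for flat in itertools.product(range(q), repeat=b * C):
        H = [list(flat[i * C:(i + 1) * C]) for i in range(b)]
        X, unique = alice_encode(M, R, H, q)
        if not unique or hash_matrix(X, R, q) != H:
            return False
        seen.add(tuple(tuple(row[:C]) for row in X))
    return len(seen) == q ** (b * C)

if __name__ == "__main__":
    random.seed(1)
    b, C, n = 2, 3, 9  # constructed parameters: 2 packets, C = 3, block length 9
    M = [[random.randrange(Q) for _ in range(n - b - C)] for _ in range(b)]
    R = random.sample(range(1, Q), C)  # distinct nonzero parity symbols
    H = [[random.randrange(Q) for _ in range(C)] for _ in range(b)]
    X, unique = alice_encode(M, R, H)
    print("E_bad:", e_bad(R), "unique L:", unique, "H == X*P:", hash_matrix(X, R) == H)
    print("bijection over F_5:", h_to_l_is_bijection([[1, 2]], [1, 2], 5))
```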
Network coding and Bob's decoder Both the network coding and Bob's decoder are defined in the same way as in $A_{sc}$ [12]. Once Bob decodes a matrix $[\bar{L} \; \bar{M}]$, Bob discards the $b \times C$ prefix $\bar{L}$ and outputs $\bar{M}$.

3.2 Properties of $A_{rs}$

We now state and prove the properties of $A_{rs}$ that are almost identical to those of $A_{sc}$:

Theorem 3.1 $A_{rs}$ is a distributed polynomial-time scheme. $A_{rs}$ achieves a rate of $C - z$, in the random-secret model, with code-complexity $O(nC^2)$. The random secret consists of at most $C^2 + C$ symbols.

Proof: We will prove that the probability that Bob decodes correctly in $A_{rs}$ is almost identical to the probability that Bob decodes correctly in $A_{sc}$. The theorem will then follow immediately from the definition of $A_{rs}$ and from Theorem 2.2. We note that even though Alice is able to send to Bob a little bit less information in $A_{rs}$ than in $A_{sc}$ (specifically, Alice sends $b \cdot C$ fewer elements of $\mathbb{F}_q$), the rate in both schemes is identical (as we consider the rate as $n$ goes to infinity).

Let us consider an adversary Calvin that makes $A_{rs}$ fail with probability $\epsilon$. In particular, Calvin may choose a message $M$ for Alice to send s.t. with probability $\epsilon$, Bob reconstructs $\bar{M}$ which is different than $M$. We will define an adversary Calvin' that makes $A_{sc}$ fail with probability $\epsilon' \geq \epsilon - C^2/q$. This will conclude our proof. Calvin' is defined as follows. First Calvin' imitates the message selection of Calvin (namely, Calvin' uses the message $M'$ Calvin would have chosen given the topology and the code of the network). If Calvin sets Alice's input to the message $M$ then Calvin' sets Alice's input to $M' = [L \; M]$, where $L$ is a uniformly chosen $b \times C$ matrix. Then Calvin' continues to mimic Calvin, and behaves identically (in particular Calvin' sends the same messages as Calvin would on the same corrupted links).
As we see, Calvin' tries to fail $A_{sc}$ by mimicking an attack of Calvin on the execution of $A_{rs}$. The success of Calvin's attack on the execution of $A_{rs}$ depends both on the message $X = [L \; M \; I]$ transmitted by Alice and on the secret information $R, H$ shared by Alice and Bob. Let $D$ be the distribution over triplets $(R, H, L)$ obtained when $R$ and $H$ are selected uniformly at random (and independently of each other) and the matrix $L$ is defined to satisfy $H = X \cdot P$ if a single such $L$ exists, and is defined to be the all-zero matrix otherwise. Let $A$ be the set of triplets $(R, H, L)$ on which Calvin's attack succeeds (here we are assuming Calvin to be a deterministic adversary; however, our analysis extends naturally to the case in which Calvin may act based on random decisions also). Namely, the success probability of Calvin can be formalized as $\Pr[A]$, where the probability is over the distribution $D$.

Now consider the success probability of Calvin' on $A_{sc}$ averaged over messages of the form $M' = [L \; M]$ (where $L$ is chosen at random). As before this probability depends on the message $X = [L \; M \; I]$ sent by Alice and on the information $R, H$ shared by Alice and Bob. Let $D'$ be the distribution over triplets $(R, H, L)$ obtained when $R$ and $L$ are selected uniformly at random (and independently of each other) and $H$ is defined to be $X \cdot P$. Recall that Calvin' mimics the behavior of Calvin, thus Calvin' succeeds on the triplet $(R, H, L)$ iff Calvin succeeds on $(R, H, L)$. Hence, the average success probability of Calvin' over messages of the form $M' = [L \; M]$ can be formalized as $\Pr[A]$, where the probability is now over $D'$. Notice that the subset $A$ of triplets $(R, H, L)$ is the set used above in the discussion on $A_{rs}$. In what follows we show that $D$ and $D'$ are almost identical. This will suffice to prove our assertion.
Definition 3.2 The event $E_{bad}$ on $R$ happens either if one of the parity symbols is selected to be zero or if any two of the parity symbols are identical. In other words, $E_{bad}$ happens if there exists $d \in \{1, \ldots, C\}$ such that $r_d = 0$, or if for two distinct $d, d' \in \{1, \ldots, C\}$, we have that $r_d = r_{d'}$.

Note that $E_{bad}$ is defined both for $D$ and for $D'$. In both cases, $R$ is uniformly distributed. Therefore $\Pr_D[E_{bad}] = \Pr_{D'}[E_{bad}]$. Furthermore, it is easy to argue that this probability is at most $C^2/q$ (simply, each of the $C$ parity symbols is zero or identical to a previously selected parity symbol with probability at most $C/q$). We are now able to formalize our main observation:

Lemma 3.3 Conditioned on $E_{bad}$ not happening, the two distributions $D$ and $D'$ are identical.

Proof: (of lemma) Let us fix any value of $M$. Let us also fix any value of $R$ such that $E_{bad}$ does not happen. We will show that conditioned on every such fixing, the distributions $D$ and $D'$ are identical. Let us decompose the $n \times C$ parity-check matrix $P$ into a $C \times C$ matrix $V$ and an $(n - C) \times C$ matrix $P'$, such that $P = \begin{bmatrix} V \\ P' \end{bmatrix}$. By the definition of $P$, the matrix $V$ is the Vandermonde matrix that corresponds to the parity symbols in $R$. Since we assumed that $E_{bad}$ does not happen, we have that the parity symbols are all distinct and nonzero. Therefore $V$ is invertible. With this notation, we can rewrite the equation $H = X \cdot P$ as follows:
$$H = [L \; M \; I] \cdot \begin{bmatrix} V \\ P' \end{bmatrix} = L \cdot V + [M \; I] \cdot P'.$$
Since we already fixed $M$ and $R$, we have that $[M \; I] \cdot P'$ is a fixed matrix, which we will denote as $H'$. We also have that $V$ is a fixed invertible matrix. We denote by $V^{-1}$ its inverse. Now we have that $H = L \cdot V + H'$, or alternatively that $L = (H - H') \cdot V^{-1}$. We can conclude that for every value of $H$ there is exactly one value of $L$ for which $H = X \cdot P$.
We therefore have that the equation $H = X \cdot P$ forces a one-to-one correspondence between the values of $L$ and the values of $H$. Therefore, the uniform distribution over $L$ induces the uniform distribution over $H$, and vice versa. The lemma follows.

Recall that we defined $A$ to be the set of triplets $(R, H, L)$ on which Calvin's attack succeeds. It follows from the lemma that, conditioned on $E_{bad}$ not happening, $\Pr[A]$ is identical under $D$ and $D'$. Since we already argued that $\Pr_D[E_{bad}] = \Pr_{D'}[E_{bad}] \le C^2/q$, we can conclude that the probability that $E_{bad}$ does not happen and $A$ does happen is at least $\epsilon - C^2/q$ (regardless of whether the probability is taken over $D$ or $D'$). We can finally conclude that Calvin' succeeds in failing $A_{sc}$ with probability at least $\epsilon - C^2/q$.

The case of multicast. In the above description of $A_{rs}$, we considered for simplicity the case of a single Bob. In the setting of multicast, there are two possible scenarios. First, it may be the case that Alice and each of the Bobs share the same random secret. $A_{rs}$ extends to this scenario with no change (simply because $A_{rs}$ completely ignores the location of Bob in the network). We now address the more general scenario, where Alice may share a different secret with each one of the Bobs. Our main observation is that almost all of the information Alice transmits (the matrix $X$) is independent of the random secret. The only part of $X$ that does depend on the secret is the matrix $L$. This matrix is rather small and its size is independent of the block length $n$. Therefore, to extend $A_{rs}$ to the setting of multicast, all we need to do is to have Alice send a different matrix $L_i$ for each of the secrets she shares. Since the number of Bobs is bounded by the size of the graph, this only results in negligible rate loss.
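Before moving on to the multicast decoding step, here is a worked check of Lemma 3.3 in Python. This is an added example and not code from the paper. It assumes a prime field GF(q), a Vandermonde block $V$ with entries $r_d^{\,j+1}$ (the paper's exact layout of $P$ is given in its Section 2, which is not reproduced here), and $b \times C$ matrices $L$, $H$, $H'$. It builds $V$ from the parity symbols in $R$, shows that $V$ is singular exactly when $E_{bad}$ happens, recovers the unique $L = (H - H') \cdot V^{-1}$ of the proof by a round trip $L \to H \to L$, and estimates $\Pr[E_{bad}]$ against the $C^2/q$ bound.

```python
"""Worked check of Lemma 3.3 over the prime field GF(q) (added example, not
code from the paper).  Assumptions of this illustration: q is prime, the
Vandermonde block V of the parity-check matrix has entries V[j][d] = r_d^(j+1)
for the C parity symbols r_1..r_C in R, and L, H, H' are b x C matrices."""
import random


def vandermonde(parity, q):
    """C x C block V with V[j][d] = r_d^(j+1); invertible iff the r_d are
    distinct and nonzero, i.e. iff E_bad does not happen."""
    C = len(parity)
    return [[pow(r, j + 1, q) for r in parity] for j in range(C)]


def e_bad(parity):
    """Definition 3.2: some r_d = 0, or two parity symbols collide."""
    return 0 in parity or len(set(parity)) < len(parity)


def mat_mul(A, B, q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]


def mat_add(A, B, q, sign=1):
    return [[(a + sign * b) % q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mat_inv(A, q):
    """Gauss-Jordan inverse over GF(q); returns None if A is singular."""
    n = len(A)
    M = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % q), None)
        if piv is None:
            return None                      # no pivot: rank-deficient
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)        # field inverse of the pivot
        M[col] = [x * inv % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] % q:
                f = M[r][col]
                M[r] = [(a - f * b) % q for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def h_from_l(L, Hprime, V, q):
    """The proof's identity H = L*V + H' (H' = [M I]*P' is fixed once M, R are)."""
    return mat_add(mat_mul(L, V, q), Hprime, q)


def l_from_h(H, Hprime, V, q):
    """The unique L with H = X*P, namely L = (H - H')*V^{-1}; None if V is singular."""
    Vinv = mat_inv(V, q)
    if Vinv is None:
        return None
    return mat_mul(mat_add(H, Hprime, q, sign=-1), Vinv, q)


def bijection_holds(L, Hprime, parity, q):
    """Round trip L -> H -> L: the one-to-one correspondence of the lemma."""
    V = vandermonde(parity, q)
    return l_from_h(h_from_l(L, Hprime, V, q), Hprime, V, q) == [list(r) for r in L]


def estimate_e_bad(C, q, trials, seed=0):
    """Empirical Pr[E_bad] for uniform R, to compare with the C^2/q bound."""
    rng = random.Random(seed)
    hits = sum(e_bad([rng.randrange(q) for _ in range(C)]) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    q, C, b = 257, 4, 2
    rng = random.Random(1)
    L = [[rng.randrange(q) for _ in range(C)] for _ in range(b)]
    Hp = [[rng.randrange(q) for _ in range(C)] for _ in range(b)]
    print("bijection on good R:", bijection_holds(L, Hp, [3, 5, 7, 11], q))
    print("V singular on bad R:", mat_inv(vandermonde([3, 3, 5, 7], q), q) is None)
    print("Pr[E_bad] ~", estimate_e_bad(C, q, 4000), "<= bound", C * C / q)
```

The point the code makes concrete is the one the proof relies on: once $M$ and $R$ are fixed, $H'$ is a constant and $V$ is a fixed invertible matrix, so uniform $L$ gives uniform $H$ and the two distributions $D$ and $D'$ coincide. When a parity symbol is zero or repeated, `mat_inv` returns `None`, which is exactly the $E_{bad}$ case the lemma conditions away.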
To decode, each one of the Bobs ignores the communication which relates to other secrets and only keeps the communication related to his $L_i$. Bob then decodes exactly as in $A_{rs}$. It remains to argue that with high probability each one of the Bobs will decode Alice's message $M$ correctly. Let us consider Calvin's attempt to fail the receiver Bob whose secret corresponds to the matrix $L_i$. Our previous analysis implies that each one of the matrices $L_j$ for $j \ne i$ is with high probability uniform and independent of both $L_i$ and $M$. Therefore, these additional matrices cannot assist Calvin in the attempt to fail this particular Bob. We conclude that each of the receivers will decode correctly with high probability, and therefore all of them are likely to decode correctly.

Remark 3.4 In the above we assumed that the secret shared between Alice and each receiver Bob includes the index $i$ such that $L_i$ corresponds to their shared secret. It is possible to avoid this assumption as follows: (1) Let the random secret between Alice and Bob also contain a random (almost pairwise-independent) hash function $g_i$. Alice augments the message $M$ with $g_i(M)$ for all of those hash functions $g_i$. (2) Continue as before and have Bob decode according to each of the $L_j$'s (as now we assume that Bob does not know the $i$ such that $L_i$ corresponds to his secret). Some of these decodings may result in $\bar{M} \ne M$. But with very high probability none of the erroneous decodings will be authenticated by a correct hash $g_i(\bar{M})$ (as for every $M$ and $\bar{M} \ne M$ we have that $g_i(\bar{M})$ is almost uniform and independent of $g_i(M)$).

4 Causal-Omniscient Model

Recall that in our model of communication, the columns of the matrix $X$ (namely, each slice of information from $X$) are encoded independently over time.
Given the network's latencies (the number of steps it takes for a message to traverse the network), we have that while an internal node $v$ sends messages that correspond to the $t$-th column of $X$, Alice may already be sending messages that correspond to a column $t' > t$. Therefore, in the model in which Calvin can eavesdrop on all links, he inherently has a "peek into the future". Namely, when sending messages which correspond to the $t$-th column of $X$, we assume that Calvin knows all the columns of $X$ up to column $t + \Delta$, where $\Delta$ is some fixed parameter of the network. It is not hard to verify that $\Delta$ is at most the size of the edge set $E$. However, it may be the case that Calvin does not necessarily know any later columns of $X$. This motivates the definition of the Causal-Omniscient model.

In the Causal-Omniscient model, Calvin has unlimited computational power. He has under his control $z$ network links of his choice. On these links Calvin may inject his own packets, disguised as part of the information flow from Alice to Bob. We do not assume that Alice, Bob or any internal nodes are aware of the links under Calvin's control. On the other hand, Calvin has full knowledge of the network topology as well as the identity of Alice and Bob. Calvin has full eavesdropping capabilities (i.e., Calvin can monitor the entire communication on each one of the links). Calvin knows the encoding and decoding schemes of Alice and Bob, and the network code implemented by the internal nodes (including the random linear coefficients). Furthermore, we assume that Calvin knows which message $M$ Alice is sending to Bob. The only limitation on Calvin is the following: while Calvin is allowed access to the internal state and randomness of all other parties, he does not get such access to Alice's state and randomness. Note that such a limitation is implicit in all other limited adversarial models considered here and in [12] (see Footnote 2).
The desired implication of this limitation for the Causal-Omniscient model is the following: let $\Delta$ be a fixed parameter of the network that specifies a bound on the latency of the network. By the discussion above, if Calvin's messages correspond to columns of $X$ up to its $t$-th column, then we assume that all columns beyond column number $t + \Delta$ are hidden from Calvin.

Footnote 2: For example, in the random-secret model, one has to hide the secret key, which is expressed in various computations of both Alice and Bob.

4.1 The scheme $A_{co}$

We now define the scheme $A_{co}$ for the Causal-Omniscient model. The scheme is obtained by a completely modular composition of two schemes: a scheme $A_{sc}$ in the secret-channel model, and a scheme $A_{omn}$ in the omniscient-adversary model. See more details on the schemes in Section 2. The idea of the composition is simple: first Alice, Bob (and the network) execute $A_{sc}$ with Alice's input $M$, but without Alice sending the message on the secret channel (simply because a secret channel is not available in this model). Unfortunately, without the secret message, Bob cannot decode $M$ correctly yet. Therefore, to transmit this secret information, we suggest that Alice and Bob execute $A_{omn}$ with the secret message as Alice's new input. Unfortunately, $A_{omn}$ may reveal the secret message to Calvin as well. Our simple observation is that as long as the secret message is revealed after the execution of $A_{sc}$ ends, it is too late for Calvin to cause any harm. Therefore, all that we need (so that $A_{co}$ works) is for Alice to send $\Delta$ "garbage" columns between the executions of $A_{sc}$ and of $A_{omn}$. We turn to a formal definition of $A_{co}$:

Alice's encoder. Alice invokes the encoding and secret-generating algorithms of $A_{sc}$ on her input $M$. Denote by $X_M$ the output of the encoding and by $S$ the message to be sent on the secret channel.
Now Alice invokes an independent execution of the encoding algorithm of $A_{omn}$ on $S$ as input. Denote by $X_S$ the output of the encoding. For reasons that will be made clear shortly, Alice encodes a secret $S$ such that $X_S$ will be of block length $n_S = (n/C)^{1/3}$ (here $n$ is the block length of our scheme and $C$ is the capacity). Recall that the size of $S$ (and thus the block length of $X_S$) in the secret-channel scheme is independent of $n$ and significantly smaller than $n_S$. Hence, such a blowup in the size of $X_S$ can be obtained, for example, by an arbitrary padding of $S$ with irrelevant information. As we will see, this blowup will enable our scheme to have a low probability of error (without significantly increasing the code complexity). As $n_S$ is much smaller than $n$, our rate remains optimal. Alice's encoder now outputs $X = [X_M\ 0\ X_S]$, where $0$ denotes the zero matrix with $\Delta$ columns.

Network coding. As in $A_{sc}$ and $A_{omn}$, the network coding is the standard random linear coding of [8].

Bob's decoding. Bob first uses the decoder of $A_{omn}$ on the suffix of the communication (which corresponds to the columns of $X_S$). Denote by $\bar{S}$ the decoded message. Bob now applies the decoder of $A_{sc}$ on the prefix of the communication (which corresponds to the columns of $X_M$), with the (relevant parts of the) secret message set to $\bar{S}$. Bob outputs the decoded message, which we denote by $\bar{M}$.

4.2 Properties of $A_{co}$

We state the parameters obtained by $A_{co}$ in the following theorem.

Theorem 4.1 $A_{co}$ is a distributed polynomial-time scheme. $A_{co}$ achieves a rate of $C - z$, as long as $C > 2z$, in the Causal-Omniscient model, with code complexity $O(nC^2)$.

Proof: Most of the properties of $A_{co}$ follow from the related properties of $A_{sc}$ and $A_{omn}$, as given by Theorems 2.2 and 2.1. The restriction that $C > 2z$ guarantees positive rate for $A_{omn}$ (as the rate of $A_{omn}$ is $C - 2z$).
Other than that, $A_{co}$ inherits its rate from $A_{sc}$. There is some loss of rate in $A_{co}$ (compared with $A_{sc}$) due to the communication related to the zero columns and to $X_S$. Nevertheless, this loss is negligible as $n$ tends to infinity. The choice of $n_S$ (the block length of $X_S$) guarantees that the code complexity due to both building blocks ($A_{sc}$ and $A_{omn}$) will equal $O(nC^2)$. It remains to bound the error probability $\epsilon$ of $A_{co}$. Obviously, $\epsilon \le \epsilon_1 + \epsilon_2$, where $\epsilon_1$ is the probability that $\bar{S} \ne S$ while $\epsilon_2$ is the probability that $\bar{S} = S$ but $\bar{M} \ne M$. Clearly, $\epsilon_1$ is bounded by the error probability of $A_{omn}$ when applied to messages of block length $n_S$ that correspond to $X_S$. In [12] this error is shown to vanish as the block length tends to infinity (note that when $n$ tends to infinity so does $n_S = (n/C)^{1/3}$). To bound $\epsilon_2$, notice that, because of the $\Delta$ zero columns separating $X_M$ from $X_S$, Calvin does not get access to $X_S$ until he is done corrupting $X_M$. Thus $\epsilon_2$ is bounded by the error probability of $A_{sc}$ when applied to messages of the block length that corresponds to $X_M$. As the block length of $X_M$ is proportional to $n$, we conclude our assertion.

Remark 4.2 While we described $A_{co}$ for the case of a single Bob, it also applies with no change to the setting of multicast (simply because $A_{co}$ completely ignores the location of Bob in the network, and there is nothing that distinguishes one Bob from the other).

5 Computationally-Bounded Adversary Model

In this section we consider a limitation of a different flavor on the strength of the adversary Calvin. Namely, we assume that Calvin is computationally bounded. Assuming so allows us to employ powerful cryptographic tools. The two results in this section correspond to cryptographic tools that are applicable in two different settings: (1) symmetric-key cryptography (discussed in Section 5.1), and (2) public-key cryptography (discussed in Section 5.2).
As is common in the study of cryptographic primitives, both our results are conditional, in the sense that they hold assuming that certain cryptographic primitives exist (such as the assumption that factoring is hard). Note that apart from the computational limitations on Calvin, his powers are intact. In particular, Calvin has full eavesdropping capabilities and has full knowledge of the network topology as well as the identity of Alice and Bob. Calvin knows the encoding and decoding schemes of Alice and Bob, and the network code implemented by the internal nodes (including the random linear coefficients).

5.1 Symmetric-key cryptography

Recall our scheme $A_{rs}$ in the random-secret model. Assuming that Alice and Bob share a short random secret, this scheme allows them to communicate a significant amount of information, which is specified by the block length $n$. Unfortunately, Bob will only be able to decode Alice's message after receiving the entire block of communication. Therefore, it is natural to assume that at every time slot (e.g., every hour or every day, depending on the rate of communication), Alice and Bob would like to terminate the previous execution of $A_{rs}$ and to start a new execution. Let $S_1, S_2, \ldots, S_\ell$ be the sequence of secrets used in these executions. In general, the secrets should be independent of each other, which implies that Alice and Bob may need to share a long secret if they communicate over a long period of time. In the Computationally-Bounded Adversary model, Alice and Bob can execute $A_{rs}$ many times while still only exchanging a short random string $s$. For that purpose, Alice and Bob may use a pseudorandom generator. For a definition and thorough discussion of pseudorandom generators see [5].
Essentially, an efficiently computable function $G$ is a pseudorandom generator if (1) $G$ is length increasing (i.e., for every input its output is longer than its input) and (2) $G(x)$ is computationally indistinguishable from a uniform string, as long as $x$ is uniformly distributed. In other words, $G(x)$ is effectively random. It is known that the existence of pseudorandom generators is essentially the minimal cryptographic assumption (as it is equivalent to the assumption that one-way functions exist). A pseudorandom generator that expands the length of its input implies a pseudorandom generator with arbitrary polynomial expansion (again, the reader is referred to [5] for a detailed discussion and references therein). The relation to our context is now simple: Alice and Bob can exchange a single short secret key $s$ prior to the communication process. Applying a pseudorandom generator to this single key, they can obtain many pseudorandom keys $G(s) = S_1, S_2, \ldots, S_\ell$ to be used in repeated executions of $A_{rs}$ (in fact, $\ell$ need not be known in advance, as it is possible to keep on expanding $G$'s output on the fly). The proof that such repeated executions of $A_{rs}$ are still secure is rather immediate from the definition of a pseudorandom generator and we therefore only sketch it here. For any $i$, if $S_i$ is truly random, Calvin succeeds in failing the execution of $A_{rs}$ only with very small probability. Assume for the sake of contradiction that this is not the case when $S_i$ is taken from the output of $G$. This gives a way to distinguish the output of $G$ from random. The distinguisher simply simulates the repeated execution of $A_{rs}$ (playing the roles of Alice, Bob, the internal nodes, and Calvin). Now if Calvin succeeds, then the distinguisher can deduce with non-negligible probability that $S_i$ is not truly random.
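As an added example (not code from the paper) of the key-expansion step just described, the following Python instantiates $G$ with counter-mode HMAC-SHA256 from the standard library, a standard pseudorandom-function construction; the label string, the 8-byte epoch counter and the `Party` helper are my own choices and not part of the paper's scheme. Alice and Bob each hold only the short seed $s$, derive $S_i$ on demand, and rotate to $S_{i+1}$ at each new time slot; $\ell$ is never fixed in advance.

```python
"""Added example (not from the paper): expanding one short shared key s into
per-execution keys S_1, S_2, ... for repeated runs of A_rs.

Assumptions of this illustration: the PRG G is instantiated with counter-mode
HMAC-SHA256 (a PRF used as a PRG), each S_i is key_len bytes, and a label
string domain-separates these keys from any other use of s."""
import hashlib
import hmac
from typing import Iterator

LABEL = b"A_rs-epoch-key"          # my choice; any fixed context string works
MIN_SEED_BYTES = 16                # s must be a uniform 128-bit (or longer) string


def derive_epoch_key(seed: bytes, i: int, key_len: int) -> bytes:
    """S_i = first key_len bytes of HMAC(s, LABEL||i||0) || HMAC(s, LABEL||i||1) || ...
    Random access by epoch number i (1-based), so a late joiner needs no history."""
    if len(seed) < MIN_SEED_BYTES:
        raise ValueError("seed too short to be a meaningful PRG input")
    if i < 1:
        raise ValueError("epochs are numbered from 1")
    out = b""
    ctr = 0
    while len(out) < key_len:
        msg = LABEL + i.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(seed, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:key_len]


def prg_stream(seed: bytes, key_len: int) -> Iterator[bytes]:
    """G(s) = S_1, S_2, ... produced on the fly; ell is never fixed in advance."""
    i = 1
    while True:
        yield derive_epoch_key(seed, i, key_len)
        i += 1


class Party:
    """Alice or Bob: holds only s, and rotates to the next S_i at each time slot."""

    def __init__(self, seed: bytes, key_len: int):
        self._keys = prg_stream(seed, key_len)
        self.epoch = 0
        self.current = None

    def rotate(self) -> bytes:
        """Terminate the previous A_rs execution and start a new one under S_{epoch+1}."""
        self.current = next(self._keys)
        self.epoch += 1
        return self.current


def both_sides_agree(seed: bytes, key_len: int, epochs: int) -> bool:
    """Alice and Bob derive identical, pairwise distinct keys from the same s."""
    alice, bob = Party(seed, key_len), Party(seed, key_len)
    keys = []
    for _ in range(epochs):
        a, b = alice.rotate(), bob.rotate()
        if a != b:
            return False
        keys.append(a)
    return len(set(keys)) == epochs


if __name__ == "__main__":
    # constructed demo seed; a real s comes from a CSPRNG and is exchanged once
    s = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
    print("S_1 =", derive_epoch_key(s, 1, 32).hex())
    print("S_2 =", derive_epoch_key(s, 2, 32).hex())
    print("Alice and Bob agree over 100 epochs:", both_sides_agree(s, 32, 100))
```

The derivation is deterministic, so both sides compute the same $S_i$ without any further exchange, and a receiver that starts at epoch $i$ can compute $S_i$ directly with `derive_epoch_key`. The seed must itself be uniform and at least 128 bits, and no $S_i$ should be reused for two executions. HMAC in counter mode is a PRF-based stand-in for the abstract $G$: its security rests on HMAC-SHA256 being a PRF, not on the minimal one-way-function assumption the text mentions.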
Remark 5.1 As discussed in Section 3, the scheme $A_{rs}$ can be extended to the case of multicast. The idea described here, of replacing the random keys in multiple executions of $A_{rs}$ with pseudorandom keys, applies in the setting of multicast as well (in that setting, Alice and each one of the Bobs will share a short key that will be expanded to many pseudorandom keys using the pseudorandom generator).

5.2 Public-key cryptography

A disadvantage of the scheme $A_{rs}$ is that Alice and Bob need to share a common key. In this section we relax this setup requirement and only ask that Bob hold a pair of keys: a private key (known only to himself) and a public key (known to all, including Calvin). In such a setup, without Alice and Bob ever meeting or exchanging private information, we are able to give a network-coding scheme, $A_{pk}$, against a computationally-bounded Calvin, with very similar parameters to those of $A_{co}$ (which was given in the Causal-Omniscient model).

5.3 The scheme $A_{pk}$

We present a network-coding scheme, $A_{pk}$, for the public-key model, that is very similar to our scheme for the Causal-Omniscient model. Again, we compose two schemes: a scheme $A_{sc}$ in the secret-channel model, and a scheme $A_{omn}$ in the omniscient-adversary model. (See more details on the schemes in Section 2.) Alice, Bob (and the network) execute $A_{sc}$ with Alice's input $M$, but without Alice sending the secret message $S$ on the secret channel (simply because a secret channel is not available in this model). We would like to execute $A_{omn}$ with $S$ as Alice's new input. Unfortunately, as in this model all of the information sent by Alice (i.e., the matrix $X$ in its entirety) is known to Calvin from the start, $S$ will be available to Calvin during the execution of $A_{sc}$ and the scheme may fail.
The solution is simple: instead of sending $S$, Alice will first encrypt $S$ using Bob's public key, and send the encryption to Bob using $A_{omn}$. We now describe our scheme and proof in more detail.

Public-key encryption. A central ingredient in building $A_{pk}$ is a public-key encryption (PKE) scheme. For a thorough discussion of public-key encryption see [6]. We describe here the relevant definitions for completeness. A PKE scheme gives a way for two parties to communicate securely even though they did not previously meet and exchange secrets. The scheme is composed of three probabilistic polynomial-time algorithms: the key-generating algorithm $Gen$ and the encryption and decryption algorithms $Enc$ and $Dec$. (1) The input of $Gen$ is the security parameter $k$ (we will shortly discuss the role of $k$), and its output is a pair of keys: the secret key $sk$ and the public key $pk$ (both are of length polynomial in $k$). (2) The public key $pk$ (which is known to everyone) is used for encryption. The encryption of a message $m$ is a ciphertext $y = Enc(pk, m)$. The plaintext $m$ may be of arbitrary length and the length of $y$ is polynomial in the length of $m$ and in $k$. (3) The secret key $sk$ allows decryption. For every $y$ as above we have that $Dec(sk, y) = m$. The security requirement from a PKE scheme is that a ciphertext $y$ gives no information on the plaintext $m$ to a computationally bounded adversary. More formally, we will use a PKE scheme which is semantically secure against chosen-plaintext attack (CPA) [7] (see Footnote 3). There are various equivalent formalizations of this security requirement, and the one that seems most convenient for us is based on the notion of indistinguishability. Loosely, this means that no efficient adversary $Adv$ can distinguish an encryption of a message $m_0$ from an encryption of a message $m_1$ (where $Adv$ is also allowed to select $m_0$ and $m_1$).
In other words, given an encryption $y = Enc(pk, m_\sigma)$, where $\sigma$ is a uniformly selected bit, an adversary cannot guess $\sigma$ with probability significantly better than one half. This is exactly where the security parameter $k$ comes into play: the advantage over one half of the adversary in guessing $\sigma$ is smaller than $1/poly(k)$ for every polynomial $poly$ (under stronger assumptions we may require the advantage to be exponentially small in $k$). We are now ready to define $A_{pk}$ formally.

Security parameter. In this model, the network-coding scheme is defined per security parameter $k$. This parameter should be chosen so as to make the encryption scheme $\langle Gen, Enc, Dec \rangle$ secure enough. As the errors we seek are of the order of $1/n$, it is enough to take $k < n^{\alpha}$ for some small constant $\alpha > 0$ (under stronger assumptions, $k$ may even be logarithmic in $n$). This will imply that all the ciphertexts used in our scheme are of negligible length compared with $n$ (e.g., smaller than $n^{\alpha'}$ for any $\alpha' > 0$ of our choosing).

Bob's keys. Bob runs $Gen$ and gets as output the pair $(sk, pk)$. Bob publishes $pk$ as his public key and saves his secret key $sk$.

Alice's encoder. Alice invokes the encoding and secret-generating algorithms of $A_{sc}$ on her input $M$. Denote by $X_M$ the output of the encoding and by $S$ the message to be sent on the secret channel. Alice invokes $Enc(pk, S)$ and gets as output $Y$. Now Alice invokes (using fresh randomness) the encoding algorithm of $A_{omn}$ on $Y$ as input. Denote by $X_S$ the output of the encoding. Alice now outputs $X = [X_M\ X_S]$. As in Section 4, we will pad $X_S$ if necessary to ensure that it has block length $n_S = (n/C)^{1/3}$.

Network coding. As in $A_{sc}$ and $A_{omn}$, the network coding is the standard random linear coding.

Bob's decoding. Bob first uses the decoder of $A_{omn}$ on the suffix of the communication (which corresponds to the columns of $X_S$). Denote by $\bar{Y}$ the decoded message.
Bob invokes $Dec(sk, \bar{Y})$ and receives $\bar{S}$ as output. Bob now applies the decoder of $A_{sc}$ on the prefix of the communication (which corresponds to the columns of $X_M$), with the secret message set to $\bar{S}$. Bob outputs the decoded message, which we denote by $\bar{M}$.

Footnote 3: In Remark 5.3 we note that in some cases one may choose to require security against chosen-ciphertext attack (CCA security).

5.4 Properties of $A_{pk}$

We state the parameters obtained by $A_{pk}$ in the following theorem.

Theorem 5.2 $A_{pk}$ is a distributed polynomial-time scheme. $A_{pk}$ achieves a rate of $C - z$, as long as $C > 2z$, in the public-key model, with code complexity $O(nC^2)$.

Proof: Similar to the proof of Theorem 4.1, most of the properties of $A_{pk}$ follow from the related properties of $A_{sc}$ and $A_{omn}$, as given by Theorems 2.2 and 2.1. It remains to bound the error probability $\epsilon$ of $A_{pk}$. Obviously, $\epsilon \le \epsilon_1 + \epsilon_2$, where $\epsilon_1$ is the probability that $\bar{Y} \ne Y$ while $\epsilon_2$ is the probability that $\bar{Y} = Y$ but $\bar{M} \ne M$. As in the proof of Theorem 4.1, it is not hard to argue that $\epsilon_1$ is bounded by the error probability of $A_{omn}$ (when applied to messages of block length $n_S$). We would now like to argue that $\epsilon_2$ is bounded by the error probability of $A_{sc}$ (when applied to messages of the block length corresponding to $X_M$). This will turn out to be correct up to a negligible additional error (which relates to the security property of the PKE scheme). To bound $\epsilon_2$ we must argue that Calvin cannot use the encryption $Y$ of $S$ to increase his probability of corrupting the communication between Alice and Bob. Intuitively, this is clear, as the encryption hides $S$ from a computationally bounded Calvin. However, to prove our argument formally, we need to present our claim under the sole assumption that our encryption is secure against a chosen-plaintext attack.
To this end, we condition on the event that $\bar{Y} = Y$ (and hence Bob knows $S$) and show that a successful Calvin in our setting implies a successful Calvin in an imaginary setting in which Bob is given $S$ (e.g., via a side channel) and the value of $X_S$ transmitted over the network is the encoding of an all-zero message. This in turn implies that Calvin can corrupt the original secret-channel protocol $A_{sc}$ of [12], a contradiction. We now sketch the details. Let Calvin be an adversary that causes $\bar{Y} = Y$ and $\bar{M} \ne M$ in an execution of $A_{pk}$ with probability $\epsilon_2$. As a mental experiment, assume that Bob's decoder receives $S$ as an additional input. Bob can then ignore $\bar{Y}$ and simply invoke the decoder of $A_{sc}$. In this experiment we have that the probability that Calvin manages to cause $\bar{Y} = Y$ but $\bar{M} \ne M$ is still $\epsilon_2$. This follows immediately from the properties of a PKE scheme (as if $\bar{Y} = Y$ we also have that $\bar{S} = S$). Further revising this mental experiment, let us now assume that Alice defines $Y$ as the encryption of the zero message (or any other fixed message), rather than the encryption of $S$. It is not hard to argue that in this case the probability that Calvin causes $\bar{M} \ne M$ is at least $\epsilon_2 - neg(k)$, where $neg(\cdot)$ is some negligible function (that is, asymptotically smaller than $1/poly(\cdot)$ for every polynomial $poly(\cdot)$). If this is not the case, then we can easily devise an adversary $Adv$ that breaks the security of the PKE scheme. $Adv$ will simulate all parties of the network-coding scheme (Alice, Bob, Calvin and the internal nodes). When Alice generates $S$, $Adv$ will set $m_1 = S$ and will set $m_0$ to be the all-zero message. $Adv$ then receives $y$, which is an encryption of one of these messages. $Adv$ can now continue the simulation of the network-coding scheme with $Y = y$.
Finally, when the simulation is over, $Adv$ will output one if $\bar{M} \ne M$ and zero otherwise. Summing up, we have an adversary Calvin that causes $\bar{M} \ne M$ with probability $\epsilon'_2 = \epsilon_2 - neg(k)$ in the revised mental experiment based on $A_{pk}$. Note that in this mental experiment $X_S$ is completely independent of $S$. Therefore, it is possible to define an adversary Calvin' that fails $A_{sc}$ with probability $\epsilon'_2$ by simulating the attack of Calvin in the setting of the mental experiment. The theorem therefore follows.

Remark 5.3 In the definition of $A_{pk}$ we used a PKE scheme which is secure against a chosen-plaintext attack. We proved that one invocation of $A_{pk}$ works when the public key is only used for this invocation. In case the same public key is used many times, and especially if it is used for messages sent from different senders, it may be safer to use a PKE scheme that is secure against a chosen-ciphertext attack (see [6] for more information).

The case of multicast. In the above description of $A_{pk}$, we considered for simplicity the case of a single Bob. The scheme can be extended to the setting of multicast, in a similar manner to the extension of $A_{rs}$ to multicast (see the discussion in Section 3). In fact, the extension is a bit simpler than in the case of $A_{rs}$, as we describe now. We assume that the $i$-th receiver knows a pair consisting of a secret key $sk_i$ and a public key $pk_i$. The public key is known to everyone, including Alice. Now, for every $i$, Alice will transmit (using $A_{omn}$) the pair $(pk_i, Y_i)$, where $Y_i = Enc(pk_i, S)$ (recall that in the basic scheme, Alice transmits a single $Y$). Based on the properties of $A_{omn}$, we can assume that each of the Bobs correctly retrieves all of the pairs. The $i$-th receiver can decrypt $Y_i$ (which corresponds to its public key $pk_i$) and continue the decoding of $M$ as in the basic scheme.
To argue that with high probability each one of the Bobs will decode Alice's message $M$ correctly, we note that the concatenation of all the different encryptions of $S$ still does not reveal any information on $S$ to a computationally bounded Calvin.

6 Conclusions

In this paper we have introduced three adversarial models and have argued that (1) the models may be realistic, and (2) the models are useful in the sense that they allow non-trivial improvements in the parameters of network-coding schemes. We feel that this calls for more attention to the assumptions regarding adversarial limitations and setup assumptions that apply in "real life" scenarios. Are the models suggested here indeed applicable? Are there any other realistic and useful models to consider?

References

[1] R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung. Network Information Flow. IEEE Transactions on Information Theory, 46(4):1204–1216, 2000.
[2] N. Cai and R. W. Yeung. Network error correction, Part 2: Lower bounds. Communications in Information and Systems, 6(1):37–54, 2006.
[3] D. Charles, K. Jain, and K. Lauter. Signatures for network coding. In Proceedings of the Fortieth Annual Conference on Information Sciences and Systems, Princeton, NJ, USA, 2006.
[4] C. Gkantsidis and P. Rodriguez. Cooperative security for network coding file distribution. In Proceedings of the IEEE Conference on Computer Communications (INFOCOM), Barcelona, April 2006.
[5] O. Goldreich. Foundations of Cryptography: Basic Tools. Cambridge University Press, New York, NY, USA, 2000.
[6] O. Goldreich. Foundations of Cryptography: Volume 2, Basic Applications. Cambridge University Press, New York, NY, USA, 2004.
[7] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.
[8] T. Ho, M. Médard, R. Koetter, D. R. Karger, M. Effros, J. Shi, and B. Leong. A random linear network coding approach to multicast. IEEE Transactions on Information Theory, 52(10):4413–4430, 2006.
[9] T. C. Ho, B. Leong, R. Koetter, M. Médard, M. Effros, and D. R. Karger. Byzantine modification detection in multicast networks using randomized network coding. In International Symposium on Information Theory, Chicago, USA, June 2004.
[10] S. Jaggi and M. Langberg. Resilient network codes in the presence of eavesdropping Byzantine adversaries. In IEEE International Symposium on Information Theory, 2007.
[11] S. Jaggi, M. Langberg, T. Ho, and M. Effros. Correction of adversarial errors in networks. In Proceedings of the International Symposium on Information Theory (ISIT 2005), Adelaide, Australia, 2005.
[12] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, and M. Médard. Resilient network coding in the presence of Byzantine adversaries. In INFOCOM, pages 616–624. IEEE, 2007.
[13] S. Jaggi, P. Sanders, P. A. Chou, M. Effros, S. Egner, K. Jain, and L. Tolhuizen. Polynomial time algorithms for multicast network code construction. IEEE Transactions on Information Theory, 51(6):1973–1982, June 2005.
[14] R. Koetter and F. Kschischang. Coding for errors and erasures in random network coding. In Proceedings of the International Symposium on Information Theory (ISIT 2007), 2007.
[15] R. Koetter and M. Médard. An Algebraic Approach to Network Coding. IEEE/ACM Transactions on Networking, 11(5):782–795, 2003.
[16] M. N. Krohn, M. J. Freedman, and D. Mazières. On-the-fly verification of rateless erasure codes for efficient content distribution. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, 2004.
[17] S.-Y. R. Li, R. W. Yeung, and N. Cai. Linear Network Coding. IEEE Transactions on Information Theory, 49(2):371–381, 2003.
[18] R. W. Yeung and N. Cai. Network error correction, Part 1: Basic concepts and upper bounds. Communications in Information and Systems, 6(1):19–36, 2006.