Talking secretly, reliably and efficiently: A
“complete” characterization
Qiaosheng (Eric) Zhang1
Mayank Bakshi1
1
Sidharth Jaggi1
Chinese University of Hong Kong
Abstract—We consider reliable and secure communication
of information over a multipath network. A transmitter Alice
sends messages to the receiver Bob in the presence of a hidden
adversary Calvin. The adversary Calvin can both eavesdrop and
jam on (possibly non-identical) subsets of transmission links. The
goal is to communicate reliably (intended receiver can understand
the messages) and secretly (adversary cannot understand the
messages). Two kinds of jamming, additive and overwrite, are
considered. Additive jamming corresponds to wireless network
model while overwrite jamming corresponds to wired network
model and storage systems. The multipath network consists of
C parallel links. Calvin can both jam and eavesdrop any zio
number of links, can eavesdrop (but not jam) any zi/o number
of links, and can jam (but not eavesdrop) any zo/i number
of links. We present the first “complete” information-theoretic
characterization of maximum achievable rate as a function of
the number of links that can be jammed and/or eavesdropped
for equal and unequal link capacity multipath networks under
additive and overwrite jamming in the large alphabet regime. Our
achievability and converse proofs require non-trivial combination
of information theoretic and coding theoretic ideas and our
achievability schemes are computationally efficient. The PHaSESaving techniques1 are used for achievability while a “stochastic”
singleton bound is obtained for converse.
I. I NTRODUCTION
Suppose there are C computers in a computer lab (see
Fig 1). The administrator wishes to store an important file
by distributing it across the C machines in such a way
that a hacker who manages to obtain (potentially different)
read/write privileges on some of the machines cannot (a)
corrupt the file, and optionally (b) not decipher its contents.
Specifically, suppose that the hacker obtains read/write permissions on computers in a subset ZIO of size zio , can
only read the contents of zi/o computers belonging to subset
ZI/O , and only overwrite the contents of zo/i computers
belonging to ZO/I (perhaps because even though the hacker
has write permissions, the segment stored on these may be
encrypted and her/his best bet may be to just overwrite the
data). The administrator does not know the specific subsets
ZIO , ZI/O , ZO/I , but knows upper bounds on zio , zi/o , and
zo/i . Can the administrator ensure that the file stored is (a)
robust to corruption, and (b) secret from the hacker? If so,
what is the largest “rate” possible?
This problem may be modelled as a secure and reliable
network coding problem over an adversarial parallel edges
network (see Fig 2). The sender Alice (the administrator) has a
1 Pairwise
Hashing Stochastic Encoding
Swanand Kadhe2
2
Alex Sprintson2
Texas A&M University
message that she wishes to transmit to Bob (a legitimate user)
over C parallel edges (which correspond to the computers in
the preceding example). The adversary Calvin (the hacker)
eavesdrops on zi = zio + zi/o edges and can corrupt zo =
zio + zo/i edges (with zio edges being common to both the
subsets). This problem has been well studied in the past and
the best rate possible is characterized in special cases. When
zi = C, C 2zo is known to be the best achievable rate if
error correction is the sole objective – applying an MDS code
such as Reed-Solomon codes [8] gives the achievability and
the converse follows from Singleton bound [11]. Separately,
when Calvin can only eavesdrop on zi edges with zo = 0,
the best achievable rate is C zi [7]. When the goal is to
both be reliable and secure, “folklore” suggests that the rate is
C 2zo zi achievable by combining the above [6], [10]. It
is worth noting that the above results require that the scheme
be reliable and secure with probability one. If an “epsilon”
error probability is allowed, higher rates are achievable in
several settings. Under this criteria, [2] examines the maximum
achievable rate for reliable decoding when the zi/o = zo/i = 0.
They show the following two-part rate region. When the zio is
less than half of C, the maximum achievable rate R equals the
C zio . This is achieved by using erasure codes and "pairwisehashing" scheme to detect the corrupted edges. On the other
hand, when zio exceeds C/2, the maximum achievable rate
is restricted to be 0. Separately, in the setting when Calvin
can eavesdrop on and corrupt disjoint subsets of edges, i.e.,
zio = 0, [12] shows that the best rate for both reliable and
secure network coding is C ZO ZI . This rate is achieved by
erasure coding coupled with a “rank modulation” scheme. For
a summary of these and related papers, the reader is referred
to [3] in the context of network coding, and to excellent
surveys on AVCs [5].
In our work, we consider two ways in which Calvin could
corrupt the edges - additive jamming and overwrite jamming.
For additive jamming, Calvin can only add his own packets
to the transmitted packets. But for overwrite jamming, Calvin
can replace the transmitted packets with it’s own "malicious"
packets directly. The two kinds of attack corresponds to different physical model in reality. In wireless network, additive
jamming is a natural model, while in computer networks, overwrite jamming appears more natural. For both these settings,
we consider networks with equal link capacities as well as
unequal link capacities (also considered in [4], [9]). Given a
constraint on the adversary’s power in the form of zio , zi/o ,
Y1= X1
X1
ZIO
ZI/O
ZIO
ZI/O
k
random key
ZO/I
ZI/O
ZI/O
M
ZO/I
(a) A weak adversary (Ex. 1)
Y2= X2
X2
X
Enc(M, k)
message
ZI/O
Encoder
Transmitted
codeword
(b) A strong adversary (Ex. 2)
Fig. 1: A motivating example: Out of 7 computers in a lab, the
contents of an unknown subset of size zi/o are only read, zo/i are
only corrupted, and zio are both read and corrupted by a malicious
hacker. Can an administrator store a file across the 7 computers in
such a way that the file is both recoverable by the end user and secret
from the hacker?
and zo/i , we characterize the maximum achievable rates –
first for just reliable transmission, and next for both reliable
and secure communication for both additive and overwrite
jamming adversaries.
We show that in each of the settings that we examine, the adversary’s power (measured through the triplet (zio , zi/o , zo/i ))
may be classified into one of two possible regimes – weak
adversary and strong adversary. These two regimes are fundamentally different in that the set of edges corrupted by the
adversary are detectable in the weak adversary regime, but not
in the strong adversary regime. This leads to fundamentally
different achievable rates in the two regimes – in the weak
adversary regime, the corrupted codewords can be treated as
erasures, while in the strong adversary regime, the corrupted
codewords may undergo “worst-case” errors. To illustrate
this, consider the following examples based on the network
shown in Figure 1. For simplicity, we only examine the issue
of reliable decoding against an overwrite adversary in the
following examples – similar arguments also apply when we
also demand secrecy in addition to reliable decoding.
Example 1 (Weak adversary regime). Let zio = 1, zi/o = 2,
and zo/i = 1. Let us examine what the administrator could
potentially do to ensure reliable decoding. In order to avoid
being recoverable from the hacker’s attack, the administrator
may first encode the message into seven segments using a
(7, 5) Reed-Solomon Code and store each segment onto one
of the seven computers. This enables the end user to recover
the file from any five of the the seven computers. Next, the
administrator writes random headers onto each computer that
allows the end user to detect which of the machines have
been corrupted. Specifically, the random headers consist of
“pairwise-hashes” (see Section IV) that are used to “corroborate” the information of one computer from other computers.
To see how the above enables detection of the corrupted
computers, consider a worst case attack by the hacker. For
example, the hacker may first observe the any three segments
(zio + zi/o ) and replace two segments (zio + zo/i ) with
codewords that are correspond to a randomly chosen input
file that is consistent with the two computers that he can
only observe but not corrupt. Thus, in the worst case, the
hacker can ensure that the segments on each of the four
ZO/I
X3
ZIO
X4
E3
E4
Adversary
-- Calvin
Y3= f (X3, E3)
Y4=f (X4, E4)
X5
Y5= X5
X6
Y6= X6
X7
Y7= X7
Y
Received
codeword
Dec(Y)
Decoder
M’
M = M’ w.h.p.
Multipath network
Fig. 2: System diagram for a multipath network consisting of C
parallel links. Calvin can both jam and eavesdrop any zio links,
only eavesdrop any zi/o links, and only jam any zo/i links. Calvin’s
power can be concisely represented as ~z = (zio , zi/o , zo/i ). In this
example, we have C = 7 and ~z = (1, 1, 1). Calvin has chosen
ZIO = {L4 }, ZI/O = {L1 }, and ZO/I = {L3 }. For additive
~3 = X
~3 + E
~ 3 , whereas for overwrite Calvin, Y
~3 = E
~ 3,
Calvin, Y
~ 3 is any arbitrary noise packet.
where E
computers in ZIO [ ZI/O [ ZO/I can be corroborated by
the others. The end user can still detect these by forming
cliques corresponding to the computers whose headers are
consistent with each other. In this sense, the hacker can at most
force a fake “four-clique”. On the other hand, the segments on
five computers (except for zio + zo/i ) cannot be changed, and
hence, these five segments can be corroborate by each other
and form a “five-clique”. The end user who wants to retrieve
the file, can simply check the hashing result across every pairs
of computers and detect the safe computers by finding the
largest clique. After identifying the five uncorrupted segments
(corresponding to the five-clique), the user finally is able to
decode the original file by decoding the Reed-Solomon code.
In this regime, the rate can be as large as C (zio +zo/i ) = 5.
Example 2 (Strong adversary regime). Now, consider the case
when zio = 2, zi/o = 1, and zo/i = 1. In this case, if the
administrator were to use the same scheme as Example 1, the
hacker may form a larger clique. Observe that the hacker can
form a clique of size zio + zi/o + zo/i = 4 as earlier, but
the clique corresponding to the true message could also be as
small as C zio zo/i = 4. Thus, the end user can no longer
reliably determine which of the the two cliques correspond to
the attacked subset. In fact, by following a singleton bound
type of argument, we show (see Section IV) that the best
possible rate is C 2(zio + zo/i ) = 1.
II. P ROBLEM S TATEMENT
Figure 2 shows the system diagram. The main features of
the system are described in the following.
A. Network Model
We consider communication over a multipath network,
which consists of C parallel, directed links, denoted by
L1 , L2 , ..., LC . We consider two kinds of multipath networks,
equal link capacity networks and unequal link capacity networks. The capacity of the i-th link Li is denoted by ui bits
per use. For an equal capacity network, we assume that each
link has unit-capacity, i.e., ui = 1, 8i. Thus, the total capacity
of the network is C bits per use. On the other hand, for unequal
link capacities, the total capacity of the network is Ĉ :=
bits per use.
C
P
ui
i=1
B. Encoder
The transmitter Alice wants to transmit an nR-bit message
M to the receiver Bob over the multipath network. We assume
nR
that the message is uniformly distributed over {0, 1} . Alice
may use a stochastic encoding with a random key k that is
uniformly distributed over another finite field F2t . For equal
link capacity case, the encoding process can be represented
nR
nC
as e : {0, 1} ⇥ F2t ! {0, 1} . The codeword X =
e (M, k) can be viewed as a C⇥n matrix over F2 . Notice that
! !
!
we can represent the codeword as X = [ X T1 X T2 ... X TC ]T ,
!
where each X i is a length-n binary row vector. On each link
!
i (1  i  C), Alice transmits X i , which we refer to as a
packet.
For unequal link capacity case, Alice’s encoder
nR
nĈ
is
: {0, 1} ⇥ F2t ! {0, 1} .
The
codeword
!ueT
!T !T
!T
!
!
X = [ X 11 · · · X 1u1 X 21 · · · X 2u2 · · · X TC1 · · · X TCuC ]T ,
can be viewed as a Ĉ ⇥ n binary matrix, where each element
is a binary length-n row vector. The packet transmitted on
!
! !
!
the i-th link, X i = [ X i1 , X i2 , · · · , X iui ], is a length-(nui )
binary vector. Recall that the capacity of Li is ui .
Notice that it is possible to view the encoding process on
some extension field Fq of the binary field. In particular, if
we set q = 2b and N = nb , then a length-n binary vector can
be considered as a length-N vector with symbols over Fq .
Typically, we set b = log(N C) for equal link capacities and
b = log(N Ĉ) for unequal link capacities.
C. Adversarial Model
The adversary Calvin is computationally unbounded and
knows the coding schemes. Calvin can jam (but not eavesdrop)
a subset ZO/I of links of size zo/i , can eavesdrop (but not
jam) a subset ZI/O of size zi/o , and can both eavesdrop and
jam a subset ZIO of size zio . Note that Calvin is free to
choose arbitrary subsets of links of given sizes to jam and/or
eavesdrop. Calvin’s power can be concisely represented by a
vector ~z = (zio , zi/o , zo/i ) 2 (Z+ )3 .
!
An overwrite adversary can replace the original packet X i
!
on any link that he can jam with any arbitrary packet Y i . On
the other hand, an additive adversary can only add arbitrary
!
!
noise Ei on the link, resulting in Y i = X i + Ei . Note that
for the links in ZIO , both additive and overwrite adversaries
are equivalent. This is because to insert an arbitrary packet
!
Y i over a link in ZIO , the additive Calvin can first observe
!
!
the original packet X i and then corrupt it to Y i by adding
!
!
the noise Ei = Y i X i .
D. Decoder
For equal link capacities, the received codeword is
! !
!
!
denoted by Y = [ Y T1 Y T2 ... Y TC ]T , where Y i is the
length-n packet received on the i-th link. Bob’s decoder
nC
nR
can be stated as e (Y ): {0, 1}
! {0, 1} . We denote
the decoded message as M 0 = (Y ). For unequal link
capacities, the received codeword is denoted by Y =
!
!
!
!
!
!
[ Y T11 · · · Y T1u1 Y T21 · · · Y T2u2 · · · Y TC1 · · · Y TCuC ]T .
Bob’s decoder for this case can be represented as ue (Y ):
nĈ
nR
{0, 1} ! {0, 1} . For both cases, we measure reliability
in terms of the probability of error Pe = Pr{M 0 6= M }. We
are interested in ✏-error probability, i.e., Pe < ✏ for some
arbitrarily small ✏ > 0. Notice that the zero error requirement
would result in entirely different rate region.
For achieving security, we consider information-theoretic
perfect secrecy, which requires that the mutual-information
between Alice’s message and Calvin’s observations should
be zero. Let ZI = {i1 , i2 , · · · , izi } be the set of zi =
zi/o + zio links eavesdropped by Calvin. Let XZI =
! !
!
[ X Ti1 X Ti2 · · · X Tiz ]T be the sub-codeword transmitted on the
i
links in ZI . Then, for secrecy, we require that I (M ; XZI ) =
0.
III. M AIN R ESULTS
We show that for the rate region consists of two parts, which
we refer to as weak adversary regime and strong adversary
regime (see Fig. 3). For additive jamming, the weak and strong
adversary regimes are given as
Zwadd = ~z : zi/o + zo/i + 2zio < C ,
Zsadd
= ~z : zi/o + zo/i + 2zio
C ,
(1)
(2)
whereas for overwrite jamming, the two regimes are
Zwow = ~z : zi/o + 2zo/i + 2zio < C ,
Zsow
= ~z : zi/o + 2zo/i + 2zio
C .
(3)
(4)
In both additive and overwrite cases, the total number of links
that Calvin can access is more in the strong adversary regime
that in the weak adversary regime, which motivates the names
of the regions.
A. Achievable rates for reliable decoding
First, we consider only reliability without worrying about
secrecy. We completely characterize the reliable rate region
under additive as well as overwrite jamming for equal and
unequal link capacities. We denote the maximum achievable
reliable rate for additive (resp. overwrite) jamming as Rjadd
(resp. Rjow ).
Theorem 1 (Additive jamming for equal link capacities). For
an equal link capacity network, for any ~z = (zio , zi/o , zo/i )
such that zio + zi/o + zo/i < C, the maximum achievable
reliable rate for additive jamming is
(
C (zio + zo/i ),
if ~z 2 Zwadd ,
add
Rj (~z ) =
max (0, C (2zio + zo/i )), if ~z 2 Zsadd .
Theorem 2 (overwrite jamming for equal link capacities). For
an equal link capacity network, for any ~z = (zio , zi/o , zo/i )
such that zio + zi/o + zo/i < C, the maximum achievable
reliable rate for overwrite jamming is
(
C (zio + zo/i ),
if ~z 2 Zwow ,
ow
Rj (~z ) =
max (0, C (2zio + 2zo/i )), if ~z 2 Zsow .
ZIO
ZIO
A1
A1
A4
A4
O
A2
O
ZI/O
A2
ZI/O
A5
A3
|OA1| = |OA2| = |OA3| = 2|OA4| = C
A3
ZO/I
ZO/I
Additive Jamming
|OA1| = |OA2| = |OA3| = 2|OA4| = 2|OA5| = C
Overwrite Jamming
Fig. 3: Two regimes for additive and overwrite jamming. For additive (resp. overwrite) jamming, the tetrahedron A4 OA2 A3 (resp.
A4 OA2 A5 ) represents the weak adversary region, while the tetrahedron A1 A2 A3 A4 (resp. A1 A3 A5 A4 A2 ) represents the strong
adversary region.
Notice that, for additive and overwrite jamming, the weak
and strong adversary regimes are different. Further, the rates
for strong adversary regime are also slightly different. To get
some intuition, observe that if adversary can corrupt zo =
zio + zo/i links, one cannot hope to get a rate better than
C (zio + zo/i ). In fact, to achieve this rate, one would need
to first detect jammed links, and recover the message from the
uncorrupted links. In the the weak adversary regime (for both
additive and overwrite jamming), we achieve this by using a
pairwise-hashing scheme together with an erasure code. The
pairwise-hashing is used to detect the corrupted links. Once
detected, the packets on the corrupted links can be considered
as erased, and the erasure code is used to decode the message.
In the strong adversary regime, we show that pairwisehashing can no longer be used to detect all the corrupted
links. Thus, we use an error correcting code with sufficient
redundancy to correct all the remaining corrupted links (which
cannot be detected using hashing). The converse for this
regime uses Singleton bound type arguments. We detail out
the achievability and converse for Theorem 1 in Section IV.
For unequal link capacities, Calvin can jam links with highest sum-rate to incur maximum damage. Thus, the maximum
achievable rate depends on the subset of links with smallest
sum-capacity. To take this into account, we define the capacity
of any subset of w links as Uw . The choice of different
subsets may result in different values of Uw , and hence, we
use (Uw )max to denote the largest sum-capacity among all the
possible subsets of size w. The maximum achievable rate is
given as follows.
Theorem 3 (additive jamming for unequal link capacities). For an unequal link capacity network, for any ~z =
(zio , zi/o , zo/i ) such that zio + zi/o + zo/i < C, the maximum
achievable rate for additive jamming is
achievable rate for overwrite jamming is
(
Ĉ (U
ow
n (zio +zo/i ) )max ,
o
Rj (~z ) =
max 0, Ĉ (U(2zio +2zo/i ) )max ,
if ~z 2 Zwow ,
if ~z 2 Zsow .
We use the same proof techniques as in the equal link
capacity case with a key difference that the packets on
different links are of different lengths. The computationally
complexity of achievable scheme for both types of jamming
is O((N Ĉ log(N Ĉ))2 ).
B. Achievable rates with reliable decoding and secrecy
In this section, we impose the secrecy constraint together
with reliability. We are concerned with the case where Calvin
tries to learn some information about Alice’s message from the
links he eavesdrops. Our aim is to prevent Calvin from gaining
any information about the message. We consider informationtheoretic perfect secrecy, which requires that I (M ; XZI ) = 0,
where XZI is the sub-codeword transmitted on the links in
ZI . In the following, we characterize the reliable and secure
rate region for the equal link capacity case under additive and
overwrite jamming.
Theorem 5 (additive jamming with secrecy, equal link capacities). For an equal link capacity network, for any ~z =
(zio , zi/o , zo/i ) such that zio + zi/o + zo/i < C, the maximum
achievable reliable and secret rate for additive jamming is
(
C (zo/i + zi/o + 2zio ) if ~z 2 Zwadd ,
add
Rj,s (~z ) =
0
if ~z 2 Zsadd .
Theorem 6 (overwrite jamming with secrecy, equal link
capacities). For an equal link capacity network, for any
~z = (zio , zi/o , zo/i ) such that zio + zi/o + zo/i < C, the
maximum achievable reliable and secret rate for overwrite
jamming is
(
C (zo/i + zi/o + 2zio ) if ~z 2 Zwow ,
ow
Rj,s (~z ) =
0
if ~z 2 Zsow .
The converse for the weak adversary regime (for both
additive and overwrite jamming) follows from the standard
information-theoretic inequalities, where we use the secrecy
condition that any subset of zi = (zio + zi/o ) links cannot
carry any meaningful information. In the achievable scheme,
Alice needs to mix her message with zi random keys and
then use the reliable encoding scheme consisting of pairwise
hashing and erasure coding. For the strong adversary regime,
converse is based on the Singleton type arguments similar to
the only reliability case.
IV. P ROOF OF T HEOREM 1
(
A. Achievability for weak adversary regime
Ĉ (U
if ~z 2 Zwadd
(zio +zo/i ) )max ,
add
n
o
Encoder: Throughout this section we work over a finite
Rj (~z ) =
max 0, Ĉ (U(2zio +zo/i ) )max , if ~z 2 Zsadd . field F , where q = 2b . We define N = n . First, we encode
q
b
the length-(N Rjadd ) message (with symbols over Fq ) using
Theorem 4 (overwrite jamming and unequal link capaci- a (N C, N Rjadd ) Reed-Solomon code to obtain a length-N C
ties). For an unequal link capacity network, for any ~z = codeword X. Note that X can be arranged as a C ⇥ N matrix.
(zio , zi/o , zo/i ) such that zio + zi/o + zo/i < C, the maximum The packet transmitted on i-th link is the i-th row of X
!
!
denoted p
as X i .pLet X i also represent the rearrangement of
!
X i as a N ⇥ N matrix (the distinction will be clear
p from
the context). For each link Li , we generate C length- N hash
keys ⇢~p
ij , which each key vector chosen uniformly at random
!
over Fq N . We define the value of p
the pairwise hash h( X j , ⇢~ij )
of link i with link j as a length- N column vector obtained
!
as h~ij = X j ⇢~ij . For each link Li , we get C hash vectors
!
h~i1 , h~i2 , ..., h~iC . We form a new packet X 0i for each link Li
by appending the hash keys ⇢~ij and the hash values to the
!
!
!
payload X i , i.e., X 0i = [ X i , ⇢~i1 , ⇢~i2 , ...,p⇢~iC , h~i1 , h~i2 , ..., h~iC ].
!0
Note that the length of X i is N + 2C N .
!
Decoder: For each link Li , let Y i denote the received
payload, ⇢
~0ij denote received hash keys, and ~h0ij received
hash values. For all i and j, we say that the links Li and
! 0
Lj are consistent if and only if ~h0ij = h( Y j , ⇢
~ij ) and
0
~h0 = h(!
Y i, ⇢
~ji ). We say that a link Li is self-consistent
ji
0
!
~
if hii = h( Y i , ⇢~ii 0 ).
For any link Li 2 ZO/I , since Calvin adds noise without
prior knowledge of payload and hash keys, it is easy to show
that the probability that Calvin can induce self-consistency is
at most 1q . This probability can be made arbitrarily small by
choosing sufficiently large field size. By checking the selfhashing results, Bob can detect the links that belong to ZO/I .
To detect links in ZIO , Bob constructs an auxiliary graph
with C vertices. If the links Li and Lj are consistent, Bob
connects the two vertices vi and vj by an undirected edge.
Then, Bob can detect the uncorrupted links by finding the
"largest-clique". Calvin can induce consistency on any two
links Li , Lj 2 ZIO as he can observe the payloads and hashes
first. Moreover, he can also induce consistency on any pair of
links Li 2 ZIO and Lj 2 ZI/O , as he can observe both the
links. Therefore, all the links that belong to ZIO and ZI/O can
be made consistent. Thus, Calvin can induce a fake clique of
size at most zi/o + zio . Clearly, all the links belong to ZI/O
and C \ (ZI/O [ ZO/I [ ZIO ) are consistent since Calvin
cannot jam on these links. The clique corresponding to these
links, referred to as correct clique, is of size zi/o +(C zi/o
zo/i zio ).
Bob can detect all the uncorrupted links by finding the
"largest clique" as long as the size of the correct clique is larger
that that of the fake clique, i.e. zi/o + (C zi/o zo/i zio ) >
zi/o + zio . It is easy to see that this would always be true
in the weak adversary regime. Thus, Bob can detect all the
zo = zo/i +zio corrupted links. The message can be recovered
from the C zo uncorrupted links by using the erasure code.
B. Converse for weak adversary regime
If Calvin adds uniform random noise independent of Alice’s
transmissions, the zo/i + zio corrupted links cannot carry any
useful information for Bob. Therefore, the rate can at most be
C (zo/i + zio ).
C. Achievability for strong adversary regime
Alice encodes the message using a Reed-Solomon code
which can handle up to zo/i erasures and zio errors. Notice
that the clique decoding does not work in this regime. Bob can
only detect the links in ZO/I by checking the self-consistency,
which can be treated as erasures. The error correcting code
can correct these zo/i along with the zio errors to recover the
message.
D. Converse for strong adversary regime
The converse relies on the Singleton bound type of arguments. Irrespective of the coding scheme, Calvin uses the
following observe-and-attack strategy. Calvin first eavesdrops
on the first (C 2zio zo/i ) links. He jams the next zo/i
links by adding random, independent noise. For the rest of
the 2zio links, Calvin chooses either the first zio set of links
or the second zio set of links with equal probability to attack.
The way to attack is to first choose a fake message and then to
intelligently find the sub-codeword based on the eavesdropped
data. We prove that, with probability bounded away form zero,
Calvin can always find a message M 0 (M 0 6= M ) such that
Bob cannot distinguish whether the codeword transmitted by
Alice was corresponding to M or to M 0 .
Since the subset ZO/I can be detected easily, we can ignore
it in the following proof and define C 0 = C zo/i . We assume
the message M is uniformly distributed from the whole set
M and let MR be the random variable of message. The
distribution of MR is PMR . Let X be the codebook where
the codeword X is uniformly distributed from X . Let XR be
the random variable of codeword X. The XR (M ) is defined
as the random variable of codeword X of message M . Then
we define the factor p = zio /C 0 and r = 1 2p+" (" > 0) . We
assume the rate R = C 0 ⇥ r = C 0 2zio + "C 0 and show that
Calvin can make it impossible to communicate under this rate.
After encoding, there are C packets in total and each packet
has m symbols over Fq (m N since encoder may add some
headers to the packet). For Calvin, the length of eavesdropped
symbols l = (C 0 2zio )m and the eavesdropped symbols are
denoted by xl . The distribution of xl is g(xl ). Our proof is
divided into two steps: (1) Calvin is able to find a message
M 0 based on xl (M 0 6= M ), (2) Bob cannot distinguish M
and M 0 when he receives the codeword Y .
1) Proof of (a): At the encoder side, message M is encoded
to X such that X = (M, k). According to the lemma 6.1 of
[1], we know
X
Hq (PMR ) 
g(xl )Hq (PM|xl ) + Hq (g(xl ))
xl
Since Hq (PMR ) = C rm = (1 2p+")C 0 m and Hq (g(xl )) 
l = (1 2p)C 0 m, we obtain
X
g(xl )Hq (PM|xl ) "C 0 m
0
xl
It shows that the mean value of Hq (PM|xl ) is larger than or
equal to " C 0 m so that
"C 0 m  E[Hq (PM|xl )]
 P r[Hq (PM|xl )
"C 0 m/2]C 0 m
+ P r[Hq (PM|xl ) < "C 0 m/2]"C 0 m/2
) P r[Hq (P M|xl )
) P r[Hq (P M|xl )
"C 0 m/2](1
0
"C m/2]
"/2)
"/2
"/2
This inequality shows Hq (PM|xl )
"C 0 m with probability
0
at least "/2. (Here Hq (PM|xl )  C m)
Alice and Calvin will choose their message independent at
random according to PM|xl . Let MA and MC be the random
variables that governing the choice of Alice and Calvin. We
want to show MA 6= MC w.h.p. and the probability is
X
P r[MA 6= MC ] =
PM|xl (M )PM|xl (M 0 ).
M 6=M 0
As proved above,
Hq (PM|xl ) = Hq (MA ) = Hq (MC ) = Hq (MA |MC )
Hq (MA |MC )  h(P r[MA 6= MC ])
+ log(|M| 1)P r[MA 6= MC ],
where h(·) is the binary entropy function. Usually the term
h(P r[MA 6= MC ])  1 and log(|M| 1) < log(|M|) 
C 0 m. Therefore
"C 0 m/2  Hq (MA |MC )  1 + C 0 mP r[MA 6= MC ]
"C 0 m 2
) P r[MA 6= MC ]
2C 0 m
"/4 iff C 0 m
4/"
The proof tells us that the message Calvin is able to find a
message M 0 such that M 0 6= M w.h.p. when the size of packet
m is large enough.
2) Proof of (b): We suppose event (M, k, M 0 , k 0 ) represents Alice choose a message M and a random key k as well
as Calvin choose a message M 0 and a random key k 0 . we
also define P (xl ) as the probability that the first l symbols of
Alice’s codeword are xl . Then we obtain
P r[ (M, k, M 0 , k 0 )]
=PMR (M )PXR (M ) (X)PMR |xl (M 0 )PXR (M 0 )|xl (X 0 )
=P (xl )PMR |xl (M )PXR (M )|xl (X)PMR |xl (M 0 )PXR (M 0 )|xl (X 0 )
0
0
=PMR (M )PXR (M 0 ) (X )PMR |xl (M )PXR (M )|xl (X)
(M,k) (M 0 ,k0 )|xl
=
✓
"C 0 m/2.
By Fano’s inequality, we obtain
P r[MA 6= MC ]
(M, k, M 0 , k 0 ) and (M 0 , k 0 , M, k) are the same. Finally,
we obtain the error probability P r(error) is equal to
X
X
Pr[ (M, k, M 0 , k 0 )]
X
·
X
(M,k) (M 0 ,k0 )|xl
Pr
Y 2Y(M,k,M 0 ,k0 )
1 X
2
Pr[ (M, k, M 0 , k 0 )] ·
[ (Y ) 6= M ] +
X
Pr
Y 2Y(M,k,M 0 ,k0 )
(M,k) (M 0 ,k0 )|xl
2
[ (Y ) 6= M ]
1
·
2
Pr
Y 2Y(M,k,M 0 ,k0 )
0
[ (Y ) 6= M ]
◆
P r[ (M, k, M 0 , k 0 )] · IM 6=M 0
1 " "
"
· · =
.
2 4 2
16
IM 6=M 0 is equal to one when M and M 0 are different and
equal to zero otherwise. The results above show that Bob
cannot distinguish M and M 0 since the probability of decoding
incorrectly is a constant given a certain " and therefore we
complete our proof.
V. PROOF SKETCH FOR THEOREM 2, 3, 4
A. Theorem 2 (overwrite jamming for equal link capacities)
As mentioned in additive jamming section, the links belong
to ZO/I can be detected by checking self-hashing easily. However, it is hard to detect by using the same way under overwrite
jamming since Calvin can replace the original packets with his
own packets directly. In this sense, the behavior of ZO/I is
almost the same as ZIO and the detection of ZO/I will also
rely on the pairwise-hashing scheme. The code construction is
the same as additive case. During transmission, Calvin could
form a fake clique of size zio + zi/o + zo/i . In order to detect
errors by "finding largest clique", the size of the correct clique
should be larger than the size of fake clique, resulting in
zio + zg > zio + zo/i + zi/o ) 2zio + 2zo/i + zi/o < C
For overwrite jamming, the rate R = C zio zo/i can
also be achieved under the weak adversary regime. However,
the weak adversary regime and strong adversary regime are
The equations show that the probability of event changed. It’s also not hard to check that no higher rate is
(M, k, M 0 , k 0 ) is the same as the probability of event possible.
(M 0 , k 0 , M, k). Then we define Y(M, k, M 0 , k 0 ) as the
For the strong adversary regime, rate R = C 2(zio + zo/i )
distribution of received codeword Y conditioned on the
can
be achieved by using Reed-Solomon Codes. Since the
event (M, k, M 0 , k 0 ). When (M, k, M 0 , k 0 ) happens, the
behavior
of ZO/I is the same as ZIO in overwrite jamming,
distribution Y(M, k, M 0 , k 0 ) of received codeword Y could
we substitute (zio + zo/i ) for zio in the proof of "converse for
be
strong adversary regime" in Section IV and therefore, we can
!
!
!
!
!
!
[ Y 1 , ..., Y C 2zio ; Y C 2zio +1 , ..., Y C zio ; Y 0C zio +1 , ..., Y 0C ] also prove that no rate higher than C 2(zio +zo/i ) is possible.
In addition, the rate is restricted to 0 when 2(zio + zo/i ) C.
or
!
!
!
!
!
! B. Theorem 3 (additive jamming for unequal link capacities)
[ Y 1 , ..., Y C 2zio ; Y 0C 2zio +1 , ..., Y 0C zio ; Y C zio +1 , ..., Y C ]
1) weak adversary regime: Next, we consider the netwith equal probability. When (M 0 , k 0 , M, k) happens, work with additive jamming for unequal link capacithe distribution Y(M 0 , k 0 , M, k) is exactly the same as ties. The two-part rate-region of equal link capacities
Y(M, k, M 0 , k 0 ). since the first C
2ZIO packets of and unequal link capacities for additive jamming are the
=P r[ (M 0 , k 0 , M, k)]
same (Zwadd = ~z : zi/o + zo/i + 2zio < C and Zsadd =
~z : zi/o + zo/i + 2zio C ).
Encoder: The encoding function
maps the message M
and random key k such that (M, k) = X, where X =
!
!
!
!
!
!
[ X T11 · · · X T1u1 X T21 · · · X T2u2 · · · X TC1 · · · X TCuC ]T is
the codeword before pairwise-hashing. As mentioned above,
the capacity of the i-th link Li is ui and therefore Li can
! !
!
be used to transmitted ui packets ( X i1 , X i2 , ... , X iui ).
In terms of encoding and decoding, the "pairwise-hashing"
scheme is still effective. For unequal link capacities, only
the first packet of each link is used to do the pairwisehashing. For example, C random vectors ⇢~11 , ⇢~12 , ..., ⇢~iC
are generated for L1 and the first packet of all the
! !
!
links ( X 11 , X 21 , ..., X C1 ) will be hashed with these
random vectors respectively. As a result, C hash results
h~11 , h~12 , ..., h~1C are obtained. Therefore the transmitted vector
!
!
X10
is [ X 11 , ..., X 1u1 , ⇢~11 , ⇢~12 , ..., ⇢~iC , h~11 , h~12 , ..., h~iC ].
Similar transmitted vectors X20 , ..., XC0 are obtained for the
other links. After this construction, the transmitted codeword
! !0T
!0T T
X 0 = [ X 0T
1 X 2 ... X C ] .
Decoder: To detect links in ZIO , Bob first constructs an
auxiliary graph with C vertices. In order to check consistency,
Bob extracts the first packet of each link. If the links Li and
Lj are consistent, Bob connect the two vertices vi and vj by
an undirected edge. Then he can detect the uncorrupted links
by finding the "largest-clique" and recover the message from
the C zo uncorrupted links.
Result: The weak adversary regime for unequal link capacities is exactly the same as the equal link capacities, which is
Zwadd = ~z : zi/o + zo/i + 2zio < C . In the weak adversary
regime, rate R = Ĉ (U(zio +zo/i ) )max can be achieved since
Calvin may corrupt the links with maximum capacities in the
worst case.
2) strong adversary regime: In this region Zsadd =
~z : zi/o + zo/i + 2zio C , only links belong to ZO/I can
be detected by checking self-consistency. In order to make
the rate as large as possible, Alice may not make full use
of the total capacities so that the encoding scheme is slightly
different from the general one described in Section II. Alice
first chooses C 2zio zo/i links with minimal capacities and
loads these links with fully according to their capacities. For
the rest of the links, Alice finds the minimal capacity among
these links and denote it by . For each link, Alice will load
it with only packets. According to the construction of our
codes, the rate R = Ĉ (U(2zio +zo/i ) )max can be achieved.
Moreover, the rate is restricted to zero when zo/i + 2zio C.
If we make full use of the total capacities, Calvin may
choose subset ZIO (which is not detectable) with maximum
capacities. As a result, more than 2zio links will be used to
offset the errors so that the rate above is not achievable. We
also give an example for achievability.
Example 3. Consider a 7-link network shown in Figure 4.
The capacity of L1 , L2 , ..., L7 is 1, 2, ... , 7 respectively. Let
zio = 2, zo/i = 1 and zi/o = 2 so that zio +zi/o +zi/o 7. At
the encoder side, Alice load the first two links (7 2 ⇥ 2 1)
with one packet and two packets. For the other links, only
u1=1
X21
X22
X31
X32
X33
u4=4
X41
X42
X43
u5=5
X51
X52
X53
X61
X62
X63
X71
X72
X73
u2=2
u3=3
X
X11
u6=6
u7=7
Y
ZO/I
ZIO
Fig. 4: 7-link network with unequal link capacities
three packets are loaded on each link. Therefore, the rate R =
18 3 6⇥2 = 3 is achieved in the worst case. Imagine if Alice
make every links fully loaded, the rate R will be restricted to
28 5 (6 + 7) ⇥ 2 < 0 in the worst case.
The converse of the strong adversary regime is similar
with the proof in Section IV. If the rate is higher than
Ĉ (U(2zio +zo/i ) )max , Calvin uses the following observe-andattack strategy irrespective of the coding scheme. Calvin first
eavesdrops on the first (C 2zio zo/i ) links. He jams the
next zo/i links by adding random, independent noise. For the
rest of the 2zio links, Calvin chooses either the first zio set
of links or the second zio set of links with equal probability
to attack. The way to attack is to first choose a fake message
and then to intelligently find the sub-codeword based on the
eavesdropped data. It can also be proved that, with probability
bounded away form zero, Calvin can always find a message
M 0 (M 0 6= M ) such that Bob cannot distinguish whether the
codeword transmitted by Alice was corresponding to M or to
M 0.
C. Theorem 4 (overwrite jamming for unequal link capacities)
The rate R for the weak adversary regime is still Ĉ
(U(zio +zo/i ) )max . However, the weak adversary region is
slightly difference (Zwow = ~z : zi/o + 2zo/i + 2zio < C )
since ZO/I can be regarded as ZIO in overwrite jamming. On the other hand, both the rate and the region for
strong adversary regime is changed. The maximum rate R =
Ĉ (U(2zio +2zo/i ) )max can be achieved for strong adversary
regime, which is Zsow = ~z : zi/o + 2zo/i + 2zio C .
VI. P ROOF S KETCH FOR T HEOREM 5
1) Strong Adversary Regime:
Converse: Consider a strategy for Calvin wherein he adds
on ZO links uniform random noise that is independent of
the codewords on the other links and he eavesdrops all the
ZI links. We show that, using standard information-theoretic
inequalities, that it is not possible for Alice to reliably and
secretly transmit at any rate more than C zo zi . Notice
that Calvin can jam any zo links and can eavesdrop any zi
links.
any subset of zi or less number of links does not carry any
information. This results in a contradiction.
H (M ) = H (M |Y ) + I (M ; Y )
(a)
 n✏n + I (M ; Y )
(b)
 n✏n + I (M ; Y1zo ) + I M ; YzCo +1 |Y1zo
(c)
 n✏n + I M ; XzCo +1
(d)
+zi
+zi
 n✏n + I M ; Xzzoo+1
+ I M ; XzCo +zi +1 |Xzzoo+1
(e)
+zi
 n✏n + H XzCo +zi +1 |Xzzoo+1
(f )
 n✏n + C
zo
zi ,
(5)
where ✏n ! 0 as n ! 1. Here, (a) follows from Fano’s
inequality. Inequalities (b) and (d) follow from the chain rule
of mutual information. To obtain (c), we assume without loss
of generality that Calvin jams first zo links. Then, we get
I (M ; Y1zo ) = 0, as Calvin adds uniform random noise independent of Alice’s transmissions. Also, I M ; YzCo +1 |Y1zo =
I M ; YzCo +1 due to independence of added noise. Finally,
we use the fact that for the set of uncorrupted links, we have
YC\ZO = XC\ZO . For getting (e), we use the fact that for any
subset ZI of links of size zi , the secrecy requirement imposes
+zi
that I (M ; XZI ) = 0. Thus, I M ; Xzzoo+1
= 0. In addition,
zo +zi
+zi
C
we have I M ; Xzo +zi +1 |Xzo +1  H XzCo +zi +1 |Xzzoo+1
.
zo +zi
C
Lastly, (f) follows from the fact H Xzo +zi +1 |Xzo +1 
H XzCo +zi +1  C zo zi , where the second inequality
is due to unit link capacities.
Achievability: We only sketch the achievable scheme here,
for details see []. Roughly speaking, Alice first mixes n(C
zo
zi ) message symbols with nzi uniform random key
symbols to form n(C zo ) super-message symbols. Then,
she uses the achievable scheme mentioned in the proof of
Theorem 1 (case 1) composed of a (C, C zo ) Reed-Solomon
code together with the pairwise hashing scheme. Now, Bob can
locate the set ZO of corrupted links using pairwise hashing
and uses the Reed-Solomon code to decode the super-message
symbols from the remaining links. Then, Bob separates the
random keys and the message symbols from the super-message
symbols (we construct an invertible mixing scheme). For
secrecy, we show that when the mixing is carefully performed,
the codeword on each of the zi links that Calvin eavesdrops
consists of a linear combination of keys and messages. Thus,
messages are effectively padded by random keys and Calvin
cannot gain any information from the ZI codewords.
2) Weak Adversary Regime: We show that no reliable and
secret communication is possible by contradiction. Suppose
there exists a scheme using which Alice can transmit at ✏ rate
reliably and secretly. Consider Calvin’s strategy is that he adds
uniform random noise independent of Alice’s transmission on
each of the zo links that he can jam and he listens to each of
the zi links that he can eavesdrop. Since Calvin adds uniform
and independent noise on ZO links, Bob cannot use them for
decoding and he must be able to decode ✏ rate of information
from the C zo links. Notice that in this regime C zo 
zi . However, as Alice’s scheme satisfies secrecy requirement,
VII. P ROOF FOR T HEOREM 6
For the weak adversary case, the converse and achievability
proofs are the same as that of Theorem 5.
For the strong adversary regime, we show that Calvin’s waitand-attack strategy used in the converse of Theorem 2 (case
2) makes it impossible for Alice to communicate reliably and
secretly using any scheme. Suppose there exists a scheme
using which Alice can transmit at some rate ✏ (✏ > 0)
reliably and secretly. Then, Calvin follows the wait-and-attack
strategy. He first listens to l = C 2zo links. Notice that
since C  zi + zo + zo/i , we have C 2zo  zi . Thus,
for any scheme satisfying the secrecy requirement, we have
H M |xl = H (M ) = ✏ for any xl that Calvin observes.
Thus, Calvin can choose any of the q n✏ messages according to
the conditional distribution PM|xl . The rest of the arguments
in the proof of Theorem 2 (strong adversary case) hold and
we can show that reliable transmission is impossible.
R EFERENCES
[1] BK Dey, S Jaggi, and M Langberg. Codes against online adversaries,
part i: Large alphabets. IEEE Transactions on Information Theory,
59(6):3304–3316, 2013.
[2] S. Jaggi, M. Langberg, T. Ho, and M. Effros. Correction of adversarial
errors in networks. In Proceedings of International Symposium in
Information Theory (ISIT 2005), pages 1455–1459, Adelaide, Australia,
2005.
[3] Sidharth Jaggi and Michael Langberg. Network security. In Muriel
Médard and Alex Sprintson, editors, Network Coding: Fundamentals
and Applications. Academic Press, 2012.
[4] S. Kim, T. Ho, M. Effros, and S. Avestimehr. New results on
network error correction: capacities and upper bound. In Proceedings
of Information Theory and Applications Workshop, UCSD, San Diego,
CA, 2010.
[5] A. Lapidoth and P. Narayan. Reliable communication under channel
uncertainty. IEEE Transactions on Information Theory, 44(6):2148–
2177, October 1998.
[6] Chi-Kin Ngai and Raymond W Yeung. Secure error-correcting (sec)
network codes. In Network Coding, Theory, and Applications, 2009.
NetCod’09. Workshop on, pages 98–103. IEEE, 2009.
[7] L. H. Ozarow and A. D. Wyner. Wire-tap channel II. In Proc.
EUROCRYPT 84 workshop on Advances in cryptology: theory and
applicationof cryptographic techniques, pages 33–51, New York, NY,
USA, 1985. Springer-Verlag New York, Inc.
[8] I. Reed and G. Solomon. Polynomial codes over certain finite fields.
Journal of the Society for Industrial and Applied Mathematics, 8(2):300–
304, 1960.
[9] M. Effros S. Kim, T. Ho and S. Avestimehr. Network error correction
with unequal link capacities. In Proceedings of 47th Annual Allerton
Conference on Communication, Control, and Computing, Monticello,
IL, 2008.
[10] D. Silva and F. R. Kschischang.
On metrics for error correction in network coding. IEEE Transactions on Information Theory,
55(12):5479ÃŘ–5490, 2009.
[11] Richard C. Singleton. Maximum distance q -nary codes. Information
Theory, IEEE Transactions on, 10(2):116–118, Apr 1964.
[12] H. Yao, D. Silva, S. Jaggi, and M. Langberg. Network codes resilient
to jamming and eavesdropping. In Proc. Workshop on Network Coding
Theory and Applications, Toronto, Canada, June 9–11 2010.