Secrecy and Robustness for Active Attack
in Secure Network Coding
Masahito Hayashia,b , Masaki Owaric , Go Katod and Ning Caie
a
Graduate School of Mathematics, Nagoya University
Centre for Quantum Technologies, National University of Singapore
c
Department of Computer Science, Faculty of Informatics, Shizuoka University
d
NTT Communication Science Laboratories, NTT Corporation
e
the School of Information Science and Technology, ShanghaiTech University
Email: [email protected], [email protected], [email protected] & [email protected]
arXiv:1703.00723v1 [cs.IT] 2 Mar 2017
b
Abstract—In the network coding, we discuss the effect by
sequential error injection to information leakage. We show that
there is no improvement when the network is composed of
linear operations. However, when the network contains non-linear
operations, we find a counterexample to improve Eve’s obtained
information. Further, we discuss the asymptotic rate in the linear
network under the secrecy and robustness conditions.
Index Terms—secrecy analysis, secure network coding, sequential injection, passive attack, active attack
I. I NTRODUCTION
Secure network coding offers a method securely transmitting information from the authorized sender to the authorized
receiver. Cai and Yeung [1] discussed the secrecy for the malicious adversary, Eve, wiretapping a subset EE of all channels
in the network. Using the universal hashing lemma [2], [3], [4],
the papers [5], [6] showed the existence of a secrecy code that
universally works for any types of eavesdroppers under the size
constraint of EE . Also, the paper [7] discussed construction
of such a code.
As another attack to information transmission via the network, the malicious adversary contaminates the communication by contaminating the information on a subset EA of all
channels in the network. Using the method of error correction,
the papers [8], [9], [10], [11] proposed a method to protect
the message from the contamination. The correctness of the
recovered message by the authorized receiver is called robustness. Now, for simplicity, we consider the unicast setting.
When the transmission rate from the authorized sender, Alice
to the authorized receiver, Bob is m0 and the rate of noise
injected by Eve is m1 , using the result of the papers [12],
[13] the paper [14] showed that there exists a sequence of
asymptotically correctable code with the rate m0 − m1 if the
rate of information leakage to Eve is less than m0 − m1 .
However, there is a possibility that the malicious adversary
makes a combination of eavesdropping and the contamination.
That is, contaminating a part of channels, the malicious adversary might improve the ability of eavesdropping. In this paper,
we discuss the secrecy when Eve eavesdrops the information
on the channels in EE , and adds artificial information to
the information on the channels in EA sequentially based on
the obtained information. We call such an active operation
a strategy. When EA = EE , under this assumption Eve is
allowed to arbitrarily modify the information on the channels
in EA sequentially based on the obtained information.
The aim of this paper is the following. Firstly, we show
that any strategy cannot improve Eve’s information when the
any operations in the network are linear. Then, to clarify the
necessity of the linearity assumption, we give a counterexample for the non-linear network, in which, there exists a
strategy to improve Eve’s information. This example shows
the importance of the assumption of the linearity. Also, when
the transmission rate from Alice to Bob is m0 , the rate of noise
injected by Eve is m1 , and the rate of information leakage to
Eve is m2 , we discuss a code satisfying the secrecy and the
robustness. In the asymptotic setting, we show the existence
of such a secure protocol with the rate m0 − m1 − m2 .
The remaining part of this paper is organized as follows.
Section II formulates our problem and shows the impossibility
of Eve’s eavesdropping under the linear network. Section III
gives a counterexample in the non-linear case. Section IV
discusses the asymptotic setting, and show the achievability
of the asymptotic rate m0 − m1 − m2 .
II. S ECRECY
IN FINITE - LENGTH SETTING
We consider the unicast setting. Assume that the authorized
sender, Alice, and the authorized receiver, Bob, are linked via
a network with the set of edges E, where the operations on
all nodes are linear on the finite filed Fq with prime power q.
3
and Bob receives
Alice inputs the input variable X in Fm
q
4
the output variable YB in Fm
.
We
also
assume that the
q
2
malicious adversary, Eve, wiretaps the information YE in Fm
q
on the edges of a subset EE ⊂ E. Now, we fix the topology
and dynamics (operations on the intermediate nodes) of the
network. When we assume all operations on the intermediate
m4 ×m3
3
nodes are linear on Fm
q , there exist matrices KB ∈ Fq
m2 ×m3
and KE ∈ Fq
such that the variables X, YB , and YE
satisfy their relations
YB = KB X,
YE = KE X.
(1)
That is, the matrices KB and KE are decided from the network
topology and dynamics. We call this attack the passive attack.
To address the active attack, we consider stronger Eve, i.e.,
1
we assume that Eve adds an error Z in Fm
on the edges
q
4 ×m3
of a subset EA ⊂ E. Using matrices HB ∈ Fm
and
q
m2 ×m1
, we rewrite the above relations as
HE ∈ F q
YB = KB X + HB Z,
YE = KE X + HE Z,
(2)
(3)
which is called the wiretap and addition model.
Now, to consider the time ordering among the edges in E,
we assign the numbers to all elements of E such that E =
{e(1), . . . , e(k)}. We assume that the information transmission
on each edge is done with this order. In this representation, the
elements of Z and YE are arranged in this order. Hence, the
elements of the subsets EE and EA are expressed as EE =
{e(ζ(1)), . . . , e(ζ(m2 ))} and EA = {e(η(1)), . . . , e(η(m1 ))}
by using two strictly increasing functions ζ and η. The
causality yields that
HE;j,i = 0 when η(i) ≥ ζ(j).
(4)
It is natural that Eve can choose the information to be added
in the edge e(i) ∈ EA based on the information obtained
previously on the edges in the subset {e(ζ(j)) ∈ EE |ζ(j) ≤
η(i)}. That is, the added error Z is given as a function α
of YE , which can be regarded as Eve’s strategy. We call this
attack the active attack with the strategy α.
Now, we consider the n-transmission setting, in which,
Alice uses the same network n times to send the message
to Bob. Alice’s input variable (Eve’s added variable) is given
as a matrix X n ∈ Fqm3 ×n (a matrix Z n ∈ Fqm1 ×n ), and Bob’s
(Eve’s) received variable is given as a matrix YBn ∈ Fqm4 ×n
(a matrix YEn ∈ Fqm2 ×n ). We assume that the topology and
dynamics of the network and the edge attacked by Eve are
not changed during n transmissions. Their relation is given as
YBn = KB X n + HB Z n ,
YEn = KE X n + HE Z n .
(5)
(6)
To discuss the secrecy, we formulate a code. Let M and
L be the message set and the set of values of the scramble
random number. Then, an encoder is given as a function φn
from M × L to Fqm3 ×n , and the decoder is given as ψn from
Fqm4 ×n to M. Our code is the pair (φn , ψn ), and is denoted
by Φn . Then, we denote the message and the scramble random
number by M and L. The cardinality of M is called the size
of the code and is denoted by |Φn |.
Here, we treat KB , KE , HB , HE as deterministic values,
and denote the pairs (KB , KE ) and (HB , HE ) by K and
H, respectively. In the following, we fix Φn , K, H, α. As
a measure of the leaked information, we adopt the mutual
information I(M ; YEn , Z n ) between M and Eve’s information
YEn and Z n Since the variable Z n is given as a function of
YEn , we have I(M ; YEn , Z n ) = I(M ; YEn ). Since the leaked
information is given as a function of Φn , K, H, α in this
situation, we denote it by I(M ; YEn )[Φn , K, H, α]. When we
always choose Z n = 0, the attack is the same as the passive attack. This strategy is denoted by 0. When K, H are treated as
random variables independent of M, L, the leaked information
is given as the expectation of I(M ; YEn )[Φn , K, H, α]. This
probabilistic setting expresses the situation that Eve cannot
necessarily choose her position to attack by herself while she
knows the position, and chooses her strategy dependently of
the position.
Now, we have the following theorem.
Theorem 1. For any Eve’s strategy α, Eve’s information YEn
with strategy α and that with strategy 0 can be simulated by
each other. Hence, we have the equation
I(M ; YEn )[Φn , K, H, 0] = I(M ; YEn )[Φn , K, H, α].
(7)
This theorem shows that the information leakage of the
active attack with the strategy α is the same as the information
leakage of the passive attack. Hence, to guarantee the secrecy
under an arbitrary active attack, it is sufficient to show the
secrecy under the passive attack.
n
Proof. We define two random variables YE,p
:= KE X n and
n
n
n
n
YE,a := KE X + HE Z . Eve can simulate her outcome YE,a
n
n
under the strategy α from YE,p , HE , and Z . So, we have
n
n
n
I(M ; YE,p
) ≥ I(M ; YE,a
, Z n ) = I(M ; YE,a
). Conversely,
n
n
since YE,p is given as a function of YE,a , Z n , and HE , we
have the opposite inequality.
Remark 1 (Number of choices). To compare the passive
attack with the active attack, we count the number of choices
of both attacks. In the passive attack, when we fix the rank of
KE (the dimension of leaked information), by taking account
into the equivalent class, the number of the possible choices is
upper bounded by q m2 (m3 −m2 ) . In the active attack case, this
calculation is more complicated. For simplicity, we consider
the case with n = 1. Now, we do not count the choice for the
inputs on the edge η(i) with η(i) ≥ ζ(m2 ) because it does not
effects Eve’s information. Then, even when we fix the matrices
KE , HE , the number of choices of α is
q
P
i:η(i)<ζ(m2 )
q Ti
(8)
,
where Ti := max{j|η(i) ≥ ζ(j)}. Notice that Ti = i when
EA = EE . If we count
the choice on the remaining edges, we
P
Ti
i:η(i)≥ζ(m2 ) q
on (8). For general n, the
need to multiply q
number of choices of α is
qn
P
i:η(i)<ζ(m2 )
qnTi
.
(9)
Remark 2 (Wiretap and Replacement). The above analysis
discusses the case when Eve adds the error Z. However, Eve
might replace the information on the edges in EA by another
elements U , which is called the wiretap and replacement
model. This situation has different network structure. By using
′
′
′
′
matrices KB
, KE
, HB
and HE
different from KB , KE , HB
and HE , the observations YB and YE are given as
′
′
YB = KB
X + HB
U,
′
′
YE = KE X + HE U.
(10)
(11)
However, when the set EA is the same as the set EE , it is
allowed to employ the original model (2) and (3) because any
strategy with the model (10) and (11) can be written as a
strategy with the original model (2) and (3).
Remark 3. Theorem 1 discusses the unicast case. It can be
trivially extended to the multicast case because we do not
discuss the decoder. It also can be extended to the multiple
unicast case, in which, there are several pairs of sender
and receiver. When there are k pairs in this setting, the
random variables M and L have the forms (M1 , . . . , Mk ) and
(L1 , . . . , Lk ). So, we can apply the discussion of Theorem 1.
III. N ON - LINEAR COUNTER EXAMPLE
To clarify the impossibility of Theorem 1 under the nonlinear network, we show a counter example composed of nonlinear operations. We consider the network given in Fig. 1,
whose edges are E = {e(1), e(2), e(3), e(4)}. Each edge e(i)
is assumed to send the binary information Yi . The intermediate
node makes the non-linear operation as
Y3 := Y1 (Y2 + Y1 ),
Y4 := (Y1 + 1)(Y2 + Y1 ).
e(1)
e(3)
e(2)
e(4)
(12)
(13)
Alice
Bob
To send the binary information M ∈ F2 , we prepare the
binary uniform scramble random variable L ∈ F2 . We consider
the following code. The encoder φ is given as
Y2 := M + L.
(14)
The decoder ψ is given as ψ(Y3 , Y4 ) := Y3 + Y4 .
Since Y3 and Y4 are given as follows under this code;
Y3 := LM,
Y4 := LM + M,
(15)
the decoder can recover M nevertheless the value of L.
Now, we consider the leaked information for the passive
attack. Eve is allowed to attack two edges of E except for the
pairs {e(1), e(2)} and {e(3), e(4)}. The mutual information
of these cases are calculated to
Y1 := M + L,
Y2 := L.
(18)
Replacing M + L by L, the analysis can be reduced to the
presented analysis. Other encoders clearly leaks the message
M to e(1) or e(2).
In this model, Eve can perfectly contaminates the message
M . When Eve take the choice (i), and replace Y3 by Y3 + 1,
Bob’s decoded message is M + 1. Under the choice (ii), Eve
can perfectly contaminates the message M in a similar way.
Next, under the same assumption as Section II, we consider
the asymptotic setting by taking account into robustness as
well as secrecy. We have assumed that the topology and
dynamics of network and the edge attacked by Eve are not
changed during n transmission. Now, we assume that Eve
knows these matrices and Alice and Bob know none of them
because Alice and Bob often do not know the topology and
dynamics of the network the edge attacked by Eve.
When Eve adds the error Z n , there is a possibility that
Bob cannot recover the original information M . This problem
is called the robustness, and may be regarded as a kind
of error correction. Under the conventional error correction,
the error Z n is treated as a random variable subject to the
uniform distribution. However, our problem is different from
the conventional error correction. Since the decoding error
probability depends of the strategy α. So, we denote it by
Pe [Φn , K, H, α]. In the following, we assume that
rank KB = m0
I(M ; Y1 , Y3 ) = I(M ; Y1 , Y4 )
=I(M ; Y2 , Y3 ) = I(M ; Y2 , Y4 ) =
Remark 4. Our analysis covers the optimal codes. As another
encoder, we can consider
IV. A SYMPTOTIC SETTING
Fig. 1. Non-linear network.
Y1 := L,
When EA = EE = {e(1), e(3)}, Eve replaces Y1 by
1. Then, I(M ; Y1 , Y3 ) = 1 because Y3 +Y1 +1 = M .
(ii)
When EA = EE = {e(1), e(4)}, Eve replaces Y1 by
0. Then, I(M ; Y1 , Y3 ) = 1 because Y4 + Y1 = M .
(iii) When EA = EE = {e(2), e(3)} or {e(2), e(4)}, Eve
has no good active attack.
To see the difference from the linear case, we adopt a weak
secrecy criterion in this section. When YE is Eve’s information
and I(M ; YE ) < 1 for all of Eve’s possible attack, we say that
the code is secure. Otherwise, it is called insecure.
When Eve is allowed to use the above passive attack, (16)
shows that the code is secure. When Eve is allowed to use the
above active attack, the above calculation shows that the code
is insecure. Therefore, this example is a counter example of
Theorem 1.
(i)
1
,
2
d1 (M |Y1 , Y3 ) = d1 (M |Y1 , Y4 )
(16)
1
.
(17)
2
In this section, we choose the base of the logarithm to be 2.
Now, we consider the active attack with EA = EE of the
above four cases.
=d1 (M |Y2 , Y3 ) = d1 (M |Y2 , Y4 ) =
(19)
as well as (4). Since any algebraic operation on the finite field
Fq can be regarded as an algebraic operation on t-dimensional
algebraic extension Fq′ of the finite field Fq , where q ′ = q t .
So, the matrices KB , HB , KE , HE on Fq can be regarded as
matrices on Fq′ . By choosing n to be tn′ , the matrices X n ,
n′
n′
n′
YBn , YEn , Z n on Fq is converted to matrices X ′ , YB′ , YE′ ,
n′
Z ′ on Fq′ , which also satisfy (5) and (6) by regarding the
same matrices KB , HB , KE , HE on Fq as matrices on Fq′ .
Proposition 1 ([14], [12], [13]). Assume that m2 + m1 <
m0 . When the size q ′ of the finite field increases such ′that
m
m +1
log n
⌉.),
n′ 0 = o(q ′ ), (e.g., q ′ = n′ 0 , i.e., t = ⌈ (m0 +1)
log q
there exists a sequence of codes Φn′ ′of block-length n′ on
k
finite field Fq′ whose message set is Fq′n′ such that
for any x ∈ X and y ∈ Y.
For s ∈ (0, 1], we define the conditional Rényi entropy
H1+s (X|Z) for the joint distribution PXZ as [4]
X
X
−1
log
PZ (z)
PX|Z (x|z)1+s , (28)
H1+s (X|Z) :=
s
k′ ′
lim n′ = m0 − m1
n→∞ n
lim max max Pe [Φn , K, H, α] = 0
↑
which is often denoted by H1+s
(X|Z) in [16], [17]. When X
obeys the uniform distribution, we have
n→∞ K,H
α
(20)
(21)
where the maximum is taken with respect to
2 ×m3
(KB , HB , KE , HE ) ∈ Fqm4 ×m3 × Fqm4 ×m1 × Fm
×
q
m2 ×m1
with (4) and (19).
Fq
The optimality of the rate m0 − m1 was also shown in [18],
[19]. Proposition 1 requires the finite field Fq with infinitely
large. The paper [15, Appendix D] discussed the construction
of F2t whose multiplication and inverse multiplication have
calculation complexity O(t log t)1 .
log n′
⌉ and ln′ := tn′ n′ ,
By choosing tn′ = ⌈ (m0 +1)
log q
Proposition 1 can be rewritten as follows.
Corollary 1. Assume that m2 + m1 < m0 . There exists a
sequence of codes Φln of block-length ln on finite field Fq
whose message set is Fkq n such that
lim
kn
n→∞ ln
= m0 − m1
(22)
lim max max Pe [Φn , K, H, α] = 0,
n→∞ K,H
α
(23)
where the maximum is taken in the same way as Proposition
1.
Combining Theorem 1 and Corollary 1, we obtain the
following theorem.
Theorem 2. Assume that m2 + m1 < m0 . There exists a
sequence of codes Φn of block-length ln on finite field Fq
whose message set is Fkq n such that
lim
kn
= m0 − m1 − m2
(24)
lim max max Pe [Φn , K, H, α] = 0
(25)
lim max max I(M ; YEn )[Φn , K, H, α] = 0,
(26)
n→∞ ln
n→∞ K,H
n→∞ K,H
α
α
where the maximum is taken in the same way as Proposition
1.
Before our proof, we prepare basic facts of informationtheoretic security. We focus on a random hash function fR
from X to Y with random variable R deciding the function
fR . It is called universal2 when
Pr{fR (x) = y} ≤
1 The
|Y|
|X |
(27)
multiplication of elements v and z of F2t is essentially given in
(124) of [15] by using the Fourier transform via the calculation on circulant
matrices. For the inverse multiplication of an element v of F2t , we calculate
F −1 [−F v.∗F z] instead of F −1 [F v.∗F z] in (124), where F is the discrete
Fourier transform.
z∈Z
x∈X
H1+s (X|Z) ≥ log
|X |
.
|Z|
(29)
Proposition 2. [2], [3][4, Theorem 1]
I(fR (X); Z|R) ≤
es log |Y|−H1+s (X|Z)
s
(30)
for s ∈ (0, 1].
Proof. We choose a sequence of codes {Φn =√(φn , ψn )}
given in Corollary 1. We fix k̄n := kn − m2 ln − ⌈ ln ⌉. Now,
we choose a universal2 linear random hash function fR from
Fkq n to Fk̄q n .
To make our code, we consider a virtual protocol as follows.
First, Alice sends her larger message M by using the code
Φn , and Bob recovers it. Second, Alice randomly chooses R
deciding the hash function fR and sends it to Bob via public
channel. Finally, Alice and Bob apply the hash function fR to
their message, and denote the result value by M̄ so that Alice
and Bob share the information M̄ with probability almost
close to 1.
Since the conditional mutual information between
M̄ and YEln depends on Φn , K, H, α, we denote
it by I(M̄ ; YEln |R)[Φn , K, H, α]. Theorem 1 shows
I(M̄ ; YEln |R)[Φn , K, H, α] = I(M̄ ; YEln |R)[Φn , K, H, 0],
which does not depend on KB , HB , HE and depends only
on KE . Now, we evaluate this leaked information via a
similar idea to the paper [5]. Since Inequality (29) implies
that H1+s (M |YEln ) ≥ (kn − ln m2 ) log q, Proposition 2 yields
that
ln
es(k̄n log q−H1+s (M|YE
s
I(M̄ ; YEln |R)[Φn , K, H, 0] ≤
√
))
q −s⌈ ln ⌉
q s(k̄n −kn +ln m2 )
≤
.
(31)
≤
s
s
We set s = 1. Since the number of matrices KE satisfying
rank KE = m1 is bounded by q m2 (m3 −m2 ) , Markov inequality guarantees that the inequality
√
I(M̄ ; YEln )[K, H, 0]|R=r ≤ q −⌈
ln ⌉+m2 (m3 −m2 )+1
(32)
holds for any matrix KE satisfying for any matrix KE ∈
2 ×m3
at least with probability 1− 1q . Therefore, there exists
Fm
q
a suitable hash function fr such that
√
I(M̄ ; YEln )[Φn , K, H, 0]|R=r ≤ q −⌈
ln ⌉+m2 (m3 −m2 )+1
,
which goes to zero as n goes to infinity because m2 (m3 −
m2 ) + 1 is a constant.
Now, we back to the construction of real √codes. We choose
m l +⌈ ln ⌉
, respectively.
the sets M and L to be Fk̄q n and Fq 2 n
Since the linearity and
the
surjectivity
of
f
r implies that
√
|fr−1 (x)| = q m2 ln +⌈ ln ⌉ for any element x ∈ M, we can
define the invertible function f¯r from M × L to the domain
of fr , i.e., Fkq n such that f¯r−1 (fr−1 (x)) = {x} × L for any
element x ∈ M. This condition implies fr ◦ f¯r (x, y) = x for
(x, y) ∈ M×L. Then, we define our encoder as φ̄n := φn ◦ f¯r ,
and the decoder as φ̄n := fr ◦ φn . The sequence of codes
{(φ̄n , ψ̄n )} satisfies the desired requirements.
Remark 5 (Efficient code construction). We discuss an efficient construction of our code from a code (φn , ψn ) given
in Corollary 1 with q = 2. A modified form of the Toeplitz
matrices is also shown to be universal2 , √
which is given by a
concatenation (T (S), I) of the (m2 ln + ⌈ ln ⌉) × k̄n Toeplitz
matrix T (S) and the k̄n × k̄n identity matrix I [15], where S is
the random seed to decide the Toeplitz matrix and belongs to
F2kn −1 . The (modified) Toeplitz matrices are particularly useful
in practice, because there exists an efficient multiplication
algorithm using the fast Fourier transform algorithm with
complexity O(ln log ln ).
When the random seed S is fixed, the encoder for
our code is given as follows. By √using the scramm l +⌈ ln ⌉)
, the encoder
ble random variable L ∈ F2 2 n
I −T (S) M because
φ̄n is given as φn
0
I
L
I −T (S)
(I, T (S))
= (I, 0). (The multiplication of
0
I
Toeplitz matrix T (S) can be performed as a part of circulant
matrix. For example, the reference [15, Appedix C] gives a
method to give a circulant matrix.). More efficient construction
for univeral2 hash function is discussed in [15]. So, the
decoder ψ̄n is given as YBln 7→ (I, T (S))ψn (YBln ).
Remark 6. If we do not apply Theorem 1 in (32), we have to
multiply the number of the choices of the strategy α. As the
generalization of (8), this number is given in (9), which glows
up double-exponentially. Hence, our proof of Theorem 2 does
not work without use of Theorem 1.
V. C ONCLUSION
We have discussed the effect by sequential error injection
to Eve’s obtained information. As the result, we have shown
that there is no improvement when the network is composed
of linear operations. However, when the network contains
non-linear operations, we have found a counterexample to
improve Eve’s obtained information. Further, we have shown
the achievability of the asymptotic rate m0 − m1 − m2 for
a linear network under the secrecy and robustness conditions
when the transmission rate from Alice to Bob is m0 , the rate
of noise injected by Eve is m1 , and the rate of information
leakage to Eve is m2 . The converse part of this rate is an
interesting open problem.
ACKNOWLEDGMENTS
The works reported here were supported in part by the JSPS
Grant-in-Aid for Scientific Research (C) No. 16K00014 and
(B) No. 16KT0017, the Okawa Research Grant and Kayamori
Foundation of Informational Science Advancement.
R EFERENCES
[1] N. C. N. Cai and R. Yeung, “Secure network coding,” Proc. 2002 IEEE
Int. Symp. Information Theory (ISIT 2002), Lausanne, Swiss, July 2002,
p. 323.
[2] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “Generalized
privacy amplification,” IEEE Trans. Inform. Theory, vol. 41, no. 6, pp.
1915–1923, (1995).
[3] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby, “A Pseudorandom
Generator from any One-way Function,” SIAM J. Comput. 28, 1364
(1999).
[4] M. Hayashi, “Exponential decreasing rate of leaked information in
universal random privacy amplification,” IEEE Trans. Inform. Theory,
vol. 57, no. 6, pp. 3989–4001, (2011).
[5] R. Matsumoto and M. Hayashi, “Secure Multiplex Network Coding,”
2011 International Symposium on Networking Coding (2011): DOI:
10.1109/ISNETCOD.2011.5979076.
[6] R. Matsumoto and M. Hayashi, “Universal Strongly Secure Network
Coding with Dependent and Non-Uniform Messages,” Arxiv preprint,
arXiv:1111.4174 (2011).
[7] J. Kurihara, R. Matsumoto, and T. Uyematsu, “Relative generalized rank
weight of linear codes and its applications to network coding,” IEEE
Trans. Inform. Theory, vol. 61, no. 7, pp. 3912–3936 (2013).
[8] R. W. Yeung and N. Cai, “Network error correction, part 1: Basic concepts and upper bounds,” Submitted to Communications in Information
and Systems (2006).
[9] N. Cai and R. W. Yeung, “Network error correction, Part 2: Lower
bounds,” Commun. Inf. and Syst., vol. 6, no. 1, pp. 37-54, (2006).
[10] T. Ho, B. Leong, R. Koetter, M. Médard, M. Effros, and D. R.
Karger, “Byzantine modification detection for multicast networks using
randomized network coding,” Proc. 2004 IEEE Int. Symp. Information
Theory (ISIT 2004), Chicago, IL, June/July 2004, p. 144.
[11] S. Jaggi, M. Langberg, T. Ho, and M. Effros, “Correction of adversarial
errors in networks,” Proc. 2005 IEEE Int. Symp. Information Theory
(ISIT 2005), Adelaide, Australia, Sept. 2005, pp. 1455-1459.
[12] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, and M. Médard,
“Resilient network coding in the presence of byzantine adversaries,” in
Proc. IEEE INFOCOM 2007, Anchorage, AK, May 2007.
[13] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, M. Medard, and
M. Effros, “Resilient Network Coding in the Presence of Byzantine
Adversaries,” IEEE Transactions on Information Theory, vol. 54, no. 6,
pp. 2596–2603, (2008).
[14] S. Jaggi and M. Langberg, “Resilient network coding in the presence
of eavesdropping byzantine adversaries,” Proc. 2007 IEEE Int. Symp.
Information Theory (ISIT 2007), Nice, France, June 2007, p. 541 – 545.
[15] M. Hayashi and T. Tsurumaru, “More Efficient Privacy Amplification
with Less Random Seeds via Dual Universal Hash Function,” IEEE
Transactions on Information Theory, vol. 62, no. 4, pp. 2213 – 2232,
(2016).
[16] M. Tomamichel, M. Berta, and M. Hayashi, “Relating different quantum
generalizations of the conditional Renyi entropy,” J. Math. Phys., vol.
55, no. 8, p. 082206, 2014.
[17] M. Hayashi and S. Watanabe. (2013). “Non-asymptotic and asymptotic
analyses of information processing on Markov chains,” Arxiv preprint,
arXiv:1309.7528, 2013.
[18] N. Cai and T. Chan, “Theory of Secure Network Coding,” Proceedings
of the IEEE, vol. 99, no. 3, pp 421-437 (2011).
[19] N. Cai and R. W. Yeung, “Secure Network Coding on a Wiretap
Network,” IEEE Transactions on Information Theory, vol. 57, no. 1,
pp. 424-435, (2011).