Available online at www.sciencedirect.com
Electronic Notes in Discrete Mathematics 57 (2017) 199–204 www.elsevier.com/locate/endm
Anonymous Coherent Network Coding Against Eavesdropping and Jamming
Oksana Trushina, Ernst Gabidulin
Department of Radio Engineering and Cybernetics, Moscow Institute of Physics and Technology, Moscow, Russian Federation
Abstract
This paper considers a problem of anonymous transmission against eavesdropping and jamming in coherent network coding. We propose an information-theoretical message unlinkability scheme based on coset coding. We show that if an incoming message is transformed to another message of the same coset by adding a random codeword then the incoming and outgoing messages are statistically independent and consequently, unlinkable.
Keywords: Anonymity, Network Coding, Coset Coding.
1 Introduction
An anonymous coherent network coding method against eavesdropping was described in [6]. This work addresses the problem of guaranteeing anonymity in a coherent network coding system against both eavesdropping and jamming.
Supported in part by the Russian Foundation for Basic Research, project № 15-07-08480.
http://dx.doi.org/10.1016/j.endm.2017.02.033 1571-0653/© 2017 Elsevier B.V. All rights reserved.
O. Trushina, E. Gabidulin / Electronic Notes in Discrete Mathematics 57 (2017) 199–204
Network coding [1] is a new idea of information transmission. Different network coding scenarios and network coding schemes providing secrecy of message content are widely studied. The other important information security issue is anonymity. In this work, we say that a transmission is anonymous if an adversary cannot determine who communicates with whom. The task is to guarantee that message forwarding is untraceable. A primary goal is to provide bitwise unlinkability, or simply unlinkability. Unlinkability guarantees that incoming and outgoing messages "look" different, so an adversary cannot correlate incoming and outgoing messages just by comparing the symbols composing them.

We consider linear coherent network coding. The relay nodes transmit linear combinations of incoming packets with coefficients specified in advance. These coefficients form a coding vector. The linear dependence between incoming and outgoing packets may be used by an adversary to determine who sends a message to whom. Consider a toy example (Fig. 1). There are two source nodes $S_1$ and $S_2$ and two sink nodes $D_1$ and $D_2$. Node $S_1$ sends a message containing two packets $a, b$ to node $D_1$, while node $S_2$ sends packets $c, d$ to node $D_2$. The coding vectors and corresponding linear combinations are pictured in the figure. An adversary may eavesdrop all incoming links of node $r$, obtaining packets $a + b$, $a + 2b$ from $S_1$ and $c + 3d$, $2c + d$ from $S_2$. On eavesdropping link $r \to D_1$ the adversary obtains the message $5a + 7b$. The link $r \to D_1$ has coding vector $(3, 2)$. The adversary can see that $3(c + 3d) + 2(2c + d) \neq 5a + 7b$, while $3(a + b) + 2(a + 2b) = 5a + 7b$. This provides the adversary with convincing evidence that node $D_1$ is a sink node for node $S_1$.

The most straightforward way to provide unlinkability is encryption. The pioneering work on anonymous transmission [2], which evolved into the famous Onion Routing, is based on encryption. We propose a scheme that provides unlinkability based on the coset coding idea. Coset coding allows us to change an incoming message in a very simple and elegant way so that the outgoing message "looks" very different. In particular, the incoming and outgoing messages are statistically independent. So we propose an information-theoretical model of anonymity, in contrast to the computational model based on encryption.
2 Preliminaries
2.1 Network Model
A network is represented by a directed multigraph with error-free unit-capacity edges. There are several source nodes and several destination nodes. Data is transferred over the network in packets. A packet is a vector of length $m$ over a finite field $\mathbb{F}_q$. The network nodes exchange messages represented as matrices. An information message $\mathbf{S} \in \mathbb{F}_q^{k \times m}$ is a matrix of $k$ packets and is encoded to a message $\mathbf{X} \in \mathbb{F}_q^{n \times m}$ of $n \le m$ packets. A relay node receives the message $\mathbf{Y} = A\mathbf{X}$, where $A \in \mathbb{F}_q^{n \times n}$, $\mathrm{Rk}\,A = n$, is a matrix of coding vectors, or a transfer matrix. It is convenient to describe the coding process in terms of operations in the extension field $\mathbb{F}_{q^m}$. Given some basis $\Omega$ of the extension field $\mathbb{F}_{q^m}$ over the field $\mathbb{F}_q$, the messages $\mathbf{S}, \mathbf{X}$ can be described as vectors $\mathbf{S}\Omega = S \in \mathbb{F}_{q^m}^{k}$, $\mathbf{X}\Omega = X \in \mathbb{F}_{q^m}^{n}$, and $Y = AX$.

Fig. 1. Example of coherent network coding
Fig. 2. Example of network structure

2.2 Adversary Model
An external local active adversary is considered. We consider the adversary's features one by one. First, "external" means that all relay nodes are assumed to be trusted. Second, "local" means that the adversary cannot eavesdrop all links of an intermediate node, but only up to $\mu$ input links and up to $\mu$ output links. This is quite realistic due to the geographic and jurisdictional diversity of a network. Consider an example (Fig. 2). An adversary wants to eavesdrop the input and output links of node $R$. Node $R$ belongs to local network LAN4, which is beyond the scope of adversary control, as is LAN3. The adversary has access to links inside LAN1 and LAN2. Consequently, the adversary can eavesdrop two input links $l_1, l_2$ and two output links $l_5, l_6$. Such an adversary can be modeled as two collaborating adversaries, one acting inside LAN1 and the other inside LAN2. Finally, "active" means that the adversary can inject its own packets. An adversary is assumed to inject up to $t$ packets in the whole network.
2.3 Source Coding
The main idea of coset coding [4] is to map an information message not to a particular codeword but to a coset of the code, in fact to the syndrome associated with the coset. A random word of the coset is then passed into the network. The maximum security rate is known to be achieved when the code is a maximum distance code. A message is perfectly secure if an adversary eavesdrops a number of packets not greater than the size of the information set of the code. The actions of an active adversary can be considered as transmission with errors. An explicit coset coding scheme for erroneous transmission is proposed in [5]. This scheme uses codes $C_1$ and $C_2$, which are a pair of nested rank metric codes $C_2 \subset C_1$. Code $C_1$ is an $(n, k + \mu)$ maximum rank distance (MRD) code with a generator matrix $G_1 \in \mathbb{F}_{q^m}^{(k+\mu) \times n}$. Code $C_2$ is an $(n, \mu)$ MRD code with a generator matrix $G_2 \in \mathbb{F}_{q^m}^{\mu \times n}$. $C_1$ is a Gabidulin code [3], which guarantees that any $\mu$ consecutive rows of the generator matrix form the generator matrix of a subcode, so that $G_1 = \begin{bmatrix} \Delta G_1 \\ G_2 \end{bmatrix}$. An information message $S \in \mathbb{F}_{q^m}^{k}$ can be encoded to $X \in \mathbb{F}_{q^m}^{n}$ as

$$X = G_1^{\top} \begin{bmatrix} S \\ V \end{bmatrix} = \begin{bmatrix} \Delta G^{\top} & G_1^{\top} \end{bmatrix} \begin{bmatrix} 0 \\ S \\ V \end{bmatrix} = T \begin{bmatrix} S' \\ V \end{bmatrix} = \begin{bmatrix} \Delta G^{\top} & \Delta G_1^{\top} & G_2^{\top} \end{bmatrix} \begin{bmatrix} S' \\ V \end{bmatrix}$$
$$= \Delta G^{\top} 0 + \Delta G_1^{\top} S + G_2^{\top} V = \begin{bmatrix} \Delta G^{\top} & \Delta G_1^{\top} \end{bmatrix} S' + G_2^{\top} V.$$

The matrix $\Delta G$ is such that the matrix $T \in \mathbb{F}_{q^m}^{n \times n}$ is invertible; $V \in \mathbb{F}_{q^m}^{\mu}$ is uniformly distributed and independent of $S$. The vector $S'$ is a syndrome of code $C_2$ and $G_2^{\top} V$ is a random vector of code $C_2$. So $X$ is a random vector of the coset of $C_2$ defined by the syndrome $S'$. If an adversary eavesdrops up to $\mu$ packets, it is impossible to determine the message $S$. If the rank distance of code $C_1$ satisfies $d_R(C_1) \ge 2t + 1$, then up to $t$ errors can be corrected.
3 Unlinkability
Let $X^{in} = X$. Consider the vector

$$X^{out} = X^{in} + G_2^{\top} V' = \begin{bmatrix} \Delta G^{\top} & \Delta G_1^{\top} \end{bmatrix} S' + G_2^{\top} (V + V'), \qquad (1)$$

where $V'$ is uniformly distributed over $\mathbb{F}_{q^m}^{\mu}$ and independent of $X^{in}$. Vector $X^{out}$ belongs to the same coset as $X^{in}$ does, thus it transmits the same information. Equation (1) defines a basic operation providing unlinkability.

Lemma 3.1 Given $S'$, $X^{out}$ is uniform and independent of $X^{in}$.
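Proof. We need to prove that $H(X^{out} \mid X^{in} S') = H(X^{out} \mid S')$. According to [5], $H(X^{in} \mid S') = \mu$. Similarly, $H(X^{out} \mid S') = \mu$. Let

$$\mathcal{X}_{s',v} = \left\{ T \begin{bmatrix} s' \\ v \end{bmatrix} \;\middle|\; s' \in \mathbb{F}_{q^m}^{n-\mu},\ v \in \mathbb{F}_{q^m}^{\mu} \right\}, \qquad \mathcal{V}_{s',x} = \left\{ v \in \mathbb{F}_{q^m}^{\mu} \;\middle|\; T \begin{bmatrix} s' \\ v \end{bmatrix} = x,\ s' \in \mathbb{F}_{q^m}^{n-\mu},\ x \in \mathbb{F}_{q^m}^{n} \right\}.$$

Since $\mathrm{Rk}\,T = n$, then $|\mathcal{X}_{s',v}| = q^{m(n - \mathrm{Rk}(T))} = 1$ and $|\mathcal{V}_{s',x}| = 1$. In expanding $H(X^{in} X^{out} V V' \mid S')$ in two ways, we get

$$\underbrace{H(V \mid S')}_{=H(V)=\mu} + \underbrace{H(V' \mid S' V)}_{=H(V')=\mu} + \underbrace{H(X^{in} \mid S' V V')}_{\le \log_{q^m} |\mathcal{X}_{s',v}| = 0} + \underbrace{H(X^{out} \mid S' V V' X^{in})}_{=0}$$
$$= \underbrace{H(X^{in} \mid S')}_{=\mu} + H(X^{out} \mid S' X^{in}) + \underbrace{H(V \mid S' X^{in} X^{out})}_{\le \log_{q^m} |\mathcal{V}_{s',x}| = 0} + \underbrace{H(V' \mid V S' X^{in} X^{out})}_{=0},$$
$$H(X^{out} \mid S' X^{in}) = \mu. \qquad \square$$

Consider some relay node $i$. Let an adversary eavesdrop $\mu$ input links, obtaining $W^{in} = B^{in} X^{in}$, where $B^{in} \in \mathbb{F}_q^{\mu \times n}$ is a matrix of the coding vectors of the eavesdropped links. The matrix $B^{in}$ can be expressed as $B^{in} = E^{in} A_i$, $\mathrm{Rk}\,E^{in} = \mu$. The matrix $E^{in}$ defines which components of $A_i X^{in}$ are eavesdropped by the adversary. For example, if the length of $A_i X^{in}$ is equal to 3 and the adversary eavesdrops the first and third components of $A_i X^{in}$, then

$$E^{in} = \begin{bmatrix} 1 & 0 & 0 \\ 0 & 0 & 1 \end{bmatrix}.$$

The adversary uses other input links to inject error packets. Without loss of generality, we assume that the adversary injects the maximum available number of packets here, i.e. $t$ error packets. So the relay node receives a message $Y^{in} = A_i X^{in} + D_i Z$, where $D_i \in \mathbb{F}_q^{n \times t}$ is a transfer matrix of the malicious packets $Z \in \mathbb{F}_{q^m}^{t}$. On the assumption that the next relay node is $j$, the output message is $Y^{out} = A_{i-j}(A_i X^{out} + D_i Z)$, where $A_{i-j}$ is a transfer matrix from $i$ to $j$. The adversary eavesdrops $\mu$ output links, observing $W^{out} = E^{out} Y^{out}$, where $E^{out}$ is defined in the same way as $E^{in}$. The scheme is said to provide unlinkability if

$$I(W^{in}; W^{out} \mid S') = I(E^{in} A_i X^{in}; E^{out} Y^{out} \mid S') = 0. \qquad (2)$$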
Condition (2) is met if $I(A_i X^{in}; Y^{out} \mid S') = 0$. According to the data processing lemma, $I(A_i X^{in}; Y^{out} \mid S') \le I(A_i X^{in}; A_i X^{out} + D_i Z \mid S')$. Recall the well-known lemma stating that the sum of two independent random variables $x$ and $y$ from a finite field, where $x$ is uniformly distributed over the field, has uniform distribution and is independent of $y$. According to this lemma and Lemma 3.1, the vector $A_i X^{out} + D_i Z$ is uniform over the coset defined by syndrome $S'$ and independent of $A_i X^{in}$ regardless of the distribution of the malicious packets. Consequently, $I(A_i X^{in}; A_i X^{out} + D_i Z \mid S') = 0$.

Recall that the network nodes transmit matrices. A relay node converts an incoming message to vector form $\mathbf{Y}^{in} \Omega = Y^{in}$, chooses a random vector $V'$, prepares the output message as $Y^{out} = A_{i-j}(Y^{in} + A_i G_2^{\top} V')$ and transmits $\mathbf{Y}^{out} = Y^{out} \Omega^{\top} (\Omega \Omega^{\top})^{-1}$. There is no need for the relay nodes to decode and re-encode the incoming message. The transformation from $Y^{in}$ to $Y^{out}$ can be performed by a relay node with $O(nm^2)$ arithmetic operations in $\mathbb{F}_q$.
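Lemma 3.1 and the re-randomisation step of equation (1) can be checked exhaustively on a toy instance. The Python sketch below is an added example, not code from the paper: it assumes the prime field F_5 in place of F_{q^m} and a constructed Vandermonde matrix as T, so it illustrates only the coset argument (T invertible, V' uniform), not the rank-metric properties of Gabidulin codes.

```python
from collections import Counter
from itertools import product

P, N, MU = 5, 4, 2   # assumed toy parameters: field F_5, n = 4, mu = 2
# Constructed T: Vandermonde matrix, invertible over F_5 (distinct points 1..4).
T = [[pow(a, i, P) for i in range(N)] for a in range(1, N + 1)]
G2T = [row[N - MU:] for row in T]   # last mu columns of T play the role of G_2^T

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]

def encode(s_prime, v):
    """X = T [S'; V]: a word of the coset selected by the syndrome S'."""
    return matvec(T, list(s_prime) + list(v))

def rerandomize(x_in, v_new):
    """Equation (1): X_out = X_in + G_2^T V'."""
    return [(a + b) % P for a, b in zip(x_in, matvec(G2T, v_new))]

def syndrome(x):
    """Recover S' as the first n - mu coordinates of T^{-1} x (Gauss-Jordan mod P)."""
    a = [row[:] + [xi] for row, xi in zip(T, x)]
    for c in range(N):
        piv = next(r for r in range(c, N) if a[r][c])
        a[c], a[piv] = a[piv], a[c]
        inv = pow(a[c][c], -1, P)
        a[c] = [e * inv % P for e in a[c]]
        for r in range(N):
            if r != c and a[r][c]:
                f = a[r][c]
                a[r] = [(e - f * g) % P for e, g in zip(a[r], a[c])]
    return [row[N] for row in a][:N - MU]

def joint_counts(s_prime):
    """Count (X_in, X_out) pairs over every choice of V and V' for a fixed S'."""
    counts = Counter()
    for v, v_new in product(product(range(P), repeat=MU), repeat=2):
        x_in = encode(s_prime, v)
        x_out = rerandomize(x_in, v_new)
        assert syndrome(x_out) == list(s_prime)   # same coset, same information
        counts[(tuple(x_in), tuple(x_out))] += 1
    return counts

if __name__ == "__main__":
    c = joint_counts((0, 3))
    print(len(c), set(c.values()))
```

Every one of the 625 (X_in, X_out) pairs in the coset occurs exactly once, which is the uniform product distribution the lemma states: observing X_in gives no information about which word of the coset leaves the relay.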
4 Conclusion
In this paper, we have addressed the problem of anonymous transmission against eavesdropping and jamming in coherent network coding. We have proposed information-theoretical unlinkability scheme. The main tool we use is coset coding.
References
[1] Ahlswede, R., N. Cai, S.-Y. Li and R.W. Yeung, Network Information Flow, IEEE Trans. Inf. Theory. 46 (2000), 1204–1216.
[2] Chaum, D., Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms, Communications of the ACM. 24 (1981), 84–88.
[3] Gabidulin, E.M., Theory of Codes with Maximal Rank Distance, Probl. Inf. Trans. 21 (1985), 1–12.
[4] Ozarow, L.H., and A.D. Wyner, Wire-Tap Channel II, Advances in Cryptology. Proceedings of EUROCRYPT 84. 209 (2000), 33–50.
[5] Silva, D., and F.R. Kschischang, Universal Secure Error-Correcting Schemes for Network Coding, Proceedings of IEEE ISIT 2010. (2010), 2428–2432.
[6] Trushina, O.V., and E.M. Gabidulin, A new method for ensuring anonymity and security in network coding, Probl. Inf. Trans. 51 (2015), 75–81.