Secure Physical Layer Network Coding versus Secure Network Coding

When a network has relay nodes, there is a risk that a part of the information is leaked to an untrusted relay. Secure network coding (secure NC) is known as a method to resolve this problem, which enables the secrecy of the message when the message is transmitted over a noiseless network and a part of the edges or a part of the intermediate (untrusted) nodes are eavesdropped. If the channels on the network are noisy, the error correction is applied to noisy channels before the application of secure NC on an upper layer. In contrast, secure physical layer network coding (secure PLNC) is a method to securely transmit a message by a combination of coding operation on nodes when the network is composed of set of noisy channels. Since secure NC is a protocol on an upper layer, secure PLNC can be considered as a cross-layer protocol. In this paper, we compare secure PLNC with a simple combination of secure NC and error correction over several typical network models studied in secure NC.


Introduction
Wireless communication networks with relay nodes have a risk for information leakage to untrusted relays. To resolve this problem, several studies [1][2][3][4][5][6] considered the relay terminals untrustworthy based on the result of secure computation-and-forward (CAF) tests [7][8][9][10][11], which is the main topic of the secure extension of physical layer network coding (PLNC), in short, secure PLNC. However, this type of security can be realized by the secure extension of network coding (NC), in short, secure NC, which is an upper-layered protocol to securely transmit a message via a noiseless network when a part of the edges and/or a part of the intermediate (untrusted) nodes are eavesdropped [12][13][14][15][16][17]. Since a wireless channel is disturbed by noise, an error correction needs to be applied to the channel. Then, secure NC is applied to noiseless channels virtually implemented by an error correction. In other words, the error correction and secure NC are separately performed in the different layers under the above scenario. In contrast, since secure PLNC combines both parts, it can be considered as a cross-layer protocol. In order to clarify the advantage of this cross-layer protocol, it is needed to compare secure PLNC with a simple combination of secure NC and error correction over wireless channels, and this comparison has not been studied yet. That is, this type of comparison is strongly required in the viewpoint of wireless communication networks.
Secure PLNC is based on PLNC [18][19][20], which efficiently transmits the modulo sum of two transmitters' messages via a Gaussian channel. To guarantee the security, the preceding studies [7][8][9][10][11]21] invented a secure extension of PLNC, i.e., secure PLNC, which is a scheme to securely transmit a message by a combination of coding operations on nodes when the network is given as a set of noisy channels. Secure PLNC can be classified into two types. In the first case, secure NC is applied to the noiseless CAF process realized by PLNC. This method can be considered as a simple combination of secure NC and PLNC. The other type is a direct method to realize security in the PLNC. The typical example is secure CAF. The code of the latter type cannot be made by such a simple combination. All existing studies [7][8][9][10][11]21] belong to the latter case and address only a two-hop relay scheme or its simple extension, the multi-hop relay scheme, which are based on secure CAF to securely transmit the modulo sum of two input message when the channel is a noisy multiple access channel (MAC). Indeed, a secure NC can guarantee the secrecy for the eavesdropper that eavesdrops the channels. Several typical secure NCs cannot guarantee the secrecy when one of the intermediate (untrusted) nodes is eavesdropped. In this way, secure PLNC has an advantage under attacks on intermediate (untrusted) nodes.
However, the network models studied in secure NC are more advanced and more complicated, and no study discussed secure PLNC over such typical network models in secure NC. That is, the network models studied in secure PLNC is too limited and too primitive in the comparison with typical network models in secure NC. In other words, no prior study investigated the application of secure PLNC to such typical network models. In order for secure PLNC to overcome secure NC, we need to demonstrate that secure PLNC can be used in more advanced network models. At least, it is needed to study secure PLNC over typical network models in secure NC.
Since no existing paper has made the comparison between secure PLNC and the simple combination of secure NC and error correction, this paper aims to make this type of comparison under typical network models in secure NC. That is, this paper is the first study for secure PLNC over typical network models in secure NC, the butterfly network model and the network model composed of three source nodes under certain assumptions for the attack. Unfortunately, secure PLNC has a completely different mathematical structure from the simple combination of secure NC and error correction. Hence, it is quite difficult to construct a general theory to compare them. Due to this reason, we address two typical network models in the area of secure NC, the butterfly network [22] and a network with three source nodes, which is a special network model studied in [23].Then, we make the above comparison numerically over these two networks. Indeed, many existing studies [7][8][9][10][11] for secure PLNC employed lattice codes. Only the reference [21] studied it with BPSK modulation. Notice that the QPSK modulation can be considered as twice the use of the BPSK modulation.
For PLNC, references [24][25][26][27] discussed CAF based on lattice codes. Indeed, 2 n -phase shift keying (PSK) modulation works for practical systems such as conventional satellite communications with LDPC codes [28]. In addition, references [29,30] demonstrated the efficiency of the CAF scheme composed of binary LDPC codes under the BPSK modulation. Reference [31] compared the BPSK modulation and the method based on lattice codes for CAF. Hence, to adopt the existing communication system, we focus on the BPSK modulation.
Although, this paper is the journal version of the preceding conference paper [32], this paper is different from the conference version as follows. First, the conference version gave the secure NC protocol only when q is not a power of 2. This paper additionally gives the secure NC protocol when q is a power of 2 (not 2). This kind of extension enables us to consider the new protocol given in Section 3.3.2. Second, the conference version discussed only one type of secure NC protocol. This paper additionally considers another type of protocol in secure PLNC (See Sections 3.3.2 and 4.2.2). Totally, this paper discusses two types of protocols in secure PLNC. This additional protocol clarifies the merit of use of CAF. Third, the conference version compared the number of times slots only for two cases: secure NC without Gaussian MAC and secure PLNC with Gaussian MAC. Also, it did not considered the protocol in Sections 3.3.2 and 4.2.2. This paper additionally considers another case: secure NC with Gaussian MAC. Further, this version discussed the transmission time by considering the information transmission rate when the asymptotically best code is employed. To make this additional comparison, analytical discussions are newly made in this version by using the mutual information. Also, this version newly contains numerical graphs (Figures 3 and 5) for this comparison. Due to this additional comparison, we can compare the transmission time.
The rest of this paper is organized as follows. First, Section 2 reviews the results in CAF and secure CAF, which is a typical example of secure PLNC. Next, Section 3 considers how secure communication can be implemented over the butterfly network based on secure PLNC. Finally, Section 4 discusses how secure communication can be implemented over a network with three source nodes based on secure PLNC. That is, Sections 3 and 4 are devoted to our contribution.

CAF
As the first step, we review existing results for secure CAF. For this aim, we prepare an important notation. The symbol ⊕ expresses the arithmetic sum over a finite field, and the symbol + denotes the sum over the real numbers. A typical setting for secure CAF has two transmitters, V 1 and V 2 , and one receiver, R. Suppose that Transmitter V i has message M i ∈ F q , and Receiver R is linked by a (noisy) MAC that has two input variables from the two transmitters V 1 and V 2 . In this scheme, Receiver R is required to obtain the modulo sum M 1 ⊕ M 2 via the (noisy) MAC, as depicted in Figure 1. Many papers proposed a protocol for CAF over a Gaussian MAC. Suppose that the transmitter V i sends the complex-valued variable X i for i = 1, 2. When the channel fading coefficients are given as h 1 , h 2 ∈ C, Receiver R receives the complex-valued variable Y as: where N is a complex Gaussian random variable with zero mean and a variance of one. The remaining part of this section assumes multiple uses of the above Gaussian MAC. References [24,33,34] obtained an achievable rate under the energy constraint by using lattice codes. This rate is called the computation rate. Here, to seek a practical scheme, we consider the BPSK scheme, in which X i is coded to (−1) A i with A i ∈ F 2 . Hence, (1) can be rewritten as: The reference [35] showed that the rate I(Y; A 1 ⊕ A 2 ) Equation(2) is achieved when the task of CAF is imposed, where the mutual information is given by the independent and uniform random numbers A 1 and A 2 . (More precisely, the quantityI(Y; A 1 ⊕ A 2 ) Equation (2) is defined as the mutual information when A 1 and A 2 are independently subject to the uniform distribution. This rule will be applied later when the equation number such as Equation (2) is given as a subscript of a mutual information). Then, references [29,30] studied LDPC codes, in particular, spatial coupling LDPC codes and regular LDPC codes, to achieve this task under the BPSK scheme. In fact, the method introduced by references [29,30] can be efficiently implemented with a rate close to I(Y; A 1 ⊕ A 2 ) Equation (2) . Furthermore, the recent reference [36] studied its quantum extension.

Secure CAF
Next, we consider the secrecy condition for each message to Receiver R in addition to the correct decoding. This problem setting is called secure CAF. Here, Receiver R is required to obtain the modulo sum M 1 ⊕ M 2 while the variable Y in Receiver R's hand is required to be independent of M 1 and M 2 . References [7][8][9][10][11] proposed an approach using lattice codes. Using an efficiently implementable algebraic for CAF given in [29,30], the reference [21] proposed an efficiently implementable code for secure CAF. (Here, a code is called an algebraic code when the encoding map preserves algebraic operation. For example, Reed Solomon codes and LDPC codes are algebraic codes.) It also showed that the rate 2I(Y; (2) is achievable in the BPSK scheme ( [21], (29)), where the mutual information is given with the independent and uniform random numbers A 1 and A 2 . That is, when the channel (2) is prepared and Receiver R colludes with no transmitter, secure CAF guarantees no information leakage of each message to Receiver R while Receiver R can recover the sum M 1 ⊕ M 2 . In the code in [21], I(Y; A 1 ⊕ A 2 ) Equation (2) is the rate of CAF, and I(Y; A 1 , (2) is the rate of sacrifice bits for the privacy amplification. Hence, the achievable rate of secure CAF is the difference between these two rates.
In fact, all the references [7][8][9][10][11]21] for secure CAF addressed only the case when the number of transmitters is two. Only reference [37] addresses secure CAF when the number of transmitters is larger than two. Unfortunately, these existing studies proposed no application for secure CAF except for a secure two-way relay channel with untrusted relays. The remaining part of this paper discusses its further application.

Concrete Expressions for Mutual Information
In this paper, we employ mutual information I(Y; A 1 , Although their concrete descriptions were presented in ( [21], Section IV-A), we give these concrete descriptions here. Assume that φ a is the Gaussian distribution with average a and a variance of one. By using the differential entropy H, the mutual information I(Y; A 1 ⊕ A 2 ) Equation(2) is calculated as: when n → ∞, this value goes to log 2.
In addition, the mutual information I(Y; A 1 , A 2 ) Equation(2) is calculated as: when n → ∞, this value goes to 3 2 log 2.

Conventional Protocol
A typical method for NC is the butterfly NC [22], which efficiently transmits information in the crossing way as explained in Figure 2. The goal of this problem setting is composed of the following two requirements: One is the reliable transmission of the message M 1 from V 1 to V 6 , and the other is the reliable transmission of the message M 2 from V 2 to V 5 . When each channel transmits only one element of F q , the bottleneck of this network is the channel e 3 from V 3 to V 4 . Here, no signal is transmitted between disconnected nodes. Hence, no cross talk occurs between disconnected nodes. However, cross talk occurs between e 5 and e 6 if the signal on e 5 is different from that on e 6 . Hence, if they are different, the transmission on e 5 has to be performed on a different time from the transmission on e 6 . However, when they are the same, these transmissions can be performed simultaneously. In this network model, only the node V 3 has a freedom to choose the transmitted information because other nodes receive only one information so that they have no other choice for the transmitted information except for transmitting the received information. To resolve the bottleneck in e 3 , the node V 3 transmits the modulo sum to the node V 4 via channel e 3 . Then, both destination nodes can recover their respective intended messages while the information transmission over e 3 is performed only once. That is, the destination node V 5 decodes the message M 2 from the received information

Secure NC
Under the network code given in Section 3.1, the node V 3 obtains both messages M 1 and M 2 . The destination node V 5 recovers the unintended message M 1 as well as the intended message M 2 , and the other destination node V 6 the unintended message M 2 as well as the intended message M 1 . Next, we impose the secrecy against an attack to one of the intermediate (untrusted) nodes. In other words, the information of all intermediate (untrusted) nodes are required to be independent of M 1 and M 2 , and the information of destination node V 5 (V 6 ) is required to be independent of the unintended message M 1 (M 2 ). This kind of secrecy can be realized under the following assumption. When messages M 1 and M 2 are elements of F q and q is not a power of 2 in the following way ( [38], Figure 2): (A1) Two source nodes V 1 and V 2 share a secret number L, when the information Z i transmitted on the edge e i is given as: whereM 2 (M 1 ) is the recovered message by V 5 (V 6 ). Any intermediate edge and any intermediate node obtain no information about the messages M 1 and M 2 . In addition, the destination node V 5 (V 6 ) obtains no information for the message M 1 (M 2 ) while it obtains the message M 2 (M 1 ). Hence, this code guarantees the following types of security: (S1) When the eavesdropper attacks only one of the edges, she obtains no information for each message M i .
(S2) When the nodes do not collude, each node obtains no information for the unintended messages.
When q ≥ 4 is a power of 2, the above code can be modified as follows. We choose an element e ∈ F q such that e 2 ⊕ e = 0, i.e., e = 1, 0. Then, we define our code as: This modification realizes the required security in this case.

Use of Secure CAF
If no shared secret number is assumed between V 1 and V 2 , it is difficult to realize the type of secrecy for the butterfly network presented in Section 3.2 under the problem setting of secure NC. Then, we consider the following assumption: (A2) The pairs (e 1 , e 2 ), (e 4 , e 5 ), and (e 6 , e 7 ) are given as Gaussian MACs such as (2).
In the network model given in Figure 2, only the channel e 3 is a Gaussian channel with a single input. To achieve secrecy under the assumption (A2), we employ secure CAF in the Gaussian MACs appearing in this network model in the following way: In the Gaussian MAC (e 1 , e 2 ) at V 3 , the node V 3 receives only the information M 1 ⊕ M 2 . Then, the node V 3 forwards the received information to the node V 4 , and the node V 4 receives the information M 4 := M 1 ⊕ M 2 . In the Gaussian MAC (e 4 , e 5 ) at V 5 , the node V 5 receives only the information M 4 ⊕ (−M 1 ) = M 2 . In the same way, the node V 6 receives only the information M 4 ⊕ (−M 2 ) = M 1 . That is, we employ secure CAF in the three Gaussian MACs at V 3 , V 5 , and V 6 . In this way, these uses of secure CAF realize the security (S2) under this method.

Use of CAF
As another kind of secure PLNC, we attach the CAF to the decoding operations on nodes V 3 , V 5 , and V 6 in the protocol with q = 4 given in Section 3.2. In this protocol, an element of F 4 is regarded as a vector over the finite field F 2 . While this protocol saves the time, it still requires the secure shared randomness L. This protocol can be regarded as a simple combination of secure NC and PLNC.
The assumptions and the realized types of security are summarized in Table 1. Only the protocol given in Section 3.3.1 can realize security (S2) without requiring a secure shared randomness between two source nodes. This is a big advantage for secure PLNC.

Comparison
To implement the above discussed protocols as wireless communication networks, we compare the transmission rates of the protocols given in Sections 3.2 and 3.3 when each edge is given as the BPSK scheme of a two-input Gaussian channel as (2) or a single-input Gaussian channel: where h ∈ C are the channel fading coefficients, N is a complex Gaussian random variable with zero mean and a variance of one, and X is coded as (−1) A with A ∈ F 2 . Hence, (16) is rewritten as: In this comparison, for simplicity, we assume that h 1 = h 2 = h. We assume that T is the time period of transmitting one Gaussian signal on each edge. Additionally, we assume that ideal codes are available as follows. The mutual information rate I(Y; A) Equation (16) is achievable over the channel (16), the rate I(Y; A 1 ⊕ A 2 ) Equation (2) is achievable for CAF in the channel (2), and the rate 2I(Y; (2) is available for secure CAF in the channel (2). Notice that the relation I(Y; A 2 |A 1 ) Equation(2) = I(Y; A 1 |A 2 ) Equation (2) holds in this case. In addition, the mutual information rate pair (I(Y; A 1 A 2 ) Equation(2) /2, I(Y; A 1 A 2 ) Equation(2) /2) is available in the MAC channel (2) when both transmitters intend to send their own message to the receiver. (Generally, the symmetric rate (I(Y; A 1 , A 2 )/2, I(Y; A 1 , A 2 )/2) is achievable when the symmetric rate (I(Y; A 1 , A 2 )/2, I(Y; A 1 , A 2 )/2) belongs to the interval between (I(Y; A 1 ), I(Y; A 2 |A 2 )) and (I(Y; A 1 |A 2 ), I(Y; A 2 )). Our case with h 1 = h 2 = h satisfies this condition.) In the above discussion, the random variables A 1 , A 2 , and A are subject to the uniform distribution independently.
The secure NC protocol given in Section 3.2 needs to avoid a crossed line when Gaussian MAC is not used. Now, we consider how much time is needed for this protocol. In this protocol, we need to repeat several processes, each of which is composed of the encoding, wireless communication, and decoding. In the protocol given in Section 3.2, the first step can make the simultaneous transmissions on e 1 and e 4 . However, the simultaneous transmission on e 1 cannot be performed simultaneously in order to avoid the cross line on the receiving on V 3 . Hence, the second step makes the simultaneous transmissions on e 2 and e 7 . We say that the time period for the first step is the time slot of Time i, and the time period for the second step is the time slot of Time ii. That is, each time span for the process composed of the encoding, wireless communication, and decoding is called a time slot. Now, to evaluate the required number of time slots, we assume that all players have only one transmitting antenna, which can broadcast the transmitting signal. Then, we find that the whole network has five time slots at least as presented in Table 2. When the length of the transmitted message is G, the transfer time for each time slot is GT I(Y;A) Equation (16) . Therefore, the total transfer time in this case is calculated to be 5GT I(Y;A) Equation (16) . When we use the Gaussian MAC, the secure NC protocol given in Section 3.2 can be implemented with three time slots as Table 3 because V 4 broadcasts the information to e 5 and e 6 . When the length of the transmitted message is G, the first time slot requires transfer time 2GT I(Y;A 1 ,A 2 ) Equation (2) , and the second and third time slots require transfer time GT I(Y;A) Equation (16) . Hence, the total transfer time is calculated to be 2GT I(Y;A) Equation(16) . When we design the whole process as in Table 4, the first and third time slots require transfer time 2GT I(Y;A 1 ,A 2 ) Equation (2) , and the second time slot requires transfer time GT I(Y;A) Equation (16) . Hence, the total transfer time is (2) , which is larger than (16) . Table 3. Secure NC with Gaussian MAC.

Time Slot Time i Time ii Time iii
Channel (e 1 , e 2 ) e 3 , e 4 , e 7 e 5 , e 6 (e i , e j ) expresses a Gaussian MAC composed of the joint transmission on the edges e i and e j .
The secure PLNC protocol given in Section 3.3.1 can be performed only with three time slots as in Table 4, where the pairs (e 1 , e 2 ), (e 4 , e 5 ), and (e 6 , e 7 ) are realized by secure CAF based on the Gaussian MAC channel (2). The first and third time slots require transfer time GT 2I(Y;A 1 ⊕A 2 ) Equation(2) −I(Y;A 1 ,A 2 ) Equation (2) , and the second time slot requires transfer time GT I(Y;A) Equation (16) . The total transfer time is calculated to be 2GT 2I(Y;A 1 ⊕A 2 ) Equation(2) −I(Y;A 1 ,A 2 ) Equation(2) + GT I(Y;A) Equation (16) . Secure PLNC protocol given in Section 3.3.2 can also be implemented only with three time slots as in Table 4. The first and third time slots require transfer time GT I(Y;A 1 ⊕A 2 ) Equation (2) , and the second time slot requires transfer time GT I(Y;A) Equation (16) . The total transfer time is calculated to be 2GT I(Y;A 1 ⊕A 2 ) Equation(2) + GT I(Y;A) Equation (16) . Table 4. Secure PLNC with Gaussian MAC.

Time Slot Time i Time ii Time iii
Channel (e 1 , e 2 ) e 3 (e 4 , e 5 ),(e 6 , e 7 ) Figure 3 gives the numerical comparison among the following time periods: (16) .
When h → ∞, these values converge to: respectively. The secure NC protocol given in Section 3.2 requires a shorter transfer time for the transmission than the secure PLNC protocol given in Section 3.3 in this comparison. Since the difference is not so extensive, the secure PLNC protocol given in Section 3.3.1 is useful when it is not easy to prepare secure shared randomness between two source nodes. In fact, when the direct communication between two distinct source nodes is not available, we often use the butterfly network. In this case, such a secure shared randomness requires an additional cost. However, the secure PLNC protocol given in Section 3.3.2 has no advantage over the secure NC protocol with the MAC channel. That is, a simple combination of secure NC and PLNC is not useful in this case.

Network with Three Source Nodes
Finally, we study the network topology shown in Figure 4 that is composed of three source nodes, S 1 , S 2 , and S 3 ; three intermediate nodes, I 1 , I 2 , and I 3 ; and one destination node, D. Its generalization was discussed as a multilayer network in the recent reference [23]. The goal of this network model is the secure transmission from the three source nodes to the destination node D when the source node S i is required to send an element M i ∈ F q to the destination node D.

Secure NC
As the first step, let us study the network with three sources under the framework of the secure NC. In Figure 4, every edge expresses a noiseless channel to transmit one element of F q . Here, we consider the following two security requirements: The following code satisfies Security (S3) when q is not a power of 2. This code uses 1/2, which cannot be allowed in finite field F q of a power q of 2. Notice that the

Security (S4)
To make a code satisfy Security (S4), we modify the above protocol as follows. The modified protocol uses the channels between the intermediate (untrusted) nodes and the destination node twice. In addition, it employs the channels between the source nodes and the intermediate (untrusted) nodes only once. Source node S i sends the scrambled variable L i to the intermediate (untrusted) node I i⊕1 via the edge e i . Each source node S i prepares the scrambled variable L i and sends the variable M i ⊕ (−L i ) to the intermediate (untrusted) node I i⊕(−1) via the edge e 3⊕i . Here, i ⊕ 1 and i ⊕ (−1) are regarded as elements of Z 3 . Each intermediate (untrusted) node sends both received variables to the destination node by using the channel twice. Then, the destination node D can recover the messages as: because the node D obtains information L 1 ,  (2).
That is, the eavesdropper is supposed to access only one of the information symbols at the intermediate (untrusted) nodes, which corresponds to Case 2 of Section 4.1. Then, using secure CAF [21], we construct our protocol.
As the first step, we discuss the case when q is not a power of 2. In the Gaussian MAC (e 1 , e 6 ), we employ secure CAF so that the node I 2 obtains the information symbol M 1 ⊕ M 3 . Similarly, I 1 and I 3 obtain the information symbol M 2 ⊕ M 3 and M 1 ⊕ M 2 , respectively. Hence, the information symbols at every intermediate (untrusted) node are independent of the messages M 1 , M 2 , and M 3 . In the next step, the intermediates (untrusted) nodes I 1 , I 2 , and I 3 transmit their received information symbols M 1 , M 2 , and M 3 to the destination node D via the Gaussian MACs with three input signals. Then, applying separate decoding, the destination node D recovers the information symbols M 1 , M 2 , and M 3 . Using the method presented in Section 4.1.1, the destination node D obtains the original information symbols M 1 , M 2 , and M 3 .
When q ≥ 4 is a power of 2, to apply the method given in Section 4.1.1, the node I 2 needs to obtain the information M 1 ⊕ eM 3 . This task for I 2 can be implemented by a secure CAF with a two-dimensional vector over the finite field F 2 by the prior conversion from M 3 to eM 3 at the node S 3 before use of the Gaussian MAC (e 1 , e 6 ). The same method is applied to the Gaussian MACs (e 2 , e 4 ) and (e 3 , e 5 ). The remaining part of this protocol can be performed in the same way as the above.
In the above way, the framework of the secure PLNC enables us to implement the secure code for an attack on an intermediate (untrusted) node by using secure CAF. That is, this code guarantees Security (S4). This protocol requires no additional random variable, unlike the protocol presented in Section 4.1.2.

Use of CAF
Next, we construct a protocol using CAF. In this protocol, at the node D, to recover M 1 , we employ CAF on the two edges e 8 and e 9 . Similarly, to recover M 2 (M 3 ), we employ CAF on the two edges e 7 and e 9 (e 7 and e 8 ). To avoid information leakage over every intermediate (untrusted) node, the transmitter applies the secure network code given in Section 4.1.2.

Comparison
All the proposed protocols are summarized in Table 5. Since the security of our interest is (S4), we compare the protocols except for the protocol given in Section 4.1.1. Only the protocol given in Section 4.2.1 satisfies Security (S4). To implement these protocols as wireless communication network, we compare the transmission rates of the protocols given in Sections 4.1 and 4.2 when each edge is given as the BPSK scheme of a singleinput Gaussian channel (16), a two-input Gaussian channel (2), or a three-input Gaussian channel (2): where h ∈ C are the channel fading coefficients, N is a complex Gaussian random variable with zero mean and a variance of one, and X i is coded as (−1) A i with A i ∈ F 2 . In this comparison, we make the same assumptions for h 1 , h 2 , and GT as the previous section. Additionally, we assume that ideal codes given in Section 3.4 are available, and that the mutual information rate triple is available in the MAC channel (21) when three transmitters intend to send their own message to the receiver, where the random variables A 1 , A 2 , and A 3 are independently subject to the uniform distribution [37]. Using this rate, we compare the secure NC protocol given in Section 4.1.2 and the secure PLNC protocol given in Section 4.2 because both protocols realize the secrecy for intermediate (untrusted) nodes. When any Gaussian MAC is not used, the secure NC protocol given in Section 4.1.2 requires five time slots at least as shown in Table 6. In particular, the edges e 7 , e 8 , and e 9 need to send the information symbols twice as the remaining edges. Therefore, when the length of the transmitted message is G, the first and second time slots need transfer time GT I(Y;A) Equation (16) , and the remaining time slots need transfer time 2GT I(Y;A) Equation (16) . Hence, the total transfer time is calculated to be 8GT I(Y;A) Equation (16) . When we use the Gaussian MAC, the secure NC protocol given in Section 4.1.2 can be implemented with two time slots as in Table 7. The first time slot needs transfer time 2GT I(Y;A 1 ,A 2 ) Equation (2) , and the second time slot needs transfer time 6GT I(Y;A 1 A 2 A 3 ) Equation (21) . Hence, the total transfer time is calculated to be   Table 7. Secure NC with Gaussian MAC.

Time Span Time i Time ii
Channel (e 1 , e 6 ), (e 2 , e 4 ),(e 3 , e 5 ) (e 7 , e 8 , e 9 ) The secure PLNC protocol given in Section 4.2.1 can be implemented only with two time slots as in Table 8, where the pairs (e 1 , e 2 ), (e 4 , e 5 ), and (e 6 , e 7 ) are realized by the secure CAF based on the Gaussian MAC channel (2). The first time slot needs transfer time GT 2I(Y;A 1 ⊕A 2 ) Equation(2) −I(Y;A 1 ,A 2 ) Equation (2) , and the second time slot needs transfer time 3GT I(Y;A 1 A 2 A 3 ) Equation (21) . Hence, the total transfer time is calculated to be (2) . Table 8. Secure PLNC with secure CAF.

Time Span Time i Time ii
Channel (e 1 , e 6 ), (e 2 , e 4 ), (e 3 , e 5 ) (e 7 , e 8 , e 9 ) Another secure PLNC protocol given in Section 4.2.2 can be implemented only with two time slots as in Table 9, where the pairs (e 1 , e 2 ), (e 4 , e 5 ), and (e 6 , e 7 ) are realized by the secure CAF based on the Gaussian MAC channel (2). The first time slot needs transfer time 2GT I(Y;A 1 ,A 2 ) Equation (2) , and the second time slot needs transfer time 3GT I(Y;A 1 ⊕A 2 ) Equation (2) . Hence, the total transfer time is calculated to be (2) . Table 9. Secure PLNC with CAF.
When h → ∞, these values converge to: respectively. The codes for the secure PLNC protocol given in Section 4.2.1 require shorter transfer time for the transmission than the secure NC protocol given in Section 4.1.2 in this comparison when the coefficient h is larger than about 1.7. This comparison shows that the secure PLNC protocol given in Section 4.2.1 has an advantage over the secure NC protocol given in Section 4.1.2 when the power of the signal is sufficiently large. In addition, this comparison indicates the advantage of the simple combination of secure NC and PLNC given in Section 4.2.2 over the secure NC protocol given in Section 4.

Conclusions and Discussion
We have studied the advantages of a secure PLNC over a secure NC. To investigate this type of advantage, we have focused on two typical network models. Section 3 has discussed the butterfly network model given in Figure 2, and Section 4 has discussed the network model with three source nodes given in Figure 4. We have described concrete protocols that efficiently realize the required secrecy and work over these network models. In these examples, the secure PLNC can realize the secrecy even with untrusted intermediate nodes.
In particular, as summarized in Table 1, in the butterfly network, although the protocols using secure network codes require a secure shared randomness for this purpose, the secure PLNC does not need it. Comparing the transfer times of the proposed codes, we have shown that the secure PLNC has a shorter transfer time than the the simple combination of secure NC and physical layer network under a certain range of channel parameters.
As one of the main reasons of these advantages, we can list the fact that secure PLNC is a cross-layered network protocol. That is, it can be realized by a joint application of the error correction and the secure NC by using the mechanism of a physical layer while the conventional scenario can be considered as separate application of the error correction and the secure NC. In particular, the noise in the channels is utilized for keeping the secrecy in the secure PLNC. Therefore, we can conclude that the secure PLNC is useful to realize the secrecy against information leakage at intermediate (untrusted) nodes.
One might consider that the proposed method does not work for jamming attacks [39] or spoofing [40,41]. The transmitters and the receivers can detect it by attaching authentication [42][43][44][45], which can be realized by using a universal2 hash function and preshared keys.
Furthermore, the number of existing applications of the secure PLNC is quite limited. It is an important future study to find much more fruitful applications of the secure PLNC over untrusted relays. In fact, reference [21] also derived an upper bound for the amount of the leaked information of the constructed finite-length code. Therefore, it is an interesting future topic to make finite-length analysis by applying the finite-length analysis in [21]. In addition, the analysis of this paper is based on the BPSK scheme. Since many papers on secure PLNC were based on lattice codes, a similar comparison based on lattice codes is needed. Such a comparison remains an interesting open problem.
Finally, we list three future problems. The first one is the application of the proposed method to multi-hop untrusted relaying networks [8,46]. The second one is the realization of covert communication [47,48] over the wireless networks discussed in this paper. The third one is the problem related to retransmission. In real communication, there is a possibility that we need to perform retransmission due to various reasons. While such a retransmission causes delay, our time analysis does not cover it. In addition, due to the existence of retransmissions, the network needs to prepare a certain central system that controls the status of the whole network. It is another future problem to design the implementation of our system taking care of these issues. These are challenging future studies.