Multiple Linear-Combination Security Network Coding

Abstract

In this paper, we put forward the model of multiple linear-combination security multicast network coding, where the wiretapper desires to obtain some information about a predefined set of multiple linear combinations of the source symbols by eavesdropping any one (but not more than one) channel subset up to a certain size r, referred to as the security level. For this model, the security capacity is defined as the maximum average number of source symbols that can be securely multicast to all sink nodes for one use of the network under the linear-combination security constraint. For any security level and any linear-combination security constraint, we fully characterize the security capacity in terms of the ratio of the rank of the linear-combination security constraint to the number of source symbols. Also, we develop a general construction of linear security network codes. Finally, we investigate the asymptotic behavior of the security capacity for a sequence of linear-combination security models and discuss the asymptotic optimality of our code construction.

1. Introduction

In 2000, Ahlswede et al. [1] proposed the general concept of network coding. In particular, they investigated the single-source multicast network coding problem, where the source symbols generated by a single source node are required to multicast to multiple sink nodes through a noiseless network while the nodes in the network are allowed to process the received information. It was proven in [1] that if coding is applied at the intermediate nodes (rather than routing only), the source node can multicast source symbols to all the sink nodes at the theoretically maximum rate, i.e., the smallest minimum cut capacity separating a sink node from the source node, as the alphabet size of both the information source and the channel transmission symbol tends toward infinity. In 2003, Li et al. [2] proved that linear network coding over a finite alphabet is sufficient for optimal multicast by means of a vector space approach. Independently, Koetter and Médard [3] developed an algebraic characterization of linear network coding by means of a matrix approach. Jaggi et al. [4] further presented a deterministic polynomial-time algorithm for constructing a linear network code. For comprehensive discussions of network coding, we refer the reader to [5,6,7,8,9,10].

In the paradigm of network coding, information-theoretic security in the presence of a wiretapper is naturally considered (cf. [11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28]), called the secure network coding problem. In the model of secure network coding over a wiretap network, (i) the source node multicasts the source symbols to all the sink nodes, which, as legal users, are required to correctly decode the source symbols; and (ii) the wiretapper, who can access any one but not more than one wiretap set of communication channels, is not allowed to obtain any information about the source symbols. The classical information-theoretically secure models, e.g., Shannon’s cipher system [29], secret sharing [30,31] and the wiretap channel II [32], can be regarded as special cases of the secure network coding model. In particular, a wiretap network is called an r-wiretap network if the wiretapper can fully access an arbitrary subset of, at most, r edges, where the non-negative integer r is called the security level.

In the model of secure network coding, to guarantee the required information-theoretic security, it is necessary to randomize the source symbols to combat the wiretapper. Cai and Yeung [11] presented a code construction for the r-wiretap network. El Rouayheb et al. [12] further showed that the Cai–Yeung code construction can be viewed as a network generalization of the code construction for wiretap channel II in [32]. Motivated by El Rouayheb et al., Silva and Kschischang [13] proposed a universal design of security network codes based on rank-metric codes. For the construction of security network codes in [11,12,13]. However, the existing upper bounds on the minimum required alphabet size may be too large for implementation for certain applications in terms of computational complexity and storage requirement. Feldman et al. [33] showed that for a given security level, the alphabet size can be reduced by sacrificing a small fraction of the information rate. However, if the information rate is not sacrificed, whether it is possible to reduce the required alphabet size is considered an open problem [12,17]. Recently, Guang and Yeung [18] developed a systematic graph-theoretic approach to improve the upper bound on the minimum required alphabet size for the existence of secure network codes, achieving an improvement of general significance. Subsequently, in order to tackle the problem of secure network coding when the information rate and the secure level may vary over time, Guang et al. [19] put forward local-encoding-preserving secure network coding, where a family of secure linear network codes is called local-encoding-preserving if all the codes in this family use a common local encoding operation at each intermediate node in the network. They also constructed a family of local-encoding-preserving secure linear network codes applicable for all possible pairs of rate and security level. We note that the variable-rate linear network coding problem without security consideration was previously investigated by Fong and Yeung [34].

In this paper, we put forward the model of multiple linear-combination security network coding, where multiple linear combinations (containing single linear combination as a special case) of the source symbols are required to be protected from the wiretapper. More precisely, in this model over an r-wiretap network, (i) the single source node generates source symbols over a finite field F, and all the source symbols are required to be correctly decoded at all the sink nodes; and (ii) for a predefined set of linear combinations of the source symbols, the wiretapper, who can fully access any channel subset of a size not larger than r, is not allowed to obtain any information about these linear combinations. For the above security model with security level r, the (linear-combination) security capacity is defined as the maximum average number of source symbols that can be securely multicast to all the sink nodes for one use of the network under the above linear-combination security constraint. A model related to the current work is that considered by Bhattad and Narayanan [23], which contains weakly secure network coding as a special case. The relation between the current work and that of Bhattad and Narayanan [23] is discussed in Appendix A.

In this paper, we investigate the security capacity and the code construction for this model and analyze the asymptotic behavior of the security capacity and code construction for a sequence of linear-combination security models. The main contributions and organization of this paper are as follows:

• In Section 2, we formally present the model of linear-combination security network coding and the preliminaries, including the necessary notation and definitions.
• In Section 3, we characterize the security capacity by considering different cases of the security level r. We first prove that $C_{min}-1$ is the maximum security level such that the source symbols can be securely multicast to all sink nodes with a positive rate, where $C_{min}$ is the smallest minimum cut capacity separating a sink node from the source node. Therefore, the security capacity is zero for $r\ge C_{min}$. For any nontrivial security level $1\le r\le C_{min}-1$, we prove upper bounds on the security capacity in terms of the ratio $\tau$ of the rank of the linear-combination security constraint to the number of source symbols.
  We further develop a systematic construction of linear security network codes, which is applicable to an arbitrary linear-combination security model. Based on the obtained upper bounds and the developed code construction, we fully characterize the security capacity for any possible pair of the number of the source symbols and the linear-combination security constraint. We also determine the threshold value ${\tau }_0$ such that there is no penalty on the security capacity compared with the capacity without any security consideration when the ratio $\tau$ is not larger than ${\tau }_0$.
• In Section 4, we fully characterize the asymptotic behavior of the security capacity for a sequence of linear-combination security models and prove that our code construction is asymptotically optimal.
• We conclude in Section 5 with a summary of our results.

2. Preliminaries

Consider a communication network whose communication channels are point-to-point. The network is represented by a directed acyclic graph $\mathcal{G}=(\mathcal{V},\mathcal{E})$, where $\mathcal{V}$ and $\mathcal{E}$ are finite sets of nodes and edges, respectively. Here, an edge in the graph $\mathcal{G}$ corresponds to a point-to-point channel in the network. In the graph $\mathcal{G}$, multiple edges between two nodes are allowed. We assume that an element in a finite field F can be reliably transmitted on each edge for each use. We use $\mathrm{tail}\left(e\right)$ and $\mathrm{head}\left(e\right)$ to denote the tail node and the head node of an edge e, respectively. For a node $v\in \mathcal{V}$, we let $\mathrm{In}\left(v\right)=\{e\in \mathcal{E}:\mathrm{head}(e)=v\}$ and $\mathrm{Out}\left(v\right)=\{e\in \mathcal{E}:\mathrm{tail}(e)=v\}$, i.e., $\mathrm{In}\left(v\right)$ and $\mathrm{Out}\left(v\right)$ are the set of input edges and the set of output edges, respectively. Furthermore, a sequence of edges $(e_1,e_2,\cdots ,e_m)$ is called a (directed) path from the node $\mathrm{tail}\left(e_1\right)$ to the node $\mathrm{head}\left(e_m\right)$ if $\mathrm{tail}\left(e_i\right)=\mathrm{head}\left(e_{i-1}\right)$ for $i=2,3,\cdots ,m$. For two nodes u and v with $u\ne v$, an edge subset $C\subseteq \mathcal{E}$ is called a cut separating v from u if no path exists from u to v upon removing the edges in C. The capacity of a cut separating v from u is defined as the size of this cut. A cut C separating v from u is called a minimum cut separating v from u if there does not exist a cut $C^{\prime }$ separating v from u such that $|C^{\prime }|<|C|$. The capacity of a minimum cut separating v from u is called the minimum cut capacity separating v from u, as denoted by $\mathrm{mincut}(u,v)$. There is a single source node $s\in \mathcal{V}$ and a set of sink nodes $T\subseteq \mathcal{V}\setminus \left\{s\right\}$ on the graph $\mathcal{G}$. Without loss of generality, we assume that the source node s has no input edges and that every sink node $t\in T$ has no output edges, i.e., $\mathrm{In}\left(s\right)=\mathrm{Out}\left(t\right)=\varnothing ,\forall t\in T$. The graph $\mathcal{G}$, together with s and T, forms a network $\mathcal{N}$ denoted by $\mathcal{N}=(\mathcal{G},s,T)$.

The source node s generates Lsource symbols $B_1,B_2,\cdots ,B_L$ that are independent and identically distributed (i.i.d.) random variables with a uniform distribution on the finite field F. All the source symbols are required to be multicast to every sink node t in T by using the network $\mathcal{N}$ multiple times, i.e., transmitting multiple elements in F on each edge by using the edge multiple times. There is a wiretapper who can eavesdrop any edge subset of a size up to the security level r, while, for a positive integer $m_L$, the $m_L$ linear combinations of the source symbols

$$\sum _{i=1}^L{a}_{i,j}·B_i,j=1,2,\cdots ,m_L$$

(1)

over the finite field F are required to be protected from the wiretapper, where $a_{i,j},1\le i\le L,1\le j\le m_L$ are constants in F; that is, the wiretapper is not allowed to obtain any information about the multiple linear combinations of the source symbols given in (1). Furthermore, we let $\mathbf{B}=(B_1,B_2,\cdots ,B_L)$, and

$$M_L={\left[a_{i,j}\right]}_{1\le i\le L,1\le j\le m_L},$$

is an $L\times m_L$ matrix. Then, the $m_L$ linear combinations in (1) can be written as $\mathbf{B}·M_L$. Without loss of generality, we assume that $m_L\le L$ and that the matrix $M_L$ has full column rank, i.e.,

$$\mathrm{Rank}\left(M_L\right)=m_L.$$

In this model, the security level r is known by the source node and sink nodes, but which edge subset is eavesdropped by the wiretapper is unknown. It suffices to consider only the wiretap sets of a size exactly equal to r. Then, we let

$${\mathcal{W}}_r\triangleq \{W\subseteq \mathcal{E}:|W|=r\},$$

where each edge subset $W\in {\mathcal{W}}_r$ is called a wiretap set. We use $\{(L,M_L),r\}$ to denote the above linear-combination security model.

Next, we define a (linear-combination) security network code for the security model $\{(L,M_L),r\}$. In order to combat the wiretapper, we may need randomness to randomize the source symbols. However, as we show, it is not always necessary to randomize the source symbols. As part of the code to be defined, we assume that the key $\mathbf{K}$ is a random variable uniformly distributed over a finite set $\mathcal{K}$, which is available only at the source node s. The key $\mathbf{K}$ and the source symbols $B_i,i=1,2,\cdots ,L$ are assumed to be mutually independent. A $(L,M_L)$ security network code is defined as follows. First, we let $b_i\in F$ and $\mathbf{k}\in \mathcal{K}$ be arbitrary outputs of the source symbol $B_i$ and the key $\mathbf{K}$, respectively, $i=1,2,\cdots ,L$. We further let $\mathbf{b}=(b_1,b_2,\cdots ,b_L)$, which is the output of the vector of source symbols $\mathbf{B}=(B_1,B_2,\cdots ,B_L)$. A $(L,M_L)$ security network code $\widehat{\mathbf{C}}$ consists of:

• A local encoding function ${\widehat{\theta }}_e$ for each edge $e\in \mathcal{E}$, where

  $${\widehat{\theta }}_e:\left\{\begin{array}{cc}{F}^L\times \mathcal{K}\to \mathrm{Im}\left({\widehat{\theta }}_e\right),\hfill & \mathrm{if}\mathrm{tail}\left(e\right)=s;\hfill \\ {\displaystyle \prod _{d\in \mathrm{In}\left(\mathrm{tail}\right(e\left)\right)}}\mathrm{Im}\left({\widehat{\theta }}_d\right)\to \mathrm{Im}\left({\widehat{\theta }}_e\right),\hfill & \mathrm{otherwise};\hfill \end{array}\right.$$

  (2)

  with $\mathrm{Im}\left({\widehat{\theta }}_e\right)$ denoting the image set of ${\widehat{\theta }}_e$;
• A decoding function for each sink node $t\in T$:

  $${\widehat{\phi }}_t:\prod _{e\in \mathrm{In}\left(t\right)}\mathrm{Im}\left({\widehat{\theta }}_e\right)\to F^L$$

  to decode the source symbols $b_1,b_2,\cdots ,b_L$ at t.

Furthermore, we use $y_e\in \mathrm{Im}\left({\widehat{\theta }}_e\right)$ to denote the message transmitted on each edge $e\in \mathcal{E}$ by using the code $\widehat{\mathbf{C}}$ under $\mathbf{b}$ and $\mathbf{k}$. With the encoding mechanism described in (2), we readily see that $y_e$ is a function of $\mathbf{b}$ and $\mathbf{k}$, as denoted by ${\widehat{h}}_e\left(\mathbf{b}\mathbf{k}\right)$ (i.e., $y_e={\widehat{h}}_e\left(\mathbf{b}\mathbf{k}\right)$), where ${\widehat{h}}_e$ can be obtained by recursively applying the local encoding functions ${\widehat{\theta }}_e,e\in \mathcal{E}$ according to any ancestral order of the edges in $\mathcal{E}$. More precisely, for each $e\in \mathcal{E}$, we have

$${\widehat{h}}_e\left(\mathbf{b}\mathbf{k}\right)=\left\{\begin{array}{cc}{\widehat{\theta }}_e\left(\mathbf{b}\mathbf{k}\right),\hfill & \mathrm{if}\mathrm{tail}\left(e\right)=s;\hfill \\ {\widehat{\theta }}_e\left({\widehat{h}}_{\mathrm{In}\left(u\right)}\left(\mathbf{b}\mathbf{k}\right)\right),\hfill & \mathrm{otherwise};\hfill \end{array}\right.$$

where $u=\mathrm{tail}\left(e\right)$ and ${\widehat{h}}_E\left(\mathbf{b}\mathbf{k}\right)\triangleq \left({\widehat{h}}_e\left(\mathbf{b}\mathbf{k}\right):e\in E\right)$ for an edge subset $E\subseteq \mathcal{E}$ so that ${\widehat{h}}_{\mathrm{In}\left(u\right)}\left(\mathbf{b}\mathbf{k}\right)=\left({\widehat{h}}_e\left(\mathbf{b}\mathbf{k}\right):e\in \mathrm{In}\left(u\right)\right)$. We call ${\widehat{h}}_e$ the global encoding function of the edge e for the code $\widehat{\mathbf{C}}$.

For the security model $\{(L,M_L),r\}$, a $(L,M_L)$ security network code $\widehat{\mathbf{C}}=\{{\widehat{\theta }}_e:e\in \mathcal{E};{\widehat{\phi }}_t:t\in T\}$ is admissible if the following decoding and security conditions are satisfied:

• Decoding condition: All the source symbols are correctly decoded for each sink node $t\in T$, i.e., for each $t\in T$,

  $${\widehat{\phi }}_t\left({\widehat{h}}_{\mathrm{In}\left(t\right)}\left(\mathbf{b}\mathbf{k}\right)\right)=\mathbf{b},\forall \mathbf{b}\in F^L\mathrm{and}\forall \mathbf{k}\in \mathcal{K};$$

  (3)
• Security condition: for each wiretap set, $W\in {\mathcal{W}}_r$,

  $$I\left({\mathbf{Y}}_W;\mathbf{B}·M_L\right)=0,$$

  (4)

  where ${\mathbf{Y}}_W\triangleq (Y_e:e\in W)$, and $Y_e\triangleq {\widehat{h}}_e(\mathbf{B},\mathbf{K})$ is the random variable transmitted on the edge e.

For an admissible $(L,M_L)$ security network code $\widehat{\mathbf{C}}=\{{\widehat{\theta }}_e:e\in \mathcal{E};{\widehat{\phi }}_t:t\in T\}$, we let

$$n_e=⌈{log}_{\left|F\right|}\left|\mathrm{Im}\left({\widehat{\theta }}_e\right)\right|⌉$$

for each edge e in $\mathcal{E}$, which is regarded as the number of times the edge e is used for transmission when applying the code $\widehat{\mathbf{C}}$. We further let $n\left(\widehat{\mathbf{C}}\right)\triangleq {max}_{e\in \mathcal{E}}{n}_e$. Then, the rate of $\widehat{\mathbf{C}}$ is defined by

$$R\left(\widehat{\mathbf{C}}\right)=\frac{L}{n\left(\widehat{\mathbf{C}}\right)},$$

(5)

which is the average number of source symbols that can be securely multicast to all the sink nodes for one use of the network using the code $\widehat{\mathbf{C}}$.

Furthermore, the security capacity for this model $\{(L,M_L),r\}$ is defined as the maximum rate of all admissible $(L,M_L)$ security network codes, i.e.,

$$\mathcal{C}=max\left\{R\left(\widehat{\mathbf{C}}\right):\widehat{\mathbf{C}}\mathrm{is}\mathrm{an}\mathrm{admissible}(L,M_L)\sec \mathrm{urity}\mathrm{network}\mathrm{code}\mathrm{for}\{(L,M_L),r\}\right\}.$$

According to the definition of the rate in (5), characterizing the security capacity $\mathcal{C}$ is equivalent to determining the minimum $n\left(\widehat{\mathbf{C}}\right)$ over all the admissible $(L,M_L)$ security network codes, i.e.,

$$n^{*}\triangleq min\left\{n\left(\widehat{\mathbf{C}}\right):\widehat{\mathbf{C}}\mathrm{is}\mathrm{an}\mathrm{admissible}(L,M_L)\mathrm{security}\mathrm{network}\mathrm{code}\mathrm{for}\{(L,M_L),r\}\right\}.$$

For instance, a special case of the linear-combination security model $\{(L,M_L),r\}$ is algebraic-sum security network coding, as elaborated below. In this model, the source node s generates L source symbols $B_1,B_2,\cdots ,B_L$, which are required to be multicast to every sink node $t\in T$, and the wiretapper, who can eavesdrop any edge subset of size r, is not allowed to obtain any information about the m algebraic sums of the source symbols:

$$\sum _{\genfrac{}{}{0pt}{}{i\in \left[L\right]:}{i\equiv j\left(\mathrm{mod}m\right)}}{B}_i,j=1,2,\cdots ,m,$$

(6)

where $1\le m\le L$, and $\left[L\right]\triangleq \{1,2,\cdots ,L\}$. For this algebraic-sum security model, when $m=1$, we adopt the convention that $i\equiv 1\left(\mathrm{mod}1\right)$ for all $i=1,2,\cdots ,L$. Then, Equation (6) becomes ${\sum }_{i=1}^L{B}_i$, i.e., the algebraic sum ${\sum }_{i=1}^L{B}_i$ of all the L source symbols is required to be protected from the wiretapper. When $m=L$, we have $i\not\equiv i^{\prime }\left(\mathrm{mod}m\right),\forall i,i^{\prime }\in \left[L\right]$, where $i\ne i^{\prime }$; thus, all the source symbols $B_1,B_2,\cdots ,B_L$ are required to be protected from the wiretapper. This is the standard model of secure network coding, which has been widely studied in the literature, e.g., [11,12,13,14,15,16,17,18,19,20,21,22,23,24].

An example scenario for the application of the linear-combination security model is as follows. A predefined set of linear combinations of the source symbols is required to be protected from the wiretapper, while other linear combinations are unprotected. The source node s generates L source symbols $B_1,B_2,\cdots ,B_L$ in the finite field F, which are required to be multicast to every sink node $t\in T$. The $L\times m_L$ matrix $M_L$ is regarded as an F-valued parity-check matrix. We denote the solution space of the system of linear equations $\overrightarrow{b}·M_L=\overrightarrow{0}$ over F as $V(\overrightarrow{0})$, i.e.,

$$V(\overrightarrow{0})=\left\{\overrightarrow{b}\in F^L:\overrightarrow{b}·M_L=\overrightarrow{0}\right\},$$

where $\overrightarrow{0}$ is the zero row $m_L$-vector. According to the value of $\overrightarrow{b}·M_L$, for every output $\overrightarrow{b}\in F^L$ of $\mathbf{B}=(B_1,B_2,\cdots ,B_L)$, the vector space $F^L$ can be partitioned into ${\left|F\right|}^{m_L}$ cosets of the solution space given by $\left\{V\left(\overrightarrow{a}\right):\overrightarrow{a}\in F^{m_L}\right\}$, where $V\left(\overrightarrow{a}\right)\triangleq \left\{\overrightarrow{b}\in F^L:\overrightarrow{b}·M_L=\overrightarrow{a}\right\}.$ In this scenario, we desire to protect the information as to which coset $V\left(\overrightarrow{a}\right)$ the vector $\overrightarrow{b}$ lies in, which may contain some useful information for the wiretapper. In other words, the information about the specified linear combinations $\mathbf{B}·M_L$ needs to be protected from the wiretapper, while other linear combinations are unprotected.

3. Characterization of the Capacity ofthe Security Model $\{(\mathit{L},{\mathit{M}}_{\mathit{L}}),\mathit{r}\}$

3.1. Upper Bounds on the Security Capacity

Consider a linear-combination security model $\{(L,M_L),r\}$. We first consider the trivial case of $r\ge C_{min}$, where $C_{min}\triangleq {min}_{t\in T}\mathrm{mincut}(s,t)$. In this case, for a sink node $t\in T$ such that $\mathrm{mincut}(s,t)=C_{min}$, the wiretapper is able to decode the source symbols, provided that the sink node t correctly decodes them. This shows that the security capacity is $\mathcal{C}=0$ for $r\ge C_{min}$, which implies that $C_{min}-1$ is an upper bound on the maximum security level for which the source symbols can be multicast with a positive rate. For another trivial case $r=0$, the security model $\{(L,M_L),0\}$ becomes a single-source multicast network coding problem without any security consideration. Given the fact that the maximum rate at which the source symbols can be correctly multicast to all the sink nodes is $C_{min}$ (cf. [1,6]), we thus obtain that

$$n^{*}=⌈\frac{L}{C_{min}}⌉,$$

or, equivalently,

$$\mathcal{C}=\frac{L}{n^{*}}=\frac{L}{⌈L/C_{min}⌉}.$$

Next, we consider $0<r<C_{min}$. We readily see that an admissible $(L,M_L)$ security network code $\widehat{\mathbf{C}}$ is also a network code such that all the L source symbols can be correctly decoded at each $t\in T$. This immediately implies that $n^{*}$ can be lower-bounded by $⌈L/C_{min}⌉$ for any security level $0<r<C_{min}$, i.e.,

$$n^{*}\ge ⌈\frac{L}{C_{min}}⌉.$$

(7)

Furthermore, we present the following lemma, which asserts a non-trivial lower bound on $n^{*}$.

Lemma 1. 

Consider a linear-combination security model $\{(L,M_L),r\}$ with a security level of $0<r<C_{min}$, where $\mathrm{Rank}\left(M_L\right)=m_L$. Let $\tau =m_L/L$. Then,

$$n^{*}\ge ⌈\frac{\tau L}{C_{min}-r}⌉.$$

(8)

Proof. 

First, we claim that

$$H(\mathbf{B}·M_L)=\tau L·log\left|F\right|,$$

(9)

where $\tau L=m_L$. To see this, we consider an arbitrary row vector $\overrightarrow{x}\in F^{\tau L}$ and obtain

$$\begin{array}{cc}\hfill Pr\left(\mathbf{B}·M_L=\overrightarrow{x}\right)& =\sum _{\mathbf{b}\in F^L:\mathbf{b}·M_L=\overrightarrow{x}}Pr\left(\mathbf{B}=\mathbf{b}\right)\hfill \\ \hfill & =\#\left\{\mathbf{b}\in F^L:\mathbf{b}·M_L=\overrightarrow{x}\right\}·\frac{1}{{\left|F\right|}^L}=\frac{1}{{\left|F\right|}^{\tau L}},\hfill \end{array}$$

(10)

where the equality $Pr\left(\mathbf{B}=\mathbf{b}\right)=\frac{1}{{\left|F\right|}^L}$ holds because the source symbols $B_i,1\le i\le L$ are i.i.d. with the uniform distribution on F.

We now consider an arbitrary admissible $(L,M_L)$ security network code: $\widehat{\mathbf{C}}=\{{\widehat{\theta }}_e:e\in \mathcal{E};{\widehat{\phi }}_t:t\in T\}$. For an edge subset C that separates a sink node $t\in T$ from the source node s, it follows from the decoding condition (3) that $H\left(\mathbf{B}\right|{\mathbf{Y}}_C)=0$. This immediately implies that

$$\begin{array}{c}\hfill H\left(\mathbf{B}·M_L|{\mathbf{Y}}_C\right)=0.\end{array}$$

(11)

Furthermore, for any wiretap set $W\in {\mathcal{W}}_r$ with $W\subseteq C$, it follows from the security condition (4) that

$$\begin{array}{c}\hfill H\left(\mathbf{B}·M_L\right)=H\left(\mathbf{B}·M_L|{\mathbf{Y}}_W\right).\end{array}$$

(12)

Combining (11) and (12), we obtain

$$\begin{array}{cc}\hfill \hspace{1em}\hspace{1em}H\left(\mathbf{B}·M_L\right)& =H\left(\mathbf{B}·M_L|{\mathbf{Y}}_W\right)-H\left(\mathbf{B}·M_L|{\mathbf{Y}}_C\right)\hfill \\ \hfill & =I\left(\mathbf{B}·M_L;{\mathbf{Y}}_{C\setminus W}|{\mathbf{Y}}_W\right)\hfill \\ \hfill & \le H\left({\mathbf{Y}}_{C\setminus W}|{\mathbf{Y}}_W\right)\hfill \\ \hfill & \le H\left({\mathbf{Y}}_{C\setminus W}\right)\hfill \\ \hfill & \le \sum _{e\in C\setminus W}H\left(Y_e\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \hspace{1em}\le \sum _{e\in C\setminus W}log|\mathrm{Im}\left({\widehat{\theta }}_e\right)|\hfill \end{array}$$

(13)

$$\begin{array}{cc}\hfill & \le \sum _{e\in C\setminus W}{n}_e·log\left|F\right|\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill & \hspace{1em}\hspace{1em}\le n\left(\widehat{\mathbf{C}}\right)·|C\setminus W|·log\left|F\right|,\hfill \end{array}$$

(15)

where the inequality (13) holds because $Y_e$ takes values in $\mathrm{Im}\left({\widehat{\theta }}_e\right)$, and the inequality (14) follows from

$$\begin{array}{c}\hfill n_e=⌈{log}_{\left|F\right|}\left|\mathrm{Im}\left({\widehat{\theta }}_e\right)\right|⌉\ge {log}_{\left|F\right|}\left|\mathrm{Im}\left({\widehat{\theta }}_e\right)\right|,\end{array}$$

and the inequality (15) follows from $n\left(\widehat{\mathbf{C}}\right)={max}_{e\in \mathcal{E}}{n}_e$.

Combining (9) and (15), we obtain

$$\begin{array}{c}\hfill n\left(\widehat{\mathbf{C}}\right)\ge \frac{H\left(\mathbf{B}·M_L\right)}{|C\setminus W|·log\left|F\right|}=\frac{\tau L}{|C\setminus W|}.\end{array}$$

Note that the above inequality is true for each sink node $t\in T$ and all the pairs $(C,W)$ of the cut C separating t from s and the wiretap set $W\in {\mathcal{W}}_r$ such that $W\subseteq C$. We thus obtain

$$\begin{array}{c}\hfill n\left(\widehat{\mathbf{C}}\right)\ge \underset{t\in T}{max}\underset{\genfrac{}{}{0pt}{}{(W,C)\in {\mathcal{W}}_r\times {\mathsf{\Lambda }}_t:}{W\subseteq C}}{max}\frac{\tau L}{|C\setminus W|},\end{array}$$

where ${\mathsf{\Lambda }}_t\triangleq \left\{C\subseteq \mathcal{E}:C\mathrm{is}\mathrm{a}\mathrm{cut}\mathrm{separating}t\mathrm{from}s\right\}$. For each $t\in T$, we have

$$\begin{array}{c}\hfill |C\setminus W|\ge C_{min}-r,\forall (W,C)\in {\mathcal{W}}_r\times {\mathsf{\Lambda }}_t\mathrm{with}W\subseteq C.\end{array}$$

According to the definition of $C_{min}$, this lower bound is achievable for some $t\in T$ and $(W,C)\in {\mathcal{W}}_r\times {\mathsf{\Lambda }}_t$ such that $W\subseteq C$. It then follows that

$$n\left(\widehat{\mathbf{C}}\right)\ge \frac{\tau L}{C_{min}-r}.$$

Furthermore, since $n\left(\widehat{\mathbf{C}}\right)$ is an integer, we have

$$n\left(\widehat{\mathbf{C}}\right)\ge ⌈\frac{\tau L}{C_{min}-r}⌉.$$

(16)

In addition, because the above lower bound (16) on $n\left(\widehat{\mathbf{C}}\right)$ is valid for any admissible $(L,M_L)$ security network code $\widehat{\mathbf{C}}$, we obtain

$$n^{*}\ge ⌈\frac{\tau L}{C_{min}-r}⌉.$$

The lemma is thus proven. □

The lower bounds in (7) and (8) on $n^{*}$ apply to all $0<r<C_{min}$. For a specific value of $\tau$, one of them can be tighter than the other. By comparing these bounds, we can readily obtain the upper bounds on the security capacity $\mathcal{C}$ as stated in the following theorem.

Theorem 1. 

Consider a linear-combination security model $\{(L,M_L),r\}$ with a security level of $0<r<C_{min}$, where $\mathrm{Rank}\left(M_L\right)=m_L$. Let

$$\tau =\frac{m_L}{L}\mathrm{and}{\tau }_0=\frac{C_{min}-r}{C_{min}}.$$

• If $0\le \tau \le {\tau }_0$, then

  $$\mathcal{C}\le \frac{L}{⌈L/C_{min}⌉}.$$
• If ${\tau }_0<\tau \le 1$, then

  $$\mathcal{C}\le \frac{L}{⌈\tau L/(C_{min}-r)⌉}.$$

Proof. 

By comparing the lower bounds ((7) and (8)) on $n^{*}$, we immediately obtain

• if $0\le \tau \le {\tau }_0$, then

  $$n^{*}\ge ⌈\frac{L}{C_{min}}⌉\ge ⌈\frac{\tau L}{C_{min}-r}⌉$$

  (17)

  implying that

  $$\mathcal{C}\le \frac{L}{⌈L/C_{min}⌉};$$
• If ${\tau }_0<\tau \le 1$, we have

  $$n^{*}\ge ⌈\frac{\tau L}{C_{min}-r}⌉\ge ⌈\frac{L}{C_{min}}⌉$$

  (18)

  implying that

  $$\mathcal{C}\le \frac{L}{⌈\tau L/C_{min}⌉}.$$

We have thus proven the theorem. □

3.2. Characterization of the Security Capacity

Next, we present a code construction for the security model $\{(L,M_L),r\}$ with $0<r<C_{min}$, which shows that the upper bounds in Theorem 1 for both cases of $\tau$ are tight. We thus obtain a full characterization of the security capacity for the security model $\{(L,M_L),r\}$, as stated in the following theorem.

Theorem 2. 

Consider a linear-combination security model $\{(L,M_L),r\}$ over a finite field F, where $0<r<C_{min}$ and $\left|F\right|>max\left\{\left|T\right|,\left(\genfrac{}{}{0pt}{}{\left|\mathcal{E}\right|}{r}\right)\right\}$. Let

$$\tau =\frac{m_L}{L}\mathit{and}{\tau }_0=\frac{C_{min}-r}{C_{min}}.$$

• If $0\le \tau \le {\tau }_0$, then

  $$\mathcal{C}=\frac{L}{⌈L/C_{min}⌉}.$$

  (19)
• If ${\tau }_0<\tau \le 1$, then

  $$\mathcal{C}=\frac{L}{⌈\tau L/(C_{min}-r)⌉}.$$

  (20)

This theorem reveals the somewhat surprising fact that for the case of $0\le \tau \le {\tau }_0$, there is no penalty on the security capacity compared with the capacity without any security consideration. In Section 4, we further investigate the asymptotic behavior of the security capacity for a sequence of the security models as L tends toward infinity. We not only characterize the asymptotic behavior of the security capacity but also show the asymptotic optimality of our construction.

We first define a linear security network code for the security model $\{(L,M_L),r\}$. Briefly, a $(L,M_L)$ security network code $\widehat{\mathbf{C}}$ is linear if the local encoding functions for all the edges are linear. Specifically, we recall that $\mathbf{b}=(b_1,b_2,\cdots ,b_L)\in F^L$ is an arbitrary output of the vector of source symbols $\mathbf{B}=(B_1,B_2,\cdots ,B_L)$. Let $\mathcal{K}=F^z$, where the non-negative integer z is specified later. Then, the key $\mathbf{K}$ is a random row vector uniformly distributed on $F^z$. We further let $\mathbf{k}\in F^z$ be an arbitrary output of $\mathbf{K}$. Consequently, for a $(L,M_L)$ linear security network code $\widehat{\mathbf{C}}$, all the global encoding functions ${\widehat{h}}_e,e\in \mathcal{E}$ are linear functions of $\mathbf{b}$ and $\mathbf{k}$. Therefore, there exists an F-valued $(L+z)\times n$ matrix $H_e=\left[{\overrightarrow{h}}_e^{\left(1\right)}{\overrightarrow{h}}_e^{\left(2\right)}\cdots {\overrightarrow{h}}_e^{\left(n\right)}\right]$ for each $e\in \mathcal{E}$ such that

$$\begin{array}{c}\hfill {\widehat{h}}_e\left(\mathbf{b}\mathbf{k}\right)=\left(\mathbf{b}\mathbf{k}\right)·H_e,\end{array}$$

where $n\triangleq n\left(\widehat{\mathbf{C}}\right)$, and $H_e$ is called the global encoding matrix of the edge e for the code $\widehat{\mathbf{C}}$. In particular, if $n\left(\widehat{\mathbf{C}}\right)=1$, then the code $\widehat{\mathbf{C}}$ is called a $(L,M_L)$ scalar-linear security network code.

In the following, for the nontrivial case of a security model $\{(L,M_L),r\}$ with a security level of $0<r<C_{min}$, we develop a construction of admissible $(L,M_L)$ linear security network codes that can be applied to any pair $(L,M_L)$. This code construction shows that the upper bounds in Theorem 1 for both cases of $\tau$ are tight, which we state in the following theorem.

Theorem 3. 

Consider a linear-combination security model $\{(L,M_L),r\}$ over a finite field F, where $\mathrm{Rank}\left(M_L\right)=m_L$, $0<r<C_{min}$ and $\left|F\right|>max\left\{\left|T\right|,\left(\genfrac{}{}{0pt}{}{\left|\mathcal{E}\right|}{r}\right)\right\}$. Let

$$\tau =\frac{m_L}{L}\mathit{and}{\tau }_0=\frac{C_{min}-r}{C_{min}}.$$

Then, there exists an admissible $(L,M_L)$ linear security network code $\widehat{\mathbf{C}}$ such that

• If $0\le \tau \le {\tau }_0$, then

  $$n\left(\widehat{\mathbf{C}}\right)=⌈\frac{L}{C_{min}}⌉;$$

  (21)
• if ${\tau }_0<\tau \le 1$, then

  $$n\left(\widehat{\mathbf{C}}\right)=⌈\frac{\tau L}{C_{min}-r}⌉.$$

  (22)

3.3. Proof of Theorem 3

In this subsection, we provide the proof of Theorem 3, which includes three parts: code construction, verification of the decoding condition and verification of the security condition.

▸

Code construction:

We consider a linear-combination security model $\{(L,M_L),r\}$ over a finite field F, where $0<r<C_{min}$ and $\left|F\right|>max\left\{\left|T\right|,\left(\genfrac{}{}{0pt}{}{\left|\mathcal{E}\right|}{r}\right)\right\}$. In the following, we construct an admissible $(L,M_L)$ linear security network code such that the L source symbols can be securely multicast to all the sink nodes by transmitting n symbols on each edge, i.e., using the network n times, where

$$n=\left\{\begin{array}{cc}⌈\frac{L}{C_{min}}⌉,\hfill & \mathrm{if}0\le \tau \le {\tau }_0,\hfill \\ ⌈\frac{\tau L}{C_{min}-r}⌉.\hfill & \mathrm{if}{\tau }_0<\tau \le 1,\hfill \end{array}\right.$$

(23)

(cf. (21) and (22)). For any $0\le \tau \le 1$, we let

$$z=\left\{\begin{array}{cc}0,\hfill & \mathrm{if}L\ge nr+\tau L,\hfill \\ nr+\tau L-L,\hfill & \mathrm{if}L<nr+\tau L,\hfill \end{array}\right.$$

(24)

i.e.,

$$\mathcal{K}=\left\{\begin{array}{cc}\varnothing ,\hfill & \mathrm{if}L\ge nr+\tau L,\hfill \\ F^{nr+\tau L-L},\hfill & \mathrm{if}L<nr+\tau L.\hfill \end{array}\right.$$

According to (24), when $L\ge nr+\tau L$, it is unnecessary to randomize the source symbols to guarantee linear-combination security. Furthermore, for any pair $(L,z)$ satisfying (24), we observe that

$$nr+\tau L\le L+z\le n{C}_{min}.$$

(25)

The first inequality in (25) is straightforward. To prove the second inequality, we consider two cases below.

Case 1: 

$L\ge nr+\tau L$.

According to (24) we have $z=0$, and thus:

$$L+z=L.$$

(26)

Furthermore, it follows from (23) that for $0\le \tau \le {\tau }_0$,

$$n=⌈\frac{L}{C_{min}}⌉\ge \frac{L}{C_{min}};$$

and for ${\tau }_0<\tau \le 1$,

$$n=⌈\frac{\tau L}{C_{min}-r}⌉\ge ⌈\frac{L}{C_{min}}⌉\ge \frac{L}{C_{min}}$$

(cf. (18) for the first inequality in the above equation). Together with (26), we immediately prove that $L+z=L\le n{C}_{min}$ for this case.

Case 2: 

$L<nr+\tau L$.

According to (24), we have

$$L+z=nr+\tau L.$$

(27)

Furthermore, it follows from (23) that for $0\le \tau \le {\tau }_0$,

$$n=⌈\frac{L}{C_{min}}⌉\ge ⌈\frac{\tau L}{C_{min}-r}⌉\ge \frac{\tau L}{C_{min}-r}$$

(cf. (17) for the first inequality in the above equation), and for ${\tau }_0<\tau \le 1$,

$$n=⌈\frac{\tau L}{C_{min}-r}⌉\ge \frac{\tau L}{C_{min}-r}.$$

Together with (27), we immediately obtain that $L+z=nr+\tau L\le n{C}_{min}$ for this case. Combining the two cases, we have proven the second inequality in (25).

According to (25), we have $L+z\le n{C}_{min}$. This implies that the $L+z$ symbols in F generated by the source node s, which contain the L source symbols and the key of z symbols, can be multicast to all the sink nodes in T by using the network n times. To elaborate this, we first claim that

$$L+z>(n-1)C_{min}.$$

(28)

• When $0\le \tau \le {\tau }_0$, it follows from (23) that

  $$\begin{array}{cc}\hfill (n-1)C_{min}& =\left(⌈\frac{L}{C_{min}}⌉-1\right)·C_{min}\hfill \\ \hfill & <\frac{L}{C_{min}}·C_{min}=L\le L+z.\hfill \end{array}$$
• When ${\tau }_0<\tau \le 1$, according to (23), we obtain

  $$\begin{array}{cc}\hfill (n-1)C_{min}& =\left(⌈\frac{\tau L}{C_{min}-r}⌉-1\right)·C_{min}\hfill \\ \hfill & <\frac{\tau L}{C_{min}-r}·C_{min}\hfill \\ \hfill & =\tau L+\frac{\tau L}{C_{min}-r}·r\hfill \\ \hfill & \le \tau L+nr\le L+z,\hfill \end{array}$$

  where the last two inequalities follow from (23) and (25), respectively.

Thus, we have proven (28).

Now, we let $b_1^{\prime },b_2^{\prime },\cdots ,b_{L+z}^{\prime }$ be the $L+z$ source symbols, and divide them into n groups ${\mathbf{b}}_1^{\prime },{\mathbf{b}}_2^{\prime },\cdots$, ${\mathbf{b}}_{n-1}^{\prime }$ and ${\mathbf{b}}_n^{\prime }$, where for $i=1,2,\cdots ,n-1$, ${\mathbf{b}}_i^{\prime }$ contains $C_{min}$ source symbols, and ${\mathbf{b}}_n^{\prime }$ contains the remaining $L+z-(n-1)C_{min}$ source symbols. Here, we note from (25) and (28) that

$$1\le L+z-(n-1)C_{min}\le C_{min}.$$

Thus, it suffices to construct, at most, 2 scalar-linear network codes of dimensions $C_{min}$ and $\omega \triangleq L+z-(n-1)C_{min}$, respectively, to multicast the $L+z$ source symbols to all the sink nodes.

Let ${\mathbf{C}}_1$ be a $C_{min}$-dimensional scalar-linear network code in the network $\mathcal{N}$, of which the global encoding vectors are column vectors ${\overrightarrow{f}}_e$ in $F^{C_{min}}$ for all $e\in \mathcal{E}$, and let ${\mathbf{C}}_2$ be an $\omega$-dimensional scalar-linear network code on $\mathcal{N}$, of which the global encoding vectors are column vectors ${\overrightarrow{f}}_e^{\prime }$ in $F^{\omega }$ for all $e\in \mathcal{E}$ (cf. [1,2] and [6]). We use two codes ${\mathbf{C}}_1$ and ${\mathbf{C}}_2$ to construct an $(L+z)$-dimensional (vector-) linear network code $\mathbf{C}$ on the network $\mathcal{N}$ such that n symbols are transmitted on each edge $e\in \mathcal{E}$. Specifically, for each $e\in \mathcal{E}$, we let

$$\begin{array}{cc}\hfill G_e& =\left[{\overrightarrow{g}}_e^{\left(1\right)}{\overrightarrow{g}}_e^{\left(2\right)}\cdots {\overrightarrow{g}}_e^{\left(n\right)}\right]\hfill \\ \hfill & =\left[\begin{array}{ccccc}{\overrightarrow{f}}_e& \overrightarrow{0}& \cdots & \overrightarrow{0}& \overrightarrow{0}\\ \overrightarrow{0}& {\overrightarrow{f}}_e& \cdots & \overrightarrow{0}& \overrightarrow{0}\\ ⋮& ⋮& \ddots & ⋮& ⋮\\ \overrightarrow{0}& \overrightarrow{0}& \cdots & {\overrightarrow{f}}_e& \overrightarrow{0}\\ \overrightarrow{0}& \overrightarrow{0}& \cdots & \overrightarrow{0}& {\overrightarrow{f}}_e^{\prime }\end{array}\right],\hfill \end{array}$$

which is an F-valued $(L+z)\times n$ matrix regarded as the global encoding matrix for the code $\mathbf{C}$.

Next, for an edge $e\in \mathcal{E}$, we use $⟨G_e⟩$ to denote the vector space spanned by the column vectors of the matrix $G_e$, i.e.,

$$⟨G_e⟩\triangleq ⟨{\overrightarrow{g}}_e^{\left(1\right)},{\overrightarrow{g}}_e^{\left(2\right)},\cdots ,{\overrightarrow{g}}_e^{\left(n\right)}⟩.$$

Furthermore, for a wiretap set $W\in {\mathcal{W}}_r$, we use $G_W$ to denote the $(L+z)\times nr$ matrix whose column vectors are the column vectors of $G_e$ for all the edges $e\in W$, i.e.,

$$G_W=\left[G_e:e\in W\right]=\left[{\overrightarrow{g}}_e^{\left(1\right)}{\overrightarrow{g}}_e^{\left(2\right)}\cdots {\overrightarrow{g}}_e^{\left(n\right)}:e\in W\right],$$

Then, similarly, we use $⟨G_W⟩$ to denote the vector space spanned by the column vectors of the matrix $G_W$, i.e.,

$$⟨G_W⟩\triangleq ⟨{\overrightarrow{g}}_e^{\left(1\right)},{\overrightarrow{g}}_e^{\left(2\right)},\cdots ,{\overrightarrow{g}}_e^{\left(n\right)}:e\in W⟩.$$

Hence, we readily see that

$$\begin{array}{c}\hfill ⟨G_W⟩=\sum _{e\in W}⟨G_e⟩.\end{array}$$

Now, we claim that there exist F-valued column $(L+z)$-vectors ${\overrightarrow{u}}_i,i=1,2,\cdots ,\tau L$ such that

$$⟨{\overrightarrow{u}}_i:1\le i\le \tau L⟩\bigcap ⟨G_W⟩=\left\{\overrightarrow{0}\right\},\forall W\in {\mathcal{W}}_r.$$

(29)

To show this, we prove by induction on $1\le j\le \tau L$ that if we have $j-1$ linearly independent column vectors ${\overrightarrow{u}}_1,{\overrightarrow{u}}_2,\cdots ,{\overrightarrow{u}}_{j-1}$ in $F^{L+z}$ such that

$$⟨{\overrightarrow{u}}_i:1\le i\le j-1⟩\bigcap ⟨G_W⟩=\left\{\overrightarrow{0}\right\},\forall W\in {\mathcal{W}}_r,$$

then we can choose a column vector ${\overrightarrow{u}}_j\in F^{L+z}\setminus ⟨{\overrightarrow{u}}_i:1\le i\le j-1⟩$ such that

$$⟨{\overrightarrow{u}}_i:1\le i\le j⟩\bigcap ⟨G_W⟩=\left\{\overrightarrow{0}\right\},\forall W\in {\mathcal{W}}_r,$$

provided that $\left|F\right|>\left(\genfrac{}{}{0pt}{}{\left|\mathcal{E}\right|}{r}\right)$. We consider

$$\begin{array}{cc}\hfill & |F^{L+z}\setminus \bigcup _{W\in {\mathcal{W}}_r}⟨G_W,{\overrightarrow{u}}_1,{\overrightarrow{u}}_2,\cdots ,{\overrightarrow{u}}_{j-1}⟩|\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \ge {\left|F\right|}^{L+z}-|{\mathcal{W}}_r{|·|F|}^{nr+j-1}\hfill \end{array}$$

(30)

$$\begin{array}{cc}\hfill & \hspace{1em}\ge {\left|F\right|}^{nr+\tau L}-|{\mathcal{W}}_r{|·|F|}^{nr+\tau L-1}\hfill \end{array}$$

(31)

$$\begin{array}{cc}\hfill & \hspace{1em}\hspace{1em}\ge {\left|F\right|}^{nr+\tau L-1}·\left(\left|F\right|-|{\mathcal{W}}_r|\right)>0,\hfill \end{array}$$

(32)

where the inequality (30) follows because

$$\begin{array}{cc}\hfill dim\left(⟨G_W,{\overrightarrow{u}}_1,{\overrightarrow{u}}_2,\cdots ,{\overrightarrow{u}}_{j-1}⟩\right)& \le dim\left(⟨G_W⟩\right)+j-1\hfill \\ \hfill & \le n\left|W\right|+j-1=nr+j-1,\forall W\in {\mathcal{W}}_r;\hfill \end{array}$$

inequality (31) follows from $L+z\ge nr+\tau L$ according to (25) and inequality (32) follows from

$$\left|F\right|>\left(\genfrac{}{}{0pt}{}{\left|\mathcal{E}\right|}{r}\right)=\left|{\mathcal{W}}_r\right|.$$

Thus, we have proven the existence of such vectors ${\overrightarrow{u}}_i,1\le i\le \tau L$ that satisfy the condition (29).

With the vectors ${\overrightarrow{u}}_i,1\le i\le \tau L$, we let U be an F-valued $(L+z)\times (L+z)$ invertible matrix such that ${\overrightarrow{u}}_i,1\le i\le \tau L$ are the first $\tau L$ column vectors of U. Furthermore, we consider an $(L+z)\times \tau L$ matrix

$${\widehat{M}}_L\triangleq \left[\begin{array}{c}{M}_L\\ \mathbf{0}\end{array}\right],$$

(33)

where $\mathbf{0}$ is the $z\times \tau L$ zero matrix. In particular, when $z=0$ (cf. (24)), ${\widehat{M}}_L=M_L$. Recalling that $M_L$ has full column rank, we readily see that ${\widehat{M}}_L$ also has full column rank. With the full-column-rank matrix ${\widehat{M}}_L$, we let $\mathsf{\Gamma }$ be an F-valued $(L+z)\times (L+z)$ invertible matrix such that the column vectors of ${\widehat{M}}_L$ are the first $\tau L$ column vectors of $\mathsf{\Gamma }$. Then, we define the matrix

$$Q\triangleq \mathsf{\Gamma }·U^{-1},$$

(34)

which is of size $(L+z)\times (L+z)$ and also invertible over F.

Now, we consider the transformation $Q·\mathbf{C}$ of the code $\mathbf{C}$ by the matrix Q, i.e., $Q·\mathbf{C}$ is an F-valued $(L+z)$-dimensional linear network code on the network $\mathcal{N}$, of which all the global encoding matrices are

$$H_e\triangleq Q·G_e,\forall e\in \mathcal{E},$$

(cf. the transformation of a scalar-linear network code in [6], Section 19.3.1 and [19], Theorem 2). Next, we show that $\widehat{\mathbf{C}}\triangleq Q·\mathbf{C}$ is an admissible F-valued $(L,M_L)$ linear security network code for the security model $\{(L,M_L),r\}$ by verifying the decoding and security conditions.

Remark 1. 

We now discuss the computational complexity of our code construction. Our code construction consists of two parts: (i) constructing the two linear network codes ${\mathbf{C}}_1$ and ${\mathbf{C}}_2$ of different dimensions, which are used to multicast all the $L+z$ symbols to the sink nodes; and (ii) constructing the transformation matrix Q, or equivalently, constructing the $\tau L$ column $(L+z)$-vectors ${\overrightarrow{u}}_i,1\le i\le \tau L$ that satisfy the condition (29). We analyze the complexity of the two parts as follows.

• The linear network codes ${\mathbf{C}}_1$ and ${\mathbf{C}}_2$ can be constructed in polynomial time (cf. [4,6,7]);
• To obtain the column $(L+z)$-vectors ${\overrightarrow{u}}_i,1\le i\le \tau L$ that satisfy (29), we, in turn, choose $\tau L$ vectors ${\overrightarrow{u}}_i$ as follows:

  $${\overrightarrow{u}}_i\in F^{L+z}\setminus \bigcup _{W\in {\mathcal{W}}_r}⟨G_W,{\overrightarrow{u}}_1,{\overrightarrow{u}}_2,\cdots ,{\overrightarrow{u}}_{i-1}⟩.$$
  According to ([35], Lemma 11), the vectors ${\overrightarrow{u}}_i,1\le i\le \tau L$ can be found in

  $$\mathcal{O}\left(\tau L{(L+z)}^3|{\mathcal{W}}_r|+\tau L(L+z)|{\mathcal{W}}_r{|}^2\right).$$

By combining the above analysis, our code construction can be implemented in polynomial time.

▸

Verification of the decoding condition:

We continue to consider the output of the source $(\mathbf{b},\mathbf{k})$, where $\mathbf{b}\in F^L$ is the vector of source symbols, and $\mathbf{k}\in F^z$ is the key. In using the code $\widehat{\mathbf{C}}$, the implementation of the global encoding matrices $H_e,e\in \mathcal{E}$ is equivalent to linearly transforming $\left(\mathbf{b}\mathbf{k}\right)$ into $\mathit{x}\triangleq \left(\mathbf{b}\mathbf{k}\right)·Q$, then using the code $\mathbf{C}$ to multicast $\mathit{x}$ to all the sink nodes in T.

Since the vector $\mathit{x}$ can be correctly decoded at each $t\in T$ when applying the code $\mathbf{C}$, $\left(\mathbf{b}\mathbf{k}\right)$ can be also correctly decoded at each $t\in T$, as can the vector $\mathbf{b}$ of source symbols. Thus, we have verified the decoding condition.

▸

Verification of the security condition:

In order to verify the security condition (4), we need the next lemma, which plays a crucial role in our code construction. This lemma provides a necessary and sufficient condition for a linear security network code to satisfy the security condition (4). For an edge $e\in \mathcal{E}$, $⟨H_e⟩$ denotes the vector space spanned by the column vectors of $H_e$, i.e.,

$$⟨H_e⟩\triangleq ⟨{\overrightarrow{h}}_e^{\left(1\right)},{\overrightarrow{h}}_e^{\left(2\right)},\cdots ,{\overrightarrow{h}}_e^{\left(n\right)}⟩.$$

Furthermore, for a wiretap set $W\in {\mathcal{W}}_r$, we let $H_W$ be the $(L+z)\times nr$ matrix that contains all the column vectors of the global encoding matrices $H_e$ for all the edges $e\in W$, i.e.,

$$H_W=\left[H_e:e\in W\right]=\left[{\overrightarrow{h}}_e^{\left(1\right)}{\overrightarrow{h}}_e^{\left(2\right)}\cdots {\overrightarrow{h}}_e^{\left(n\right)}:e\in W\right].$$

We let

$$⟨H_W⟩\triangleq ⟨{\overrightarrow{h}}_e^{\left(1\right)},{\overrightarrow{h}}_e^{\left(2\right)},\cdots ,{\overrightarrow{h}}_e^{\left(n\right)}:e\in W⟩$$

be the vector space spanned by the column vectors of $H_W$. Evidently,

$$⟨H_W⟩=\sum _{e\in W}⟨H_e⟩.$$

Lemma 2. 

For the security model $\{(L,M_L),r\}$ over a finite field F with $0<r<C_{min}$, let $\widehat{\mathbf{C}}$ be an F-valued $(L,M_L)$ linear security network code, of which the global encoding matrices are $(L+z)\times n$ matrices $H_e=\left[{\overrightarrow{h}}_e^{\left(1\right)}{\overrightarrow{h}}_e^{\left(2\right)}\cdots {\overrightarrow{h}}_e^{\left(n\right)}\right],e\in \mathcal{E}$. Then, for the code $\widehat{\mathbf{C}}$, the security condition (4) is satisfied if and only if

$$⟨{\widehat{M}}_L⟩\bigcap ⟨H_W⟩=\{\overrightarrow{0}\},\forall W\in {\mathcal{W}}_r,$$

(35)

where ${\widehat{M}}_L=\left[\begin{array}{c}{M}_L\\ \mathbf{0}\end{array}\right]$ is an $(L+z)\times \tau L$ matrix as defined in (33).

Proof. 

See Appendix B. □

Now, we start to verify the security condition for our code construction. Toward this end, according to Lemma 2, it suffices to verify (35). For the constructed $(L,M_L)$ linear security network code $\widehat{\mathbf{C}}$, we have

$$⟨{\overrightarrow{u}}_i:1\le i\le \tau L⟩\bigcap ⟨G_W⟩=\{\overrightarrow{0}\},\forall W\in {\mathcal{W}}_r$$

(36)

(cf. (29)). We recall (34) that $Q=\mathsf{\Gamma }·U^{-1}$ is an $(L+z)\times (L+z)$ invertible matrix. Then, according to (36), we immediately obtain

$$\begin{array}{c}\hfill ⟨Q·{\overrightarrow{u}}_i:1\le i\le \tau L⟩\bigcap ⟨Q·G_W⟩=\{\overrightarrow{0}\},\forall W\in {\mathcal{W}}_r.\end{array}$$

(37)

We note that

$$\begin{array}{c}\hfill H_W=\left[H_e:e\in W\right]=Q·\left[G_e:e\in W\right]=Q·G_W,\forall W\in {\mathcal{W}}_r.\end{array}$$

(38)

Furthermore, we write

$$\begin{array}{c}\hfill \left[{\overrightarrow{u}}_1{\overrightarrow{u}}_2\cdots {\overrightarrow{u}}_{\tau L}\right]=U·\left[\begin{array}{c}{I}_{\tau L}\\ \mathbf{0}\end{array}\right],\end{array}$$

where we recall that ${\overrightarrow{u}}_i,1\le i\le \tau L$ are the first $\tau L$ column vectors of U, $I_{\tau L}$ is the $\tau L\times \tau L$ identity matrix and $\mathbf{0}$ is the $(L+z-\tau L)\times \tau L$ zero matrix. Then, we can see that

$$\begin{array}{cc}\hfill Q·\left[{\overrightarrow{u}}_1{\overrightarrow{u}}_2\cdots {\overrightarrow{u}}_{\tau L}\right]& =Q·U·\left[\begin{array}{c}{I}_{\tau L}\\ \mathbf{0}\end{array}\right]\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =\mathsf{\Gamma }·U^{-1}·U·\left[\begin{array}{c}{I}_{\tau L}\\ \mathbf{0}\end{array}\right]\hfill \\ \hfill & =\mathsf{\Gamma }·\left[\begin{array}{c}{I}_{\tau L}\\ \mathbf{0}\end{array}\right]\hfill \end{array}$$

(39)

$$\begin{array}{cc}\hfill & ={\widehat{M}}_L,\hfill \end{array}$$

(40)

where (39) follows from $Q=\mathsf{\Gamma }·U^{-1}$ (cf. (34)), and (40) follows because the column vectors of ${\widehat{M}}_L$ are the first $\tau L$ column vectors of $\mathsf{\Gamma }$. Combining (38) and (40) with (37), we immediately prove that

$$\begin{array}{c}\hfill ⟨{\widehat{M}}_L⟩\bigcap ⟨H_W⟩=\left\{\overrightarrow{0}\right\},\forall W\in {\mathcal{W}}_r.\end{array}$$

Thus, according to Lemma 2, we have verified the security condition. Combining all the above, Theorem 3 has been proven.

3.4. An Example to Illustrate Our Code Construction

Let $\mathcal{N}=(\mathcal{G},s,T=\{t_1,t_2\})$ be the butterfly network as depicted in Figure 1. For the security model $r=1$, we consider two linear-combination security models $\{(2,M_2),1\}$ and $\{(3,M_3),1\}$ over the field ${\mathbf{F}}_3=\{0,1,2\}$, where

$$M_2=\left[\begin{array}{c}1\\ 1\end{array}\right]\mathrm{and}{M}_3=\left[\begin{array}{cc}1& 0\\ 1& 1\\ 0& 1\end{array}\right].$$

(41)

Namely, in the $\{(2,M_2),1\}$ security model, the algebraic sum $B_1+B_2$ of the two source symbols is required to be protected from the wiretapper, and in the $\{(3,M_3),1\}$ security model, the algebraic sums $B_1+B_2$ and $B_2+B_3$ of the source symbols are required to be protected from the wiretapper.

Figure 1. The butterfly network: $\mathcal{N}=(\mathcal{G},s,T=\{t_1,t_2\})$.

• The security model: $\{(2,M_2),1\}$.

In this model, the source node s generates two source symbols $b_1$ and $b_2$ in ${\mathbf{F}}_3$, and the algebraic sum $b_1+b_2$ needs to be protected. According to (41), we have

$$m_2=\mathrm{Rank}\left(M_2\right)=1,\mathrm{and}\tau =\frac{m_2}{2}=\frac{1}{2}={\tau }_0=\frac{C_{min}-r}{C_{min}}.$$

Therefore, we have $0\le \tau \le {\tau }_0$, i.e., the first case in Theorem 2. Next, we construct an optimal ${\mathbf{F}}_3$-valued $(2,M_2)$ linear security network code for the $\{(2,M_2),1\}$ security model, which achieves a security capacity of 2.

According to our code construction, it follows from (23) and (24) that we take

$$n=⌈\frac{L}{C_{min}}⌉=1$$

and $z=0$ because $L=2\ge nr+\tau L=2$. We first consider an ${\mathbf{F}}_3$-valued two-dimensional scalar-linear network code ${\mathbf{C}}_1$ on the network $\mathcal{N}$, which is used to multicast two source symbols $b_1$ and $b_2$ in ${\mathbf{F}}_3$ to sink nodes $t_1$ and $t_2$. The global encoding matrices (vectors) of ${\mathbf{C}}_1$ are

$$\begin{array}{c}\hfill \begin{array}{c}\hfill G_{e_1}=G_{e_3}=G_{e_8}=\left[\begin{array}{c}1\\ 0\end{array}\right],G_{e_2}=G_{e_4}=G_{e_9}=\left[\begin{array}{c}0\\ 1\end{array}\right],\mathrm{and}{G}_{e_5}=G_{e_6}=G_{e_7}=\left[\begin{array}{c}1\\ 1\end{array}\right].\end{array}\end{array}$$

Clearly, the code ${\mathbf{C}}_1$ is not secure for the algebraic sum $b_1+b_2$ because the wiretapper can obtain $b_1+b_2$ by accessing the edge $e_5$ on which $b_1+b_2$ is transmitted. Based on the code ${\mathbf{C}}_1$, we now construct a $(2,M_2)$ scalar-linear security network code for the $\{(2,M_2),1\}$ security model.

Next, we let ${\overrightarrow{u}}_1=\left[\begin{array}{c}1\\ 2\end{array}\right]$, an ${\mathbf{F}}_3$-valued column 2-vector such that ${\overrightarrow{u}}_1\notin ⟨G_{e_i}⟩,\forall 1\le i\le 9$ (cf. (29)). Then, let $U=\left[\begin{array}{cc}1& 0\\ 2& 1\end{array}\right]$, a $2\times 2$ invertible matrix on ${\mathbf{F}}_3$ such that ${\overrightarrow{u}}_1$ is the first column vector of U. Furthermore, since $z=0$, we have ${\widehat{M}}_2=M_2=\left[\begin{array}{c}1\\ 1\end{array}\right]$ (cf. (33)) and let $\mathsf{\Gamma }=\left[\begin{array}{cc}1& 0\\ 1& 1\end{array}\right]$, which is a $2\times 2$ invertible matrix on ${\mathbf{F}}_3$ such that $\left[\begin{array}{c}1\\ 1\end{array}\right]$ is the first column vector of $\mathsf{\Gamma }$. According to (34), we calculate $Q=\mathsf{\Gamma }·U^{-1}=\left[\begin{array}{cc}1& 0\\ 2& 1\end{array}\right]$. Now, we obtain an admissible ${\mathbf{F}}_3$-valued $(2,M_2)$ scalar-linear security network code ${\widehat{\mathbf{C}}}_1=Q·{\mathbf{C}}_1$, of which the global encoding matrices (vectors) are $H_{e_i}=Q·G_{e_i},1\le i\le 9$. Specifically,

$$\begin{array}{c}\hfill \begin{array}{c}\hfill H_{e_1}=H_{e_3}=H_{e_8}=\left[\begin{array}{c}1\\ 2\end{array}\right],H_{e_2}=H_{e_4}=H_{e_9}=\left[\begin{array}{c}0\\ 1\end{array}\right],\mathrm{and}{H}_{e_5}=H_{e_6}=H_{e_7}=\left[\begin{array}{c}1\\ 0\end{array}\right].\end{array}\end{array}$$

We use $y_{e_i}$, which takes values in ${\mathbb{F}}_3$, to denote the message transmitted on each edge $e_i,1\le i\le 9$. According to the above global encoding matrices of ${\widehat{\mathbf{C}}}_1$, the messages $y_{e_i}(=(b_1,b_2)·H_e)$ transmitted on the edges $e_i,1\le i\le 9$ are

$$\begin{array}{c}\hfill \begin{array}{c}\hfill y_{e_1}=y_{e_3}=y_{e_8}=b_1+2b_2,y_{e_2}=y_{e_4}=y_{e_9}=b_2,\mathrm{and}{y}_{e_5}=y_{e_6}=y_{e_7}=b_1,\end{array}\end{array}$$

as depicted in Figure 2. We can readily verify the decoding and security conditions for the code ${\widehat{\mathbf{C}}}_1$. In particular, in this case, we see that although no randomness is used to randomize the source symbols, the wiretapper cannot obtain any information about the algebraic sum $b_1+b_2$ when any one edge is eavesdropped.

Figure 2. An ${\mathbf{F}}_3$-valued $(2,M_2)$ scalar-linear security network code for $\{(2,M_2),1\}$.

• The security model: $\{(3,M_3),1\}$.

In this model, the source node s generates three source symbols $b_1,b_2$ and $b_3$ in ${\mathbf{F}}_3$, and two algebraic sums $b_1+b_2$ and $b_2+b_3$ need to be protected. According to (41), we note that $m_3=\mathrm{Rank}\left(M_3\right)=2$; thus,

$$\tau =\frac{m_3}{3}=\frac{2}{3}>{\tau }_0=\frac{C_{min}-r}{C_{min}}=\frac{1}{2}.$$

Therefore, we have ${\tau }_0<\tau \le 1$, i.e., the second case in Theorem 2. Next, we construct an optimal ${\mathbf{F}}_3$-valued $(3,M_3)$ linear security network code for the $\{(3,M_3),1\}$ security model, which achieves a security capacity of $3/2$.

According to our code construction, it follows from (23) and (24) that we take

$$n=⌈\frac{\tau L}{C_{min}-r}⌉=2$$

and $z=1$ because $L<nr+\tau L$ according to $L=3$ and $nr+\tau L=4$. We consider an ${\mathbf{F}}_3$-valued four-dimensional (where $4=L+z$) linear network code ${\mathbf{C}}_2$ of rate 2, which is used to multicast the three source symbols $b_1$, $b_2$ and $b_3$ and a key k in ${\mathbf{F}}_3$ to the sink nodes $t_1$ and $t_2$. The $4\times 2$ global encoding matrices of ${\mathbf{C}}_2$ are

$$\begin{array}{c}\hfill \begin{array}{c}\hfill G_{e_1}=G_{e_3}=G_{e_8}=\left[\begin{array}{cc}1& 0\\ 0& 0\\ 0& 1\\ 0& 0\end{array}\right],G_{e_2}=G_{e_4}=G_{e_9}=\left[\begin{array}{cc}0& 0\\ 1& 0\\ 0& 0\\ 0& 1\end{array}\right],\mathrm{and}{G}_{e_5}=G_{e_6}=G_{e_7}=\left[\begin{array}{cc}1& 0\\ 1& 0\\ 0& 1\\ 0& 1\end{array}\right].\end{array}\end{array}$$

We note that the code ${\mathbf{C}}_2$ is not secure because the wiretapper can obtain some information about $b_1+b_2$ by accessing the edge $e_5$ on which $b_1+b_2$ and $b_3+k$ are transmitted. Based on the code ${\mathbf{C}}_2$, we now construct a linear secure network code for the $\{(3,M_3),1\}$ security model.

Let

$${\overrightarrow{u}}_1=\left[\begin{array}{c}1\\ 2\\ 0\\ 0\end{array}\right]\mathrm{and}{\overrightarrow{u}}_2=\left[\begin{array}{c}0\\ 0\\ 1\\ 2\end{array}\right]$$

be two ${\mathbf{F}}_3$-valued column 4-vectors such that $⟨{\overrightarrow{u}}_1,{\overrightarrow{u}}_2⟩\bigcap ⟨G_{e_i}⟩=\{\overrightarrow{0}\},\forall 1\le i\le 9$ (cf. (29)). Then, let

$$U=\left[\begin{array}{cccc}1& 0& 0& 0\\ 2& 0& 1& 0\\ 0& 1& 0& 0\\ 0& 2& 0& 1\end{array}\right]$$

be a $4\times 4$ invertible matrix on ${\mathbf{F}}_3$ such that ${\overrightarrow{u}}_1$ and ${\overrightarrow{u}}_2$ are the first two column vectors of U. Furthermore, since $z=1$, as mentioned above, we have

$${\widehat{M}}_3=\left[\begin{array}{cc}1& 0\\ 1& 1\\ 0& 1\\ 0& 0\end{array}\right]$$

(cf. (33)). Also let

$$\mathsf{\Gamma }=\left[\begin{array}{cccc}1& 0& 0& 0\\ 1& 1& 0& 0\\ 0& 1& 1& 0\\ 0& 0& 0& 1\end{array}\right]$$

be a $4\times 4$ invertible matrix on ${\mathbf{F}}_3$ such that the column vectors of ${\widehat{M}}_L$ are the first two column vectors of $\mathsf{\Gamma }$. According to (34), we calculate

$$Q=\mathsf{\Gamma }·U^{-1}=\left[\begin{array}{cccc}1& 0& 0& 0\\ 1& 0& 1& 0\\ 1& 1& 1& 0\\ 0& 0& 1& 1\end{array}\right],$$

Now, we obtain an admissible ${\mathbf{F}}_3$-valued $(3,M_3)$ linear security network code ${\widehat{\mathbf{C}}}_2=Q·{\mathbf{C}}_2$, of which the $4\times 2$ global encoding matrices are $H_{e_i}=Q·G_{e_i},1\le i\le 9$; specifically,

$$\begin{array}{c}\hfill \begin{array}{c}\hfill H_{e_1}=H_{e_3}=H_{e_8}=\left[\begin{array}{cc}1& 0\\ 1& 1\\ 1& 1\\ 0& 1\end{array}\right],H_{e_2}=H_{e_4}=H_{e_9}=\left[\begin{array}{cc}0& 0\\ 0& 0\\ 1& 0\\ 0& 1\end{array}\right],\mathrm{and}{H}_{e_5}=H_{e_6}=H_{e_7}=\left[\begin{array}{cc}1& 0\\ 1& 1\\ 2& 1\\ 0& 2\end{array}\right].\end{array}\end{array}$$

We use $y_{e_i}$, which takes values in ${\mathbb{F}}_3^2$, to denote the message transmitted on each edge $e_i,1\le i\le 9$. According to the above global encoding matrices of ${\widehat{\mathbf{C}}}_2$, the messages $y_{e_i}(=(b_1,b_2,b_3,k)·H_e)$ transmitted on the edges $e_i,1\le i\le 9$ are

$$\begin{array}{cc}\hfill & y_{e_1}=y_{e_3}=y_{e_8}=(b_1+b_2+b_3,b_2+b_3+k),\hfill \\ \hfill y_{e_2}=y_{e_4}& =y_{e_9}=(b_3,k),\mathrm{and}{y}_{e_5}=y_{e_6}=y_{e_7}=(b_1+b_2+2b_3,b_2+b_3+2k),\hfill \end{array}$$

as depicted in Figure 3.

Figure 3. An ${\mathbf{F}}_3$-valued $(3,M_3)$ linear-security network code for $\{(3,M_3),1\}$.

For the $\{(2,M_2),1\}$ and $\{(3,M_3),1\}$ security models, as discussed in the above example, according to Theorem 3, admissible linear security network codes with rates of 2 and $3/2$, respectively, can be constructed if the field size is $\left|F\right|>max\left\{\left|T\right|,\left(\genfrac{}{}{0pt}{}{\left|\mathcal{E}\right|}{r}\right)\right\}=9$. However, we see in the example that the field ${\mathbf{F}}_3$, of size 3 is sufficient for our code construction. This implies that the $max\left\{\left|T\right|,\left(\genfrac{}{}{0pt}{}{\left|\mathcal{E}\right|}{r}\right)\right\}$ bound in Theorem 3 on the field size is only sufficient but not necessary for our code construction.

4. Asymptotic Behavior of the Security Capacity

In this section, we investigate the asymptotic behavior of the security capacity. For a fixed network $\mathcal{N}$ and a security level r, we consider a sequence of the $\{(L,M_L),r\},L=1,2,\cdots$ security models. The following theorem characterizes the asymptotic behavior of the security capacity for a sequence of security models $\{(L,M_L),r\},L=1,2,\cdots$.

Theorem 4. 

Consider a sequence of linear-combination security models $\{(L,M_L),r\}$ over a finite field F for $L=1,2,\cdots$, where $0<r<C_{min}$ and $\left|F\right|>max\left\{\left|T\right|,\left(\genfrac{}{}{0pt}{}{\left|\mathcal{E}\right|}{r}\right)\right\}$. ${\mathcal{C}}_{L,M_L}$ denotes the security capacity for each model $\{(L,M_L),r\}$. Let

$${\tau }_L=\frac{m_L}{L},L=1,2,\cdots \mathit{and}{\tau }_0=\frac{C_{min}-r}{C_{min}},$$

where $m_L=\mathrm{Rank}\left(M_L\right)$ for $L=1,2,\cdots$.

• If ${\tau }_L\le {\tau }_0+o\left(1\right)$, then,

  $$\underset{L\to \infty }{lim}{\mathcal{C}}_{L,M_L}=C_{min}.$$
• If ${\tau }_L=\kappa +o\left(1\right)$, with κ satisfying ${\tau }_0<\kappa \le 1$, then,

  $$\underset{L\to \infty }{lim}{\mathcal{C}}_{L,M_L}={\kappa }^{-1}·(C_{min}-r).$$

Proof. 

We first consider the case of ${\tau }_L\le {\tau }_0+o\left(1\right)$. Then, there exists a non-negative sequence, $a_L,L=1,2,\cdots$ with $\underset{L\to \infty }{lim}{a}_L=0$, such that

$${\tau }_L\le {\tau }_0+a_L,L=1,2,\cdots .$$

(42)

We now use Theorem 2 to show that

$${\mathcal{C}}_{L,M_L}\ge \frac{L}{⌈({\tau }_0+a_L)·L/(C_{min}-r)⌉}.$$

(43)

To show this, consider the following two cases:

• If $0\le {\tau }_L\le {\tau }_0$, it follows from (19) that

  $${\mathcal{C}}_{L,M_L}=\frac{L}{⌈L/C_{min}⌉}=\frac{L}{⌈{\tau }_0·L/(C_{min}-r)⌉}\ge \frac{L}{⌈({\tau }_0+a_L)·L/(C_{min}-r)⌉};$$
• If ${\tau }_0<{\tau }_L\le 1$, then we obtain

  $${\mathcal{C}}_{L,M_L}=\frac{L}{⌈{\tau }_L·L/(C_{min}-r)⌉}\ge \frac{L}{⌈({\tau }_0+a_L)·L/(C_{min}-r)⌉},$$

  where the equality follows from (20), and the inequality follows from (42).

Combining (43) and (7) with Lemma 1, we further obtain that for each pair $(L,M_L)$,

$$\frac{L}{⌈({\tau }_0+a_L)·L/(C_{min}-r)⌉}\le {\mathcal{C}}_{L,M_L}\le \frac{L}{⌈L/C_{min}⌉}\le C_{min}.$$

(44)

We note that

$$\underset{L\to \infty }{lim}\frac{L}{⌈({\tau }_0+a_L)·L/(C_{min}-r)⌉}=C_{min}.$$

Together with (44), we have thus proven that

$$\underset{L\to \infty }{lim}{\mathcal{C}}_{L,M_L}=C_{min}.$$

Next, we consider a case in which ${\tau }_L=\kappa +o\left(1\right)$, where ${\tau }_0<\kappa \le 1$. Then, there exists a sequence $b_L$, $L=1,2,\cdots$ satisfying $\underset{L\to \infty }{lim}{b}_L=0$ such that

$${\tau }_L=\kappa +b_L,L=1,2,\cdots .$$

Here, we note that $b_L$ may be negative. Together with $\kappa >{\tau }_0$ and $\underset{L\to \infty }{lim}{b}_L=0$, there exists a positive integer $L_0$ such that for each $L\ge L_0$,

$$|b_L|<\kappa -{\tau }_0,\mathrm{i}.\mathrm{e}.,{\tau }_0-\kappa <b_L<\kappa -{\tau }_0,$$

which implies that

$${\tau }_L=\kappa +b_L>{\tau }_0,\forall L\ge L_0.$$

According to (20) in Theorem 2, we have

$${\mathcal{C}}_{L,M_L}=\frac{L}{⌈(\kappa +b_L)·L/(C_{min}-r)⌉},$$

so that

$$\underset{L\to \infty }{lim}{\mathcal{C}}_{L,M_L}={\kappa }^{-1}·(C_{min}-r).$$

Thus, the theorem is proven. □

According to Theorem 4, we can see that for a sequence of security models $\{(L,M_L),r\},L=1,2,\cdots$ that satisfies ${\tau }_L\le {\tau }_0+o\left(1\right)$ or ${\tau }_L=\kappa +o\left(1\right)$, where ${\tau }_0<\kappa \le 1$, our code construction is asymptotically optimal, i.e.,

$$\underset{L\to \infty }{lim}R\left({\widehat{\mathbf{C}}}_{L,M_L}\right)=\underset{L\to \infty }{lim}{\mathcal{C}}_{L,M_L},$$

(45)

where ${\widehat{\mathbf{C}}}_{L,M_L}$ is the code constructed for each model $\{(L,M_L),r\}$ by our code construction. To illustrate this, in the following, we consider several specific sequences of security models.

First, we consider a sequence of security models $\{(L,M_L),r\},L=1,2,\cdots$ in which all the ranks $\mathrm{Rank}\left(M_L\right),L=1,2,\cdots$ are upper-bounded by a constant, such as m, e.g., the security constraint of multiple algebraic sums,

$$\sum _{\genfrac{}{}{0pt}{}{i\in \left[L\right]:}{i\equiv j\left(\mathrm{mod}m\right)}}{B}_i,j=1,2,\cdots ,m$$

as discussed in the last paragraph of Section 2. With this, we have

$$\underset{L\to \infty }{lim}\frac{m_L}{L}=0,$$

which implies the inequality ${\tau }_L=m_L/L\le {\tau }_0+o\left(1\right)$. It then follows from the first case of Theorem 4 that

$$\underset{L\to \infty }{lim}{\mathcal{C}}_{L,M_L}=C_{min}.$$

Next, we show that our code construction is asymptotically optimal. We first note that

$${\tau }_L=\frac{m_L}{L}\le \frac{C_{min}-r}{C_{min}}={\tau }_0,\forall L\ge C_{min}·⌈\frac{m}{C_{min}-r}⌉.$$

Together with the first case of Theorem 3 (cf. (21)), the constructed code ${\widehat{\mathbf{C}}}_{L,M_L}$ achieves a rate of $R\left({\widehat{\mathbf{C}}}_{L,M_L}\right)=\frac{L}{⌈L/C_{min}⌉}$. This immediately implies that the equality (45) is satisfied, namely that our code construction is asymptotically optimal for this example.

Next, we consider a sequence of security models $\{(L,M_L),r\},L=1,2,\cdots$ in which all the ranks $m_L=\mathrm{Rank}\left(M_L\right)$ satisfy

$$m_L=⌈\kappa ·L⌉,L=1,2,\cdots .$$

We note that the sequence of $m_L,L=1,2,\cdots$ is not upper-bounded. According to Theorem 4, we can obtain the asymptotic behavior of the security capacity for the sequence of models $\{(L,M_L),r\},L=1,2,\cdots$ as follows:

$$\underset{L\to \infty }{lim}{\mathcal{C}}_{L,M_L}=\left\{\begin{array}{cc}{C}_{min},\hfill & \mathrm{if}0<\kappa \le {\tau }_0,\hfill \\ {\kappa }^{-1}·(C_{min}-r),\hfill & \mathrm{if}{\tau }_0<\kappa <1.\hfill \end{array}\right.$$

(46)

Furthermore, it follows from Theorem 3 that

$$\underset{L\to \infty }{lim}R\left({\widehat{\mathbf{C}}}_{L,M_L}\right)=\left\{\begin{array}{cc}{C}_{min},\hfill & \mathrm{if}0<\kappa \le {\tau }_0,\hfill \\ {\kappa }^{-1}·(C_{min}-r),\hfill & \mathrm{if}{\tau }_0<\kappa <1,\hfill \end{array}\right.$$

(47)

where ${\widehat{\mathbf{C}}}_{L,M_L}$ is the code constructed for each model $\{(L,M_L),r\}$ by the code construction. Comparing (46) and (47), we immediately see that the equality (45) holds, which shows that our code construction is asymptotically optimal for this example.

Finally, we consider the special sequence of security models $\{(L,M_L),r\}$ for $L=1,2,\cdots$, where $m_L=L$, i.e., ${\tau }_L=m_L/L=1$ for all $L=1,2,\cdots$. This linear-combination security constraint is equivalent to protecting all the source symbols from the wiretapper, so each model $\{(L,M_L),r\}$ is equivalent to the standard secure-network coding model. Thus, we have

$$\underset{L\to \infty }{lim}{\mathcal{C}}_{L,M_L}=C_{min}-r.$$

(48)

On the other hand, for each pair $(L,M_L)$, it follows from ${\tau }_L=1$ and Theorem 3 that the $(L,M_L)$ linear security network code ${\widehat{\mathbf{C}}}_{L,M_L}$ constructed by our code construction has a rate of

$$R\left({\widehat{\mathbf{C}}}_{L,M_L}\right)=\frac{L}{⌈L/(C_{min}-r)⌉}.$$

This implies that

$$\underset{L\to \infty }{lim}R\left({\widehat{\mathbf{C}}}_{L,M_L}\right)=C_{min}-r.$$

(49)

Combining (48) and (49), we see that the equality (45) holds, and thus, our code construction is also asymptotically optimal for this example.

5. Conclusions

In this paper, we put forward the model of multiple linear-combination security network coding, which is specified by the security level, the number of source symbols and the linear-combination security constraint. We fully characterized the security capacity for any such security model in terms of the ratio $\tau$ of the rank of the linear-combination security constraint to the number of source symbols. Also, we developed a construction of linear security network codes. The code construction is applicable to any security model, and the constructed code achieves the security capacity. We also determined a threshold value ${\tau }_0$ such that there is no penalty on the security capacity compared with the capacity without any security consideration when the ratio $\tau$ is not larger than ${\tau }_0$. Finally, we analyzed the asymptotic behavior of the security capacity for a sequence of linear-combination security models and fully characterized the asymptotic behavior of the security capacity. We also showed that our code construction is asymptotically optimal.