Multiple Linear-Combination Security Network Coding

In this paper, we put forward the model of multiple linear-combination security multicast network coding, where the wiretapper desires to obtain some information about a predefined set of multiple linear combinations of the source symbols by eavesdropping any one (but not more than one) channel subset up to a certain size r, referred to as the security level. For this model, the security capacity is defined as the maximum average number of source symbols that can be securely multicast to all sink nodes for one use of the network under the linear-combination security constraint. For any security level and any linear-combination security constraint, we fully characterize the security capacity in terms of the ratio of the rank of the linear-combination security constraint to the number of source symbols. Also, we develop a general construction of linear security network codes. Finally, we investigate the asymptotic behavior of the security capacity for a sequence of linear-combination security models and discuss the asymptotic optimality of our code construction.


Introduction
In 2000, Ahlswede et al. [1] proposed the general concept of network coding. In particular, they investigated the single-source multicast network coding problem, where the source symbols generated by a single source node are required to multicast to multiple sink nodes through a noiseless network while the nodes in the network are allowed to process the received information. It was proven in [1] that if coding is applied at the intermediate nodes (rather than routing only), the source node can multicast source symbols to all the sink nodes at the theoretically maximum rate, i.e., the smallest minimum cut capacity separating a sink node from the source node, as the alphabet size of both the information source and the channel transmission symbol tends toward infinity. In 2003, Li et al. [2] proved that linear network coding over a finite alphabet is sufficient for optimal multicast by means of a vector space approach. Independently, Koetter and Médard [3] developed an algebraic characterization of linear network coding by means of a matrix approach. Jaggi et al. [4] further presented a deterministic polynomial-time algorithm for constructing a linear network code. For comprehensive discussions of network coding, we refer the reader to [5][6][7][8][9][10].
In the paradigm of network coding, information-theoretic security in the presence of a wiretapper is naturally considered (cf. [11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28]), called the secure network coding problem. In the model of secure network coding over a wiretap network, (i) the source node multicasts the source symbols to all the sink nodes, which, as legal users, are required to correctly decode the source symbols; and (ii) the wiretapper, who can access any one but not more than one wiretap set of communication channels, is not allowed to obtain any information about the source symbols. The classical information-theoretically secure models, e.g., Shannon's cipher system [29], secret sharing [30,31] and the wiretap channel II [32], can be regarded as special cases of the secure network coding model. In particular, a wiretap network is called an r-wiretap network if the wiretapper can fully access an arbitrary subset of, at most, r edges, where the non-negative integer r is called the security level.
In the model of secure network coding, to guarantee the required information-theoretic security, it is necessary to randomize the source symbols to combat the wiretapper. Cai and Yeung [11] presented a code construction for the r-wiretap network. El Rouayheb et al. [12] further showed that the Cai-Yeung code construction can be viewed as a network generalization of the code construction for wiretap channel II in [32]. Motivated by El Rouayheb et al., Silva and Kschischang [13] proposed a universal design of security network codes based on rank-metric codes. For the constructions of security network codes in [11][12][13], however, the existing upper bounds on the minimum required alphabet size may be too large for implementation for certain applications in terms of computational complexity and storage requirement. Feldman et al. [33] showed that for a given security level, the alphabet size can be reduced by sacrificing a small fraction of the information rate. However, if the information rate is not sacrificed, whether it is possible to reduce the required alphabet size is considered an open problem [12,17]. Recently, Guang and Yeung [18] developed a systematic graph-theoretic approach to improve the upper bound on the minimum required alphabet size for the existence of secure network codes, achieving an improvement of general significance. Subsequently, in order to tackle the problem of secure network coding when the information rate and the security level may vary over time, Guang et al. [19] put forward local-encoding-preserving secure network coding, where a family of secure linear network codes is called local-encoding-preserving if all the codes in this family use a common local encoding operation at each intermediate node in the network. They also constructed a family of local-encoding-preserving secure linear network codes applicable for all possible pairs of rate and security level.
We note that the variable-rate linear network coding problem without security consideration was previously investigated by Fong and Yeung [34].
In this paper, we put forward the model of multiple linear-combination security network coding, where multiple linear combinations (containing single linear combination as a special case) of the source symbols are required to be protected from the wiretapper. More precisely, in this model over an r-wiretap network, (i) the single source node generates source symbols over a finite field F, and all the source symbols are required to be correctly decoded at all the sink nodes; and (ii) for a predefined set of linear combinations of the source symbols, the wiretapper, who can fully access any channel subset of a size not larger than r, is not allowed to obtain any information about these linear combinations. For the above security model with security level r, the (linear-combination) security capacity is defined as the maximum average number of source symbols that can be securely multicast to all the sink nodes for one use of the network under the above linear-combination security constraint. A model related to the current work is that considered by Bhattad and Narayanan [23], which contains weakly secure network coding as a special case. The relation between the current work and that of Bhattad and Narayanan [23] is discussed in Appendix A.
In this paper, we investigate the security capacity and the code construction for this model and analyze the asymptotic behavior of the security capacity and code construction for a sequence of linear-combination security models. The main contributions and organization of this paper are as follows:
• In Section 2, we formally present the model of linear-combination security network coding and the preliminaries, including the necessary notation and definitions.
• In Section 3, we characterize the security capacity by considering different cases of the security level r. We first prove that C min − 1 is the maximum security level such that the source symbols can be securely multicast to all sink nodes with a positive rate, where C min is the smallest minimum cut capacity separating a sink node from the source node. Therefore, the security capacity is zero for r ≥ C min . For any nontrivial security level 1 ≤ r ≤ C min − 1, we prove upper bounds on the security capacity in terms of the ratio τ of the rank of the linear-combination security constraint to the number of source symbols. We further develop a systematic construction of linear security network codes, which is applicable to an arbitrary linear-combination security model. Based on the obtained upper bounds and the developed code construction, we fully characterize the security capacity for any possible pair of the number of the source symbols and the linear-combination security constraint. We also determine the threshold value τ 0 such that there is no penalty on the security capacity compared with the capacity without any security consideration when the ratio τ is not larger than τ 0 .
• In Section 4, we fully characterize the asymptotic behavior of the security capacity for a sequence of linear-combination security models and prove that our code construction is asymptotically optimal.
• We conclude in Section 5 with a summary of our results.

Preliminaries
Consider a communication network whose communication channels are point-to-point. The network is represented by a directed acyclic graph G = (V, E ), where V and E are finite sets of nodes and edges, respectively. Here, an edge in the graph G corresponds to a point-to-point channel in the network. In the graph G, multiple edges between two nodes are allowed. We assume that an element in a finite field F can be reliably transmitted on each edge for each use. We use tail(e) and head(e) to denote the tail node and the head node of an edge e, respectively. For a node v ∈ V, we let In(v) = {e ∈ E : head(e) = v} and Out(v) = {e ∈ E : tail(e) = v}, i.e., In(v) and Out(v) are the set of input edges and the set of output edges, respectively. Furthermore, a sequence of edges (e 1 , e 2 , · · · , e m ) is called a (directed) path from the node tail(e 1 ) to the node head(e m ) if tail(e i ) = head(e i−1 ) for i = 2, 3, · · · , m. For two nodes u and v with u ≠ v, an edge subset C ⊆ E is called a cut separating v from u if no path exists from u to v upon removing the edges in C. The capacity of a cut separating v from u is defined as the size of this cut. A cut C separating v from u is called a minimum cut separating v from u if there does not exist a cut C′ separating v from u such that |C′| < |C|. The capacity of a minimum cut separating v from u is called the minimum cut capacity separating v from u, as denoted by mincut(u, v). There is a single source node s ∈ V and a set of sink nodes T ⊆ V \ {s} on the graph G. Without loss of generality, we assume that the source node s has no input edges and that every sink node t ∈ T has no output edges, i.e., In(s) = Out(t) = ∅, ∀ t ∈ T. The graph G, together with s and T, forms a network N denoted by N = (G, s, T).
The source node s generates L source symbols B 1 , B 2 , · · · , B L that are independent and identically distributed (i.i.d.) random variables with a uniform distribution on the finite field F. All the source symbols are required to be multicast to every sink node t in T by using the network N multiple times, i.e., transmitting multiple elements in F on each edge by using the edge multiple times. There is a wiretapper who can eavesdrop any edge subset of a size up to the security level r, while, for a positive integer m L , the m L linear combinations of the source symbols over the finite field F are required to be protected from the wiretapper, where a i,j , 1 ≤ i ≤ L, 1 ≤ j ≤ m L are constants in F; that is, the wiretapper is not allowed to obtain any information about the multiple linear combinations of the source symbols given in (1). Furthermore, we let B = (B 1 , B 2 , · · · , B L ), and is an L × m L matrix. Then, the m L linear combinations in (1) can be written as B· M L . Without loss of generality, we assume that m L ≤ L and that the matrix M L has full column rank, i.e., Rank(M L ) = m L .
In this model, the security level r is known by the source node and sink nodes, but which edge subset is eavesdropped by the wiretapper is unknown. It suffices to consider only the wiretap sets of a size exactly equal to r. Then, we let where each edge subset W ∈ W r is called a wiretap set. We use {(L, M L ), r} to denote the above linear-combination security model. Next, we define a (linear-combination) security network code for the security model {(L, M L ), r}. In order to combat the wiretapper, we may need randomness to randomize the source symbols. However, as we show, it is not always necessary to randomize the source symbols. As part of the code to be defined, we assume that the key K is a random variable uniformly distributed over a finite set K, which is available only at the source node s. The key K and the source symbols B i , i = 1, 2, · · · , L are assumed to be mutually independent. A (L, M L ) security network code is defined as follows. First, we let b i ∈ F and k ∈ K be arbitrary outputs of the source symbol B i and the key K, respectively, i = 1, 2, · · · , L. We further let b = (b 1 , b 2 , · · · , b L ), which is the output of the vector of source symbols B = (B 1 , B 2 , · · · , B L ). A (L, M L ) security network code C consists of:
• A local encoding function θ e for each edge e ∈ E , where θ e : with Im( θ e ) denoting the image set of θ e ;
• A decoding function for each sink node t ∈ T: Im( θ e ) → F L to decode the source symbols b 1 , b 2 , · · · , b L at t.
Furthermore, we use y e ∈ Im( θ e ) to denote the message transmitted on each edge e ∈ E by using the code C under b and k. With the encoding mechanism described in (2), we readily see that y e is a function of b and k, as denoted by h e (b k) (i.e., y e = h e (b k)), where h e can be obtained by recursively applying the local encoding functions θ e , e ∈ E according to any ancestral order of the edges in E .
More precisely, for each e ∈ E , we have where u = tail(e) and h E′ (b k) ≜ (h e (b k) : e ∈ E′) for an edge subset E′ ⊆ E so that h In(u) (b k) = (h e (b k) : e ∈ In(u)). We call h e the global encoding function of the edge e for the code C.
For the security model {(L, M L ), r}, a (L, M L ) security network code C = { θ e : e ∈ E ; ϕ t : t ∈ T} is admissible if the following decoding and security conditions are satisfied:

• Decoding condition: All the source symbols are correctly decoded for each sink node t ∈ T, i.e., for each t ∈ T,
• Security condition: for each wiretap set, W ∈ W r , where Y W ≜ (Y e : e ∈ W), and Y e ≜ h e (B, K) is the random variable transmitted on the edge e.
For an admissible (L, M L ) security network code C = { θ e : e ∈ E ; ϕ t : t ∈ T}, we let n e = ⌈log |F| |Im( θ e )|⌉ for each edge e in E , which is regarded as the number of times the edge e is used for transmission when applying the code C. We further let n( C) ≜ max e∈E n e . Then, the rate of C is defined by which is the average number of source symbols that can be securely multicast to all the sink nodes for one use of the network using the code C. According to the definition of the rate in (5), characterizing the security capacity C is equivalent to determining the minimum n( C) over all the admissible (L, M L ) security network codes, i.e., For instance, a special case of the linear-combination security model {(L, M L ), r} is algebraic-sum security network coding, as elaborated below. In this model, the source node s generates L source symbols B 1 , B 2 , · · · , B L , which are required to be multicast to every sink node t ∈ T, and the wiretapper, who can eavesdrop any edge subset of size r, is not allowed to obtain any information about the m algebraic sums of the source symbols: where 1 ≤ m ≤ L, and [L] ≜ {1, 2, · · · , L}. For this algebraic-sum security model, when m = 1, we adopt the convention that i ≡ 1(mod 1) for all i = 1, 2, · · · , L. Then, Equation (6) becomes thus, all the source symbols B 1 , B 2 , · · · , B L are required to be protected from the wiretapper. This is the standard model of secure network coding, which has been widely studied in the literature, e.g., [11][12][13][14][15][16][17][18][19][20][21][22][23][24].
An example scenario for the application of the linear-combination security model is as follows. A predefined set of linear combinations of the source symbols is required to be protected from the wiretapper, while other linear combinations are unprotected. The source node s generates L source symbols B 1 , B 2 , · · · , B L in the finite field F, which are required to be multicast to every sink node t ∈ T. The L × m L matrix M L is regarded as an F-valued parity-check matrix. We denote the solution space of the system of linear equations b · M L = 0 over F as V( 0), i.e., where 0 is the zero row m L -vector. According to the value of b · M L , for every output b ∈ F L of B = (B 1 , B 2 , · · · , B L ), the vector space F L can be partitioned into |F| m L cosets of the solution space given by V( a) : In this scenario, we desire to protect the information as to which coset V( a) the vector b lies in, which may contain some useful information for the wiretapper. In other words, the information about the specified linear combinations B · M L needs to be protected from the wiretapper, while other linear combinations are unprotected.

Upper Bounds on the Security Capacity
Consider a linear-combination security model {(L, M L ), r}. We first consider the trivial case of r ≥ C min , where C min ≜ min t∈T mincut(s, t). In this case, for a sink node t ∈ T such that mincut(s, t) = C min , the wiretapper is able to decode the source symbols, provided that the sink node t correctly decodes them. This shows that the security capacity is C = 0 for r ≥ C min , which implies that C min − 1 is an upper bound on the maximum security level for which the source symbols can be multicast with a positive rate. For another trivial case r = 0, the security model {(L, M L ), 0} becomes a single-source multicast network coding problem without any security consideration. Given the fact that the maximum rate at which the source symbols can be correctly multicast to all the sink nodes is C min (cf. [1,6]), we thus obtain that Next, we consider 0 < r < C min . We readily see that an admissible (L, M L ) security network code C is also a network code such that all the L source symbols can be correctly decoded at each t ∈ T. This immediately implies that n * can be lower-bounded by L/C min for any security level 0 < r < C min , i.e., Furthermore, we present the following lemma, which asserts a non-trivial lower bound on n * .

Lemma 1.
Consider a linear-combination security model {(L, M L ), r} with a security level of where τL = m L . To see this, we consider an arbitrary row vector x ∈ F τL and obtain where the equality Pr B = b = 1 |F| L holds because the source symbols B i , 1 ≤ i ≤ L are i.i.d. with the uniform distribution on F.
We now consider an arbitrary admissible (L, M L ) security network code: C = { θ e : e ∈ E ; ϕ t : t ∈ T}. For an edge subset C that separates a sink node t ∈ T from the source node s, it follows from the decoding condition (3) that H(B|Y C ) = 0. This immediately implies that Furthermore, for any wiretap set W ∈ W r with W ⊆ C, it follows from the security condition (4) that Combining (11) and (12), we obtain where the inequality (13) holds because Y e takes values in Im( θ e ), and the inequality (14) follows from n e = ⌈log |F| |Im( θ e )|⌉ ≥ log |F| |Im( θ e )|, and the inequality (15) follows from n( C) = max e∈E n e . Combining (9) and (15), we obtain Note that the above inequality is true for each sink node t ∈ T and all the pairs (C, W) of the cut C separating t from s and the wiretap set W ∈ W r such that W ⊆ C. We thus obtain According to the definition of C min , this lower bound is achievable for some t ∈ T and (W, C) ∈ W r × Λ t such that W ⊆ C. It then follows that Furthermore, since n( C) is an integer, we have In addition, because the above lower bound (16) on n( C) is valid for any admissible (L, M L ) security network code C, we obtain The lemma is thus proven.
The lower bounds in (7) and (8) on n * apply to all 0 < r < C min . For a specific value of τ, one of them can be tighter than the other. By comparing these bounds, we can readily obtain the upper bounds on the security capacity C as stated in the following theorem.
Proof. By comparing the lower bounds ( (7) and (8)) on n * , we immediately obtain implying that (18) implying that We have thus proven the theorem.

Characterization of the Security Capacity
Next, we present a code construction for the security model {(L, M L ), r} with 0 < r < C min , which shows that the upper bounds in Theorem 1 for both cases of τ are tight. We thus obtain a full characterization of the security capacity for the security model {(L, M L ), r}, as stated in the following theorem. Theorem 2. Consider a linear-combination security model {(L, M L ), r} over a finite field F, where 0 < r < C min and |F| > max |T|, • This theorem reveals the somewhat surprising fact that for the case of 0 ≤ τ ≤ τ 0 , there is no penalty on the security capacity compared with the capacity without any security consideration. In Section 4, we further investigate the asymptotic behavior of the security capacity for a sequence of the security models as L tends toward infinity. We not only characterize the asymptotic behavior of the security capacity but also show the asymptotic optimality of our construction.
We first define a linear security network code for the security model {(L, M L ), r}. Briefly, a (L, M L ) security network code C is linear if the local encoding functions for all the edges are linear. Specifically, we recall that b = (b 1 , b 2 , · · · , b L ) ∈ F L is an arbitrary output of the vector of source symbols B = (B 1 , B 2 , · · · , B L ). Let K = F z , where the non-negative integer z is specified later. Then, the key K is a random row vector uniformly distributed on F z . We further let k ∈ F z be an arbitrary output of K. Consequently, for a (L, M L ) linear security network code C, all the global encoding functions h e , e ∈ E are linear functions of b and k. Therefore, there exists an for each e ∈ E such that where n n( C), and H e is called the global encoding matrix of the edge e for the code C. In particular, if n( C) = 1, then the code C is called a (L, M L ) scalar-linear security network code.
In the following, for the nontrivial case of a security model {(L, M L ), r} with a security level of 0 < r < C min , we develop a construction of admissible (L, M L ) linear security network codes that can be applied to any pair (L, M L ). This code construction shows that the upper bounds in Theorem 1 for both cases of τ are tight, which we state in the following theorem.

Theorem 3. Consider a linear-combination security model
Then, there exists an admissible (L, M L ) linear security network code C such that • if τ 0 < τ ≤ 1, then

Proof of Theorem 3
In this subsection, we provide the proof of Theorem 3, which includes three parts: code construction, verification of the decoding condition and verification of the security condition.

Code construction:
We consider a linear-combination security model {(L, M L ), r} over a finite field F, where 0 < r < C min and $|F| > \max\{|T|, \binom{|E|}{r}\}$. In the following, we construct an admissible (L, M L ) linear security network code such that the L source symbols can be securely multicast to all the sink nodes by transmitting n symbols on each edge, i.e., using the network n times, where (cf. (21) and (22)). For any 0 ≤ τ ≤ 1, we let i.e., According to (24), when L ≥ nr + τL, it is unnecessary to randomize the source symbols to guarantee linear-combination security. Furthermore, for any pair (L, z) satisfying (24), we observe that nr + τL ≤ L + z ≤ nC min .
The first inequality in (25) is straightforward. To prove the second inequality, we consider two cases below.
Combining the two cases, we have proven the second inequality in (25). According to (25), we have L + z ≤ nC min . This implies that the L + z symbols in F generated by the source node s, which contain the L source symbols and the key of z symbols, can be multicast to all the sink nodes in T by using the network n times. To elaborate this, we first claim that • When 0 ≤ τ ≤ τ 0 , it follows from (23) that • When τ 0 < τ ≤ 1, according to (23), we obtain where the last two inequalities follow from (23) and (25), respectively.
Thus, we have proven (28). Now, we let b 1 , b 2 , · · · , b L+z be the L + z source symbols, and divide them into n groups b 1 , b 2 , · · · , b n−1 and b n , where for i = 1, 2, · · · , n − 1, b i contains C min source symbols, and b n contains the remaining L + z − (n − 1)C min source symbols. Here, we note from (25) and (28) that Thus, it suffices to construct, at most, 2 scalar-linear network codes of dimensions C min and ω L + z − (n − 1)C min , respectively, to multicast the L + z source symbols to all the sink nodes.
Let C 1 be a C min -dimensional scalar-linear network code in the network N , of which the global encoding vectors are column vectors f e in F C min for all e ∈ E , and let C 2 be an ω-dimensional scalar-linear network code on N , of which the global encoding vectors are column vectors f e in F ω for all e ∈ E (cf. [1,2] and [6]). We use two codes C 1 and C 2 to construct an (L + z)-dimensional (vector-) linear network code C on the network N such that n symbols are transmitted on each edge e ∈ E . Specifically, for each e ∈ E , we let which is an F-valued (L + z) × n matrix regarded as the global encoding matrix for the code C.
Next, for an edge e ∈ E , we use G e to denote the vector space spanned by the column vectors of the matrix G e , i.e., e , · · · , g (n) e . Furthermore, for a wiretap set W ∈ W r , we use G W to denote the (L + z) × nr matrix whose column vectors are the column vectors of G e for all the edges e ∈ W, i.e., Then, similarly, we use G W to denote the vector space spanned by the column vectors of the matrix G W , i.e., e , · · · , g (n) e : e ∈ W . Hence, we readily see that Now, we claim that there exist F-valued column (L + z)-vectors u i , i = 1, 2, · · · , τL such that To show this, we prove by induction on 1 ≤ j ≤ τL that if we have j − 1 linearly independent column vectors u 1 , u 2 , · · · , u j−1 in F L+z such that then we can choose a column vector u j ∈ F L+z \ u i : 1 ≤ i ≤ j − 1 such that where the inequality (30) follows because dim G W , u 1 , u 2 , · · · , u j−1 ≤ dim G W + j − 1 ≤ n|W| + j − 1 = nr + j − 1, ∀ W ∈ W r ; inequality (31) follows from L + z ≥ nr + τL according to (25) and inequality (32) follows from |F| > |E | r = |W r |.
Thus, we have proven the existence of such vectors u i , 1 ≤ i ≤ τL that satisfy the condition (29).
With the vectors u i , 1 ≤ i ≤ τL, we let U be an F-valued (L + z) × (L + z) invertible matrix such that u i , 1 ≤ i ≤ τL are the first τL column vectors of U. Furthermore, we consider an (L + z) × τL matrix where 0 is the z × τL zero matrix. In particular, when z = 0 (cf. (24)), M L = M L . Recalling that M L has full column rank, we readily see that M L also has full column rank. With the full-column-rank matrix M L , we let Γ be an F-valued (L + z) × (L + z) invertible matrix such that the column vectors of M L are the first τL column vectors of Γ. Then, we define the matrix which is of size (L + z) × (L + z) and also invertible over F. Now, we consider the transformation Q · C of the code C by the matrix Q, i.e., Q · C is an F-valued (L + z)-dimensional linear network code on the network N , of which all the global encoding matrices are H e Q · G e , ∀ e ∈ E , (cf. the transformation of a scalar-linear network code in [6], Section 19.3.1 and [19], Theorem 2). Next, we show that C Q · C is an admissible F-valued (L, M L ) linear security network code for the security model {(L, M L ), r} by verifying the decoding and security conditions. Remark 1. We now discuss the computational complexity of our code construction. Our code construction consists of two parts: (i) constructing the two linear network codes C 1 and C 2 of different dimensions, which are used to multicast all the L + z symbols to the sink nodes; and (ii) constructing the transformation matrix Q, or equivalently, constructing the τL column (L + z)vectors u i , 1 ≤ i ≤ τL that satisfy the condition (29). We analyze the complexity of the two parts as follows.

• The linear network codes C 1 and C 2 can be constructed in polynomial time (cf. [4,6,7]);
• To obtain the column (L + z)-vectors u i , 1 ≤ i ≤ τL that satisfy (29), we, in turn, choose τL vectors u i as follows: According to ([35], Lemma 11), the vectors u i , 1 ≤ i ≤ τL can be found in

By combining the above analysis, our code construction can be implemented in polynomial time.

Verification of the decoding condition:
We continue to consider the output of the source (b, k), where b ∈ F L is the vector of source symbols, and k ∈ F z is the key. In using the code C, the implementation of the global encoding matrices H e , e ∈ E is equivalent to linearly transforming (b k) into x (b k) · Q, then using the code C to multicast x to all the sink nodes in T.
Since the vector x can be correctly decoded at each t ∈ T when applying the code C, (b k) can be also correctly decoded at each t ∈ T, as can the vector b of source symbols. Thus, we have verified the decoding condition.

Verification of the security condition:
In order to verify the security condition (4), we need the next lemma, which plays a crucial role in our code construction. This lemma provides a necessary and sufficient condition for a linear security network code to satisfy the security condition (4). For an edge e ∈ E , H e denotes the vector space spanned by the column vectors of H e , i.e., e , · · · , h (n) e . Furthermore, for a wiretap set W ∈ W r , we let H W be the (L + z) × nr matrix that contains all the column vectors of the global encoding matrices H e for all the edges e ∈ W, i.e., We let e , · · · , h where M L = M L 0 is an (L + z) × τL matrix as defined in (33).

Proof. See Appendix B.
Now, we start to verify the security condition for our code construction. Toward this end, according to Lemma 2, it suffices to verify (35). For the constructed (L, M L ) linear security network code C, we have (cf. (29)). We recall (34) that Q = Γ · U −1 is an (L + z) × (L + z) invertible matrix. Then, according to (36), we immediately obtain We note that Furthermore, we write where we recall that u i , 1 ≤ i ≤ τL are the first τL column vectors of U, I τL is the τL × τL identity matrix and 0 is the (L + z − τL) × τL zero matrix. Then, we can see that where (39) follows from Q = Γ · U −1 (cf. (34)), and (40) follows because the column vectors of M L are the first τL column vectors of Γ. Combining (38) and (40) with (37), we immediately prove that Thus, according to Lemma 2, we have verified the security condition. Combining all the above, Theorem 3 has been proven.

An Example to Illustrate Our Code Construction
Let N = (G, s, T = {t 1 , t 2 }) be the butterfly network as depicted in Figure 1. For the security model r = 1, we consider two linear-combination security models {(2,  In this model, the source node s generates two source symbols b 1 and b 2 in F 3 , and the algebraic sum b 1 + b 2 needs to be protected. According to (41), we have Therefore, we have 0 ≤ τ ≤ τ 0 , i.e., the first case in Theorem 2. Next, we construct an optimal F 3 -valued (2, M 2 ) linear security network code for the {(2, M 2 ), 1} security model, which achieves a security capacity of 2. According to our code construction, it follows from (23) and (24) that we take n = L C min = 1 and z = 0 because L = 2 ≥ nr + τL = 2. We first consider an F 3 -valued two-dimensional scalar-linear network code C 1 on the network N , which is used to multicast two source symbols b 1 and b 2 in F 3 to sink nodes t 1 and t 2 . The global encoding matrices (vectors) of C 1 are , G e 2 = G e 4 = G e 9 = 0 1 , and G e 5 = G e 6 = G e 7 = 1 1 .
Clearly, the code C 1 is not secure for the algebraic sum b 1 + b 2 because the wiretapper can obtain b 1 + b 2 by accessing the edge e 5 on which b 1 + b 2 is transmitted. Based on the code C 1 , we now construct a (2, M 2 ) scalar-linear security network code for the {(2, M 2 ), 1} security model.
We use y e i , which takes values in F 3 , to denote the message transmitted on each edge e i , 1 ≤ i ≤ 9. According to the above global encoding matrices of C 1 , the messages y e i (= (b 1 , b 2 ) · H e ) transmitted on the edges e i , 1 ≤ i ≤ 9 are y e 1 = y e 3 = y e 8 = b 1 + 2b 2 , y e 2 = y e 4 = y e 9 = b 2 , and y e 5 = y e 6 = y e 7 = b 1 , as depicted in Figure 2. We can readily verify the decoding and security conditions for the code C 1 . In particular, in this case, we see that although no randomness is used to randomize the source symbols, the wiretapper cannot obtain any information about the algebraic sum b 1 + b 2 when any one edge is eavesdropped. In this model, the source node s generates three source symbols b 1 , b 2 and b 3 in F 3 , and two algebraic sums b 1 + b 2 and b 2 + b 3 need to be protected. According to (41), we note that m 3 = Rank(M 3 ) = 2; thus, Therefore, we have τ 0 < τ ≤ 1, i.e., the second case in Theorem 2. Next, we construct an optimal F 3 -valued (3, M 3 ) linear security network code for the {(3, M 3 ), 1} security model, which achieves a security capacity of 3/2. According to our code construction, it follows from (23) and (24) that we take n = τL C min − r = 2 and z = 1 because L < nr + τL according to L = 3 and nr + τL = 4. We consider an F 3 -valued four-dimensional (where 4 = L + z) linear network code C 2 of rate 2, which is used to multicast the three source symbols b 1 , b 2 and b 3 and a key k in F 3 to the sink nodes t 1 and t 2 . The 4 × 2 global encoding matrices of C 2 are We note that the code C 2 is not secure because the wiretapper can obtain some information about b 1 + b 2 by accessing the edge e 5 on which b 1 + b 2 and b 3 + k are transmitted. Based on the code C 2 , we now construct a linear secure network code for the {(3, M 3 ), 1} security model. 
Let Now, we obtain an admissible F 3 -valued (3, M 3 ) linear security network code C 2 = Q · C 2 , of which the 4 × 2 global encoding matrices are H e i = Q · G e i , 1 ≤ i ≤ 9; specifically, We use y e i , which takes values in F 2 3 , to denote the message transmitted on each edge e i , 1 ≤ i ≤ 9. According to the above global encoding matrices of C 2 , the messages y e i (= (b 1 , b 2 , b 3 , k) · H e ) transmitted on the edges e i , 1 ≤ i ≤ 9 are y e 1 = y e 3 = y e 8 = (b 1 + b 2 + b 3 , b 2 + b 3 + k), y e 2 = y e 4 = y e 9 = (b 3 , k), and y e 5 = y e 6 = y e 7 = (b 1 + b 2 + 2b 3 , b 2 + b 3 + 2k), as depicted in Figure 3. For the {(2, M 2 ), 1} and {(3, M 3 ), 1} security models, as discussed in the above example, according to Theorem 3, admissible linear security network codes with rates of 2 and 3/2, respectively, can be constructed if the field size is |F| > max |T|, ( |E | r ) = 9. However, we see in the example that the field F 3 , of size 3 is sufficient for our code construction. This implies that the max |T|, ( |E | r ) bound in Theorem 3 on the field size is only sufficient but not necessary for our code construction.
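The security claims of this example can be checked mechanically. The following Python sketch is an added example, not code from the paper: it tests condition (35) of Lemma 2 (the column spaces of the protected combinations and of the wiretapped edge share only the zero vector) and, independently, enumerates every source/key vector over F_3 to see whether an eavesdropped edge skews the distribution of the protected combinations. The edge vectors are transcribed from the edge messages listed above; the function names and the zero padding of M_3 in the key coordinate are assumptions of this sketch.

```python
from collections import Counter
from itertools import product

P = 3  # the example works over the field F_3

def combine(coeffs, vectors):
    """F_3-linear combination of equal-length vectors."""
    return tuple(sum(c * v[i] for c, v in zip(coeffs, vectors)) % P
                 for i in range(len(vectors[0])))

def span(cols):
    return {combine(c, cols) for c in product(range(P), repeat=len(cols))}

def meets_trivially(M, H):
    """Condition (35): column spaces of M and H share only the zero vector."""
    return span(M) & span(H) == {(0,) * len(M[0])}

def apply(v, cols):
    """Row vector v times the matrix whose columns are `cols`."""
    return tuple(sum(a * b for a, b in zip(v, col)) % P for col in cols)

def leaks(M, H):
    """Enumerate all (b, k): does seeing (b k)H skew the distribution of (b k)M?"""
    joint = Counter((apply(v, H), apply(v, M))
                    for v in product(range(P), repeat=len(M[0])))
    xs = {x for _, x in joint}
    ys = {y for y, _ in joint}
    # Secure iff, for every observed y, every value x is equally frequent.
    return any(len({joint[(y, x)] for x in xs}) != 1 for y in ys)

# Columns read off the edge messages in the example (coefficients of b1, b2[, b3, k]).
M2 = [(1, 1)]                                  # protects b1 + b2
C1_E5 = [(1, 1)]                               # C_1 sends b1 + b2 on e5
SECURE_1 = {"e1": [(1, 2)], "e2": [(0, 1)], "e5": [(1, 0)]}
M3 = [(1, 1, 0, 0), (0, 1, 1, 0)]              # b1 + b2 and b2 + b3; key row 0 (assumed)
C2_E5 = [(1, 1, 0, 0), (0, 0, 1, 1)]           # C_2 sends (b1 + b2, b3 + k) on e5
SECURE_2 = {"e1": [(1, 1, 1, 0), (0, 1, 1, 1)],
            "e2": [(0, 0, 1, 0), (0, 0, 0, 1)],
            "e5": [(1, 1, 2, 0), (0, 1, 1, 2)]}

def audit(M, edges):
    """Per edge: (condition (35) holds, brute force finds a leak)."""
    return {e: (meets_trivially(M, H), leaks(M, H)) for e, H in edges.items()}

if __name__ == "__main__":
    print(audit(M2, SECURE_1), audit(M2, {"e5": C1_E5}))
    print(audit(M3, SECURE_2), audit(M3, {"e5": C2_E5}))
```

Only one representative of each group of edges carrying the same message is listed, since edges with identical messages give identical results.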

Asymptotic Behavior of the Security Capacity
In this section, we investigate the asymptotic behavior of the security capacity. For a fixed network $N$ and a security level $r$, we consider a sequence of the $\{(L, M_L), r\}$, $L = 1, 2, \cdots$ security models. The following theorem characterizes the asymptotic behavior of the security capacity for a sequence of security models $\{(L, M_L), r\}$, $L = 1, 2, \cdots$.

Theorem 4. Consider a sequence of linear-combination security models $\{(L, M_L), r\}$ over a finite field $\mathbb{F}$ for $L = 1, 2, \cdots$, where $0 < r < C_{\min}$ and $|\mathbb{F}| > \max\{|T|, \binom{|E|}{r}\}$. $C_{L,M_L}$ denotes the security capacity for each model $\{(L, M_L), r\}$. Let

Proof. We first consider the case of $\tau_L \le \tau_0 + o(1)$. Then, there exists a non-negative sequence, $a_L$, $L = 1, 2, \cdots$ with $\lim_{L \to \infty} a_L = 0$, such that We now use Theorem 2 to show that To show this, consider the following two cases: where the equality follows from (20), and the inequality follows from (42).
Combining (43) and (7) with Lemma 1, we further obtain that for each pair $(L, M_L)$, We note that lim Together with (44), we have thus proven that $\lim_{L \to \infty} C_{L,M_L} = C_{\min}$.
Next, we consider a case in which $\tau_L = \kappa + o(1)$, where $\tau_0 < \kappa \le 1$. Then, there exists a sequence $b_L$, $L = 1, 2, \cdots$ satisfying $\lim_{L \to \infty} b_L = 0$ such that Here, we note that $b_L$ may be negative. Together with $\kappa > \tau_0$ and $\lim_{L \to \infty} b_L = 0$, there exists a positive integer $L_0$ such that for each $L \ge L_0$, According to (20) in Theorem 2, we have Thus, the theorem is proven.
To illustrate this, in the following, we consider several specific sequences of security models. First, we consider a sequence of security models $\{(L, M_L), r\}$, $L = 1, 2, \cdots$ in which all the ranks $\mathrm{Rank}(M_L)$, $L = 1, 2, \cdots$ are upper-bounded by a constant, such as $m$, e.g., the security constraint of multiple algebraic sums, Next, we show that our code construction is asymptotically optimal. We first note that Together with the first case of Theorem 3 (cf. (21)), the constructed code $\widehat{C}_{L,M_L}$ achieves a rate of $R(\widehat{C}_{L,M_L}) = L/\lceil L/C_{\min} \rceil$. This immediately implies that the equality (45) is satisfied, namely that our code construction is asymptotically optimal for this example.
Next, we consider a sequence of security models $\{(L, M_L), r\}$, $L = 1, 2, \cdots$ in which all the ranks $m_L = \mathrm{Rank}(M_L)$ satisfy We note that the sequence of $m_L$, $L = 1, 2, \cdots$ is not upper-bounded. According to Theorem 4, we can obtain the asymptotic behavior of the security capacity for the sequence of models $\{(L, M_L), r\}$, $L = 1, 2, \cdots$ as follows: Furthermore, it follows from Theorem 3 that where $\widehat{C}_{L,M_L}$ is the code constructed for each model $\{(L, M_L), r\}$ by the code construction.
Comparing (46) and (47), we immediately see that the equality (45) holds, which shows that our code construction is asymptotically optimal for this example. Finally, we consider the special sequence of security models $\{(L, M_L), r\}$ for $L = 1, 2, \cdots$, where $m_L = L$, i.e., $\tau_L = m_L/L = 1$ for all $L = 1, 2, \cdots$. This linear-combination security constraint is equivalent to protecting all the source symbols from the wiretapper, so each model $\{(L, M_L), r\}$ is equivalent to the standard secure-network coding model. Thus, we have On the other hand, for each pair $(L, M_L)$, it follows from $\tau_L = 1$ and Theorem 3 that the $(L, M_L)$ linear security network code $\widehat{C}_{L,M_L}$ constructed by our code construction has a rate of $R(\widehat{C}_{L,M_L}) = L/\lceil L/(C_{\min} - r) \rceil$.

This implies that lim
Combining (48) and (49), we see that the equality (45) holds, and thus, our code construction is also asymptotically optimal for this example.

Conclusions
In this paper, we put forward the model of multiple linear-combination security network coding, which is specified by the security level, the number of source symbols and the linear-combination security constraint. We fully characterized the security capacity for any such security model in terms of the ratio τ of the rank of the linear-combination security constraint to the number of source symbols. Also, we developed a construction of linear security network codes. The code construction is applicable to any security model, and the constructed code achieves the security capacity. We also determined a threshold value τ 0 such that there is no penalty on the security capacity compared with the capacity without any security consideration when the ratio τ is not larger than τ 0 . Finally, we analyzed the asymptotic behavior of the security capacity for a sequence of linear-combination security models and fully characterized the asymptotic behavior of the security capacity. We also showed that our code construction is asymptotically optimal.
Author Contributions: All authors contributed equally to this work. All authors have read and agreed to the published version of the manuscript.

Acknowledgments: A special case of the results presented in this paper was discussed in our submission to the 2023 IEEE Information Theory Workshop. We thank an anonymous reviewer for pointing out the relation between our submission and the work of Bhattad and Narayanan [23].

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. A Related Work by Bhattad and Narayanan
A model related to the current work is that considered by Bhattad and Narayanan [23], the general case of which is given as follows. On the network $N$, the single source node $s$ generates $L$ ($L \le C_{\min}$) source symbols, as denoted by $X_1, X_2, \cdots, X_L$, over a finite field $\mathbb{F}$, which are required to be multicast to all the sink nodes in $T$. Let $U_p$, $1 \le p \le P$, be $P$ subsets of the $L$ source symbols and $G_p$, $1 \le p \le P$, be another $P$ subsets of the $L$ source symbols. The security requirement is specified by the $P$ pairs $(U_p, G_p)$, $1 \le p \le P$, as follows. The wiretapper, who can access any one wiretap set $W$ in a collection $\mathcal{W}$ of wiretap sets, is not allowed to obtain any information about $U_p$, given $G_p$ for each $p = 1, 2, \cdots, P$, i.e., for each $p = 1, 2, \cdots, P$, where $Y_W = (Y_e : e \in W)$, with $Y_e$ being the random variable transmitted on the edge $e$. In particular, when taking $P = L$, $U_p = \{X_p\}$ and $G_p = \emptyset$ for $1 \le p \le P$, the security requirement (A1) becomes This type of security requirement is called weak security in [23]. For the above model, the main focus in [23] is on how to find a suitable linear transformation of the $L$ source symbols for a given linear network code to obtain a secure linear network code such that the security requirement (A1) is satisfied. Theorem 3 in [23], the most general result presented in the paper, asserts the existence of such a linear transformation when a given condition is satisfied. We state this theorem as follows.
Theorem A1 ([23], Theorem 3). Consider an $L$-dimensional ($L \le C_{\min}$) network code $C$ over a finite field $\mathbb{F}$ and a collection of wiretap sets $\mathcal{W}$ in which $r = \max_{W \in \mathcal{W}} |W|$. Let $(U_p, G_p)$, $1 \le p \le P$, be $P$ pairs of subsets $U_p$ and $G_p$ of the $L$ source symbols, which specify the security requirement.
then there exists a linear transformation of the source symbols as a precoding on the linear network code $C$ such that the security requirement (A1) is satisfied.
We now go back to the linear-combination security model $\{(L, M_L), r\}$ discussed in the current paper. Consider the first case $0 \le \tau \le \tau_0$ in Theorem 2, where we recall that $\tau = m_L/L$, where $m_L = \mathrm{Rank}(M_L)$ and $\tau_0 = (C_{\min} - r)/C_{\min}$. Then, we can apply the approach of the linear transformation in Theorem A1 (cf. [23] for details) to obtain a $(L, M_L)$ linear security network code, provided that the following two additional conditions on the model parameters are satisfied: Specifically, we consider a linear-combination security model $\{(L, M_L), r\}$ satisfying the conditions (A3), where the $L$ source symbols $B_1, B_2, \cdots, B_L$ are required to be multicast to all the sink nodes in $T$, and the multiple linear combinations $B \cdot M_L$, where $B = (B_1, B_2, \cdots, B_L)$, are required to be protected from the wiretapper. We first linearly transform $B = (B_1, B_2, \cdots, B_L)$ to $(X_1, X_2, \cdots, X_L)$ using an $L \times L$ invertible matrix $M$ whose left $L \times m_L$ submatrix is equal to $M_L$. Then, we have $(X_1, X_2, \cdots, X_L) = (B_1, B_2, \cdots, B_L) \cdot M$, where $(X_1, X_2, \cdots, X_{m_L}) = (B_1, B_2, \cdots, B_L) \cdot M_L$.
We now apply Theorem A1 as follows. Take $X_1, X_2, \cdots, X_L$ as the source symbols. Let $U = \{X_1, X_2, \cdots, X_{m_L}\}$, $G = \emptyset$ and $\mathcal{W} = \mathcal{W}_r$. According to $\tau \le (L - r)/L$, we see that $|U| + |G| = m_L \le L - r$, which satisfies the condition (A2) in Theorem A1. It therefore follows from Theorem A1 that we can construct a linear secure network code such that $X_1, X_2, \cdots, X_L$ can be multicast to all the sink nodes in $T$, and the wiretapper cannot obtain any information about $U$, i.e., $I(X_1, X_2, \cdots, X_{m_L}; Y_W) = 0$, $\forall\, W \in \mathcal{W}_r$, or, equivalently, $I(B \cdot M_L; Y_W) = 0$, $\forall\, W \in \mathcal{W}_r$.
Hence, we obtain an admissible $(L, M_L)$ linear security network code for the security model $\{(L, M_L), r\}$. However, the second case $\tau_0 < \tau \le 1$ in Theorem 2 cannot be handled by the approach proposed in [23]. Specifically, according to $\tau > \tau_0$, we have This implies that $|U| + |G| = m_L > L - r$, which does not satisfy the condition (A2) in Theorem A1. Hence, we cannot apply the linear transformation approach for the case of $\tau_0 < \tau \le 1$.

Appendix B. Proof of Lemma 2
We first prove the "only if" part by contradiction. Suppose, on the contrary, that there exists a wiretap set $W \in \mathcal{W}_r$ such that In the following, we prove that which contradicts the security condition (4) for the code C.
According to (A4), there exist two non-zero column vectors $w \in \mathbb{F}^{n|W|}$ $(= \mathbb{F}^{nr})$ and $u \in \mathbb{F}^{\tau L}$ such that $H_W \cdot w = M_L \cdot u \ne \vec{0}$, where $\vec{0}$ is the zero-column $(L + z)$-vector. Then, we obtain where the equality in (A7) follows from $Y_W = (B\ K) \cdot H_W$, the equality in (A8) follows from (A6), the equality in (A9) follows from $H(B \cdot M_L \cdot u \mid B \cdot M_L) = 0$ and the inequality in (A9) follows from $M_L \cdot u \ne \vec{0}$ because $u \ne \vec{0}$, and $M_L$ has full column rank. Thus, the inequality in (A5) is proven.

Next, we prove the "if" part. According to the security condition (4), we prove that if the condition in (35) is satisfied. To prove (A10), it suffices to show that for each $W \in \mathcal{W}_r$, the equality is satisfied for any row vector $x \in \mathbb{F}^{\tau L}$ and any row vector $y \in \mathbb{F}^{nr}$ such that $\Pr(Y_W = y) > 0$, i.e., there exists a pair $(b\ k)$ of a vector of source symbols $b \in \mathbb{F}^L$ and a key $k \in \mathbb{F}^z$ such that $(b\ k) \cdot H_W = y$. We recall that $\Pr(B \cdot M_L = x) = 1/|\mathbb{F}|^{\tau L}$, $\forall\, x \in \mathbb{F}^{\tau L}$ (cf. (10)). Thus, we only need to prove that for each $W \in \mathcal{W}_r$, $\Pr(B \cdot M_L = x \mid Y_W = y) = 1/|\mathbb{F}|^{\tau L}$ for any $x \in \mathbb{F}^{\tau L}$ and $y \in \mathbb{F}^{nr}$ such that $\Pr(Y_W = y) > 0$. We now consider where we use "#{·}" to denote the cardinality of the set, and the equality (A12) follows because $B$ and $K$ are independently and uniformly distributed on $\mathbb{F}^L$ and $\mathbb{F}^z$, respectively. Furthermore,
• For the denominator in (A12), we have
• For the numerator in (A12), we have where the equality (A14) follows from the following condition: $\langle M_L \rangle \cap \langle H_W \rangle = \{\vec{0}\}$ (cf. (35)).
Combining (A13) and (A14) with (A12), we immediately prove that $\Pr(B \cdot M_L = x \mid Y_W = y) = 1/|\mathbb{F}|^{\tau L}$, which implies the equality in (A11). The "if" part is also proven. We have thus proven the lemma.