Relative Generalized Rank Weight of Linear Codes and Its Applications to Network Coding

Jun Kurihara, Member, IEEE, Ryutaroh Matsumoto, Member, IEEE, and Tomohiko Uyematsu, Senior Member, IEEE

arXiv:1301.5482v1 [cs.IT] 23 Jan 2013

Abstract

By extending the notion of minimum rank distance, this paper introduces two new relative code parameters of a linear code $C_1$ of length $n$ over a field extension $\mathbb{F}_{q^m}$ and its subcode $C_2 \subsetneq C_1$. One is called the relative dimension/intersection profile (RDIP), and the other is called the relative generalized rank weight (RGRW). We clarify their basic properties and the relation between the RGRW and the minimum rank distance. As applications of the RDIP and the RGRW, the security performance and the error correction capability of secure network coding, guaranteed independently of the underlying network code, are analyzed and clarified. Silva and Kschischang showed the existence of a secure network coding in which no part of the secret message is revealed to the adversary even if any $\dim C_1 - 1$ links are wiretapped, which is guaranteed over any underlying network code. However, the explicit construction of such a scheme remained an open problem. We solve this open problem by proposing a new scheme and clarifying its performance with the RDIP and the RGRW.

Index Terms

Network error correction, rank distance, relative dimension/intersection profile, relative generalized Hamming weight, relative generalized rank weight, secure network coding.

I. Introduction

Secure network coding was first introduced by Cai and Yeung [6], and further investigated by Feldman et al. [11]. In the scenario of secure network coding, a source node transmits $n$ packets from $n$ outgoing links to sink nodes through a network that implements network coding [1], [17], [21], and each sink node receives $N$ packets from $N$ incoming links. In the network, there is an adversary who eavesdrops $\mu$ links.
The problem of secure network coding is how to encode a secret message into $n$ transmitted packets at the source node, in such a way that the adversary obtains as little information as possible about the message in terms of information theoretic security.

As shown in [4], [10], secure network coding can be seen as a generalization of secret sharing schemes [2], [31] or the wiretap channel II [30] to network coding. The problem of secret sharing schemes is how to encode a secret message into $n$ information symbols called shares in such a way that the message can be recovered only from certain subsets of shares. In order to solve both problems of secure network coding and secret sharing schemes, the nested coset coding scheme [40] is commonly used to encode a secret message to shares/transmitted packets, e.g., it has been used in [9], [10], [27], [30], [31], [34]. The nested coset coding scheme is defined by a linear code $C_1 \subseteq \mathbb{F}_{q^m}^n$ and its subcode $C_2 \subsetneq C_1$ with $\dim C_2 = \dim C_1 - l$ ($l \ge 1$) over $\mathbb{F}_{q^m}$, where $\mathbb{F}_{q^m}$ denotes an $m$-degree ($m > 0$) field extension of a field $\mathbb{F}_q$ of order $q$. From a secret message of $l$ elements in $\mathbb{F}_{q^m}$, it generates each transmitted packet/each share defined as an element of $\mathbb{F}_{q^m}$.

Duursma and Park [9] defined the coset distance as a relative code parameter of $C_1$ and $C_2$. The coset distance is the minimum value of the Hamming weight of codewords in $C_1 \setminus C_2$. They revealed that in the case of secret sharing schemes using the nested coset coding scheme, the security guarantee of the scheme is exactly expressed in terms of the coset distance when the message consists of one information symbol, i.e., $l = 1$. Motivated by their result using the coset distance, we [18] generalized their analysis to a secret message consisting of multiple ($l \ge 1$) information symbols. In [18], it was clarified that the minimum uncertainty of the message given $\mu$ ($< n$) shares is exactly expressed in terms of a relative code parameter of $C_1$ and $C_2$, called the relative dimension/length profile (RDLP) [23]. The paper [18] also introduced a definition of the security in secret sharing schemes for the information leakage of every possible subset of elements composing the message by generalizing the security definition of strongly secure ramp threshold secret sharing schemes [39]. It was revealed in [18] that this security is also exactly expressed in terms of a relative code parameter of $C_1$ and $C_2$, called the relative generalized Hamming weight (RGHW) [23], where the coset distance coincides with the first RGHW.

(Footnote: This research was partially supported by the MEXT Grant-in-Aid for Scientific Research (A) No. 23246071. The material in this paper was presented in part at the 2012 IEEE International Symposium on Information Theory, Cambridge, MA, USA, Jul. 2012 [19], and in part at the 50th Annual Allerton Conference on Communication, Control, and Computing, Monticello, IL, USA, Oct. 2012 [20]. J. Kurihara is with KDDI R&D Laboratories, Inc., 2–1–15 Ohara, Fujimino-shi, Saitama, 356–8502 Japan. T. Uyematsu and R. Matsumoto are with Department of Communications and Integrated Systems, Tokyo Institute of Technology, 2–12–1 Ookayama, Meguro-ku, Tokyo, 152–8550 Japan.)

The main aim of this paper is to extend the work in [18] to the security analysis of secure network coding based on the nested coset coding schemes, and to clarify its security performance guaranteed over any underlying network coded network. To this end, in Section II of this paper, we first introduce two new relative code parameters called the relative dimension/intersection profile (RDIP) and the relative generalized rank weight (RGRW), and give some basic properties of the RDIP and the RGRW. Similar to the aim of this paper, Ngai et al.
[27] introduced a code parameter called the network generalized Hamming weight (NGHW), and later Zhang et al. [42] extended NGHW to the relative generalized network Hamming weight (RNGHW). The value of the (R)NGHW depends on the underlying network topology and the network code, and hence the security performance expressed in terms of the (R)NGHW is not guaranteed independently of the underlying network code. We will clarify the relation between the RNGHW and the proposed parameters in Section II-B. We note that the generalized rank weight [29] was introduced by Oggier and Sboui concurrently and independently of the conference version [20] of this paper, and that the generalized rank weight is a special case of the RGRW. In Section II, we also clarify that the RGRW can be viewed as a generalization of the minimum rank distance [14] of a linear code.

In order to measure the security performance of secure network coding, we first define a criterion called the universal equivocation $\Theta_{\mu,P_{S,X}}$, in Section III, which is the minimum uncertainty of the message under observation with $\mu$ links for the joint distribution $P_{S,X}$ of the secret message $S$ and the transmitted packets $X$. Although $P_{S,X}$ has been assumed to be uniform for the definition of $\Theta_{\mu,P_{S,X}}$ in the conference version of this paper [20], we make no assumption regarding $P_{S,X}$ in this paper. In [6], [10], [27], [42], the minimum uncertainty of the message was analyzed, but their analyses depend on the underlying network code. In contrast, $\Theta_{\mu,P_{S,X}}$ is guaranteed independently of the underlying network code. Hence, it is called universal in the sense of [34]. Next, we introduce the second criterion. Consider the case where $\Theta_{\mu,P_{S,X}}$ is less than the Shannon entropy of the secret message. Then, some part of the secret message could be uniquely determined by the adversary.
It is clearly desirable that no part of the secret message is deterministically revealed and that every part is kept hidden, even if some information of the secret message leaks to the adversary. From this observation, we define the universal $\omega$-strong security to be the condition where the mutual information between any $r$ $\mathbb{F}_{q^m}$-symbols of the secret message and observed packets from arbitrary $\omega - r + 1$ tapped links ($1 \le r \le l$) is always zero. Note that $\omega$ is defined independently of the underlying network code and universal. The universal strong security defined in [19], [33] is a special case for $\omega = n - 1$.

The rest of Section III of this paper clarifies the universal security performance of secure network coding based on the nested coset coding scheme with $C_1$ and $C_2$. We first present the upper and lower bound of the mutual information leaked from a set of tapped links with an arbitrary distribution $P_{S,X}$. By using this analysis, we demonstrate that the upper and lower bounds of $\Theta_{\mu,P_{S,X}}$ are expressed in terms of the RDIP of $C_1$ and $C_2$ for arbitrary $P_{S,X}$, and the maximum possible value of $\omega$, defined as the universal maximum strength $\Omega$, is expressed in terms of the RGRW of $C_1$ and $C_2$. Moreover, in terms of $\Omega$, we express the upper bound of the maximum mutual information between a part of the secret message and observed packets for arbitrary $P_{S,X}$, which is independent of the underlying network code.

On the other hand, the adversary in the scenario of network coding might be able to not only eavesdrop but also inject erroneous packets anywhere in the network, and the network may suffer from a rank deficiency of the transfer matrix at a sink node. The second aim of this paper is to reveal the error correction capability of secure network coding based on the nested coset coding schemes with $C_1$ and $C_2$.
For the error correction problem of secure network coding, in Section IV, we define the universal error correction capability against at most $t$ injected error packets and at most $\rho$ rank deficiency of the transfer matrix of a sink node. This is called universal because it is guaranteed independently of the underlying network code, as well as $\Theta_{\mu,P_{S,X}}$ and $\Omega$. We clarified that in secure network coding based on the nested coset coding scheme with $C_1$ and $C_2$, the universal error correction capability against $t$ errors and $\rho$ rank deficiency is expressed in terms of the first RGRW of $C_1$ and $C_2$. Although the conference version [20] of this paper considered only the case where the transfer matrix is completely known to each sink node, the analysis in this paper includes not only the case of known transfer matrices but also the case where the transfer matrix is unknown to every sink node.

As an application of the above analyses by the RDIP and the RGRW, this paper also proposes a universal strongly secure network coding constructed from the nested coset coding schemes with $C_1$ and $C_2$, and provides its analysis. In [34], Silva and Kschischang proposed a secure network coding scheme based on the nested coset coding scheme with maximum rank distance (MRD) codes $C_1$ and $C_2$ [14]. Their scheme guarantees that the universal equivocation $\Theta_{\mu,P_{S,X}}$ for $\mu \le \dim C_2$ equals the Shannon entropy [8] of the secret message $S$ when the distribution of the transmitted packets $X$ is conditionally uniform given $S$. This implies that no information about the message leaks out even if any $\dim C_2$ links are observed by an adversary. In [33], they also show the existence of the nested coset coding scheme that guarantees the universal maximum strength $\Omega = \dim C_1 - 1 = n - 1$ for $C_1 = \mathbb{F}_{q^m}^n$. However, an explicit construction of the nested coset coding scheme achieving $\Omega = \dim C_1 - 1$ had remained an open problem [33]. Inspired
Inspired 1 by Nishiara et al.’s strongly secure threshold ramp secret sharing scheme [28] using a systematic Reed- Solomon code, Section V of this paper proposes an explicit construction using a systematic MRD code with Ω = dimC − 1, and solves the open problem. The earlier version of the proposed scheme was 1 presented in the conference paper [19]. We note that in [19], the error correction in the scheme was not considered at all. With the addition of error correction, the scheme proposed in this paper is an extension of the earlier version. The analysis of universal security performance of the proposed scheme is provided as an application of the RDIP and the RGRW, which is a different approach from the analysis in the conference version [19] and also from [33], [34]. We also provide an analysis of the universal error correction capability of our scheme as an application of the RGRW. As well as the scheme of Silva and Kschischang [34], the proposed scheme guarantees, independently of the underlying network code, that no information of the secret message is obtained from any µ ≤ dimC tapped links, and that the secret 2 message is correctly decodable against any t error packets injected somewhere in the network and ρ rank deficiency of the transfer matrix of the sink node whenever n − dimC + 1 < 2t + ρ holds. Moreover, 1 our scheme also always guarantees that no information about any r F -symbols of the secret message qm is obtained by the adversary with µ = dimC − r tapped links (1 ≤ r ≤ l), unlike Silva et al.’s scheme 1 [33], [34]. Our only assumption in the proposed scheme is that the network must transport packets of size m ≥ l+n symbols. Note that the proposed scheme completely solves the open problem posed at the end of Section V-B of the survey paper of Cai and Chan on secure network coding [4]. Here again, we briefly show the structure of this paper. The remainder of this paper is organized as follows. 
Section II defines the RDIP and RGRW of linear codes, and introduces their basic properties. We also show their relations to the existing code parameters in this section. Section III defines the universal security performance over the wiretap network model, and reveals that the universal security performance of secure network coding is exactly expressed in terms of the RDIP and the RGRW. In Section IV, we also reveal that the universal error correction capability of secure network coding is exactly expressed in terms of the RGRW. As an example, an explicit construction of strongly secure network coding is proposed in Section V, and its security performance and error correction capability are analyzed by the RDIP and the RGRW. Finally, Section VI presents our conclusions.

II. New Parameters of Linear Codes and Their Properties

A. Notations and Preliminaries

Let $\mathbb{F}_q$ be a finite field containing $q$ elements and $\mathbb{F}_{q^m}$ be an $m$-degree field extension of $\mathbb{F}_q$ ($m \ge 1$). Let $\mathbb{F}_q^n$ denote an $n$-dimensional row vector space over $\mathbb{F}_q$. Similarly, $\mathbb{F}_{q^m}^n$ denotes an $n$-dimensional row vector space over $\mathbb{F}_{q^m}$. Unless otherwise stated, we consider subspaces, ranks, dimensions, etc., over the field extension $\mathbb{F}_{q^m}$ instead of the base field $\mathbb{F}_q$.

An $[n,k]$ linear code $C$ over $\mathbb{F}_{q^m}^n$ is a $k$-dimensional subspace of $\mathbb{F}_{q^m}^n$. Let $C^\perp$ denote a dual code of a code $C$. A subspace of a code is called a subcode [24]. For $C \subseteq \mathbb{F}_{q^m}^n$, we denote by $C|\mathbb{F}_q$ a subfield subcode $C \cap \mathbb{F}_q^n$ [24]. Observe that $\dim C$ means the dimension of $C$ as a vector space over $\mathbb{F}_{q^m}$ whereas $\dim C|\mathbb{F}_q$ is the dimension of $C|\mathbb{F}_q$ over $\mathbb{F}_q$.

For a vector $v = [v_1,\dots,v_n] \in \mathbb{F}_{q^m}^n$ and a subspace $V \subseteq \mathbb{F}_{q^m}^n$, we denote $v^q = [v_1^q,\dots,v_n^q]$ and $V^q = \{v^q : v \in V\}$. For a subspace $V \subseteq \mathbb{F}_{q^m}^n$, we define by $V^* \triangleq \sum_{i=0}^{m-1} V^{q^i}$ the sum of subspaces $V, V^q, \dots, V^{q^{m-1}}$. Define a family of subspaces $V \subseteq \mathbb{F}_{q^m}^n$ satisfying $V = V^q$ by

$$\Gamma(\mathbb{F}_{q^m}^n) \triangleq \left\{ \mathbb{F}_{q^m}\text{-linear subspace } V \subseteq \mathbb{F}_{q^m}^n : V = V^q \right\}.$$

Also define $\Gamma_i(\mathbb{F}_{q^m}^n) \triangleq \{V \in \Gamma(\mathbb{F}_{q^m}^n) : \dim V = i\}$.
For $\Gamma(\mathbb{F}_{q^m}^n)$, we have the following lemmas given in [36].

Lemma 1 ([36, Lemma 1]). Let $V \subseteq \mathbb{F}_{q^m}^n$ be a subspace. Then, the following are equivalent: 1) $V \in \Gamma(\mathbb{F}_{q^m}^n)$, 2) There is a basis of $V$ consisting of vectors in $\mathbb{F}_q^n$. In particular, $V \in \Gamma(\mathbb{F}_{q^m}^n)$ if and only if $\dim V|\mathbb{F}_q = \dim V$.

Lemma 2 ([36]). For a subspace $V \subseteq \mathbb{F}_{q^m}^n$, $V^*$ is the smallest subspace in $\Gamma(\mathbb{F}_{q^m}^n)$ containing $V$.

Lemma 3 ([36]). For a subspace $V \subseteq \mathbb{F}_{q^m}^n$, $\dim V^* \le m \dim V$.

B. Definitions of New Parameters

We first define the relative dimension/intersection profile (RDIP) of linear codes as follows.

Definition 4 (Relative Dimension/Intersection Profile). Let $C_1 \subseteq \mathbb{F}_{q^m}^n$ be a linear code and $C_2 \subsetneq C_1$ be its subcode. Then, the $i$-th relative dimension/intersection profile (RDIP) of $C_1$ and $C_2$ is the greatest difference between dimensions of intersections, defined as

$$K_{R,i}(C_1,C_2) \triangleq \max_{V \in \Gamma_i(\mathbb{F}_{q^m}^n)} \left\{ \dim(C_1 \cap V) - \dim(C_2 \cap V) \right\}, \tag{1}$$

for $0 \le i \le n$.

Next, we define the relative generalized rank weight (RGRW) of linear codes as follows.

Definition 5 (Relative Generalized Rank Weight). Let $C_1 \subseteq \mathbb{F}_{q^m}^n$ be a linear code and $C_2 \subsetneq C_1$ be its subcode. Then, the $i$-th relative generalized rank weight (RGRW) of $C_1$ and $C_2$ is defined by

$$M_{R,i}(C_1,C_2) \triangleq \min\left\{ \dim V : V \in \Gamma(\mathbb{F}_{q^m}^n),\ \dim(C_1 \cap V) - \dim(C_2 \cap V) \ge i \right\}, \tag{2}$$

for $0 \le i \le \dim(C_1/C_2)$.

In [29], Oggier and Sboui proposed the generalized rank weight that can be viewed as a special case of the RGRW with $C_2 = \{0\}$.

Here we briefly explain the relation between these new parameters and the existing relative parameters defined by a code and its subcode. For an index set $I \subseteq \{1,\dots,n\}$, define a subspace $E_I \triangleq \{x = [x_1,\dots,x_n] \in \mathbb{F}_{q^m}^n : x_i = 0 \text{ for } i \notin I\} \subseteq \mathbb{F}_{q^m}^n$. We have $\dim E_I = |I|$. Let $\Lambda(\mathbb{F}_{q^m}^n)$ and $\Lambda_i(\mathbb{F}_{q^m}^n)$ for $0 \le i \le n$ be collections of $\mathbb{F}_{q^m}$-linear subspaces of $\mathbb{F}_{q^m}^n$, defined by

$$\Lambda(\mathbb{F}_{q^m}^n) \triangleq \left\{ E_I \subseteq \mathbb{F}_{q^m}^n : I \subseteq \{1,\dots,n\} \right\},$$

$$\Lambda_i(\mathbb{F}_{q^m}^n) \triangleq \left\{ E_I \in \Lambda(\mathbb{F}_{q^m}^n) : \dim E_I = i \right\}.$$

The $i$-th relative dimension/length profile (RDLP) defined by Luo et al.
[23] is obtained by replacing $\Gamma_i(\mathbb{F}_{q^m}^n)$ in (1) with $\Lambda_i(\mathbb{F}_{q^m}^n)$. Also, the relative generalized Hamming weight (RGHW) [23] is given by replacing $\Gamma(\mathbb{F}_{q^m}^n)$ in (2) with $\Lambda(\mathbb{F}_{q^m}^n)$. Additionally, the generalized Hamming weight (GHW) [38] is obtained by replacing $\Gamma(\mathbb{F}_{q^m}^n)$ in (2) with $\Lambda(\mathbb{F}_{q^m}^n)$ and setting $C_2 = \{0\}$.

Remark 6. For an arbitrary index set $I \subseteq \{1,\dots,n\}$, a basis of $E_I$ is $\{e^{(i)} = [e^{(i)}_1,\dots,e^{(i)}_n] : i \in I\}$ from the definition of $E_I$, where $e^{(i)}_j = 1$ if $i = j$, and $e^{(i)}_j = 0$ if $i \ne j$. This implies that a basis of $E_I$ consists of vectors in $\mathbb{F}_q^n$, and hence we have $E_I \in \Gamma(\mathbb{F}_{q^m}^n)$ from Lemma 1. We thus have $\Lambda(\mathbb{F}_{q^m}^n) \subseteq \Gamma(\mathbb{F}_{q^m}^n)$ and $\Lambda_i(\mathbb{F}_{q^m}^n) \subseteq \Gamma_i(\mathbb{F}_{q^m}^n)$. This implies that the RDIP of linear codes is always greater than or equal to the RDLP of the codes, and that the RGRW of linear codes is always smaller than or equal to the RGHW of the codes.

We also show the relation between the RGRW and the relative network generalized Hamming weight (RNGHW) [42]. Let $\mathcal{F}$ be a set of some one-dimensional subspaces of $\mathbb{F}_q^n$. Each subspace in $\mathcal{F}$ was defined as a space spanned by a global coding vector [13] of each link in the network coded network. (For the definition of global coding vectors, see Section III-A or [13].) Let $2^{\mathcal{F}}$ be the power set of $\mathcal{F}$. For $2^{\mathcal{F}}$, define a set of direct sums of subspaces by

$$\Upsilon_{\mathcal{F}} \triangleq \left\{ W \subseteq \mathbb{F}_q^n : W = \sum_{V \in J} V,\ J \in 2^{\mathcal{F}} \right\}.$$

We restrict the degree $m$ of field extension $\mathbb{F}_{q^m}$ to $m = 1$, i.e., $C_1$ and $C_2$ are $\mathbb{F}_q$-linear subspaces of $\mathbb{F}_q^n$. Then, the RNGHW of $C_1$ and $C_2$ for the network is obtained by replacing $\Gamma(\mathbb{F}_{q^m}^n)$ in (2) with $\Upsilon_{\mathcal{F}}$. In addition, the network generalized Hamming weight (NGHW) [27] is obtained by replacing $\Gamma(\mathbb{F}_{q^m}^n)$ in (2) with $\Upsilon_{\mathcal{F}}$ and setting $C_2 = \{0\}$, as the relation between the RGHW and the GHW.

Remark 7. Note that in the definitions of RNGHW and NGHW, the field over which the global coding vectors are defined must coincide with the field over which linear codes $C_1$ and $C_2$ are defined. Hence, we restricted the degree $m$ to 1 of the field extension $\mathbb{F}_{q^m}$ over which $C_1$ and $C_2$ are defined. In the case of $m = 1$, we have $\Upsilon_{\mathcal{F}} \subseteq \Gamma(\mathbb{F}_{q^m}^n)$. Thus, the RGRW of $C_1$ and $C_2$ for $m = 1$ is always smaller than or equal to the RNGHW.

C. Basic Properties of the RDIP and the RGRW

This subsection introduces some basic properties of the RDIP and the RGRW. They will be used for expressions of the universal security performance (Section III) and the universal error correction capability (Section IV) of secure network coding.

Theorem 8 (Monotonicity of the RDIP). Let $C_1 \subseteq \mathbb{F}_{q^m}^n$ be a linear code and $C_2 \subsetneq C_1$ be its subcode. Then, the $i$-th RDIP $K_{R,i}(C_1,C_2)$ is nondecreasing with $i$ from $K_{R,0}(C_1,C_2) = 0$ to $K_{R,n}(C_1,C_2) = \dim(C_1/C_2)$, and $0 \le K_{R,i+1}(C_1,C_2) - K_{R,i}(C_1,C_2) \le 1$ holds.

Proof: $K_{R,0}(C_1,C_2) = 0$ and $K_{R,n}(C_1,C_2) = \dim(C_1/C_2)$ are obvious from Definition 4. By Lemma 1, for any subspace $V_1 \in \Gamma_{i+1}(\mathbb{F}_{q^m}^n)$, some $V_2$'s satisfying $V_2 \in \Gamma_i(\mathbb{F}_{q^m}^n)$ and $V_2 \subsetneq V_1$ always exist. This yields $K_{R,i}(C_1,C_2) \le K_{R,i+1}(C_1,C_2)$.

Next we show that the increment at each step is at most 1. Consider arbitrary subspaces $V, V' \in \Gamma(\mathbb{F}_{q^m}^n)$ such that $\dim V' = \dim V + 1$ and $V \subsetneq V'$. Let $f = \dim(C_1 \cap V) - \dim(C_2 \cap V)$ and $g = \dim(C_1 \cap V') - \dim(C_2 \cap V')$. Since $\dim(C_1 \cap V) + 1 \ge \dim(C_1 \cap V') \ge \dim(C_1 \cap V)$ and $C_2 \subsetneq C_1$, we have $f + 1 \ge g \ge f$ and hence $K_{R,i}(C_1,C_2) + 1 \ge K_{R,i+1}(C_1,C_2) \ge K_{R,i}(C_1,C_2)$.

We note that if we replace $\Gamma_i(\mathbb{F}_{q^m}^n)$ with $\Lambda_i(\mathbb{F}_{q^m}^n)$ in Theorem 8, it coincides with [23, Proposition 1] for the monotonicity of the RDLP.

Lemma 9. Let $C_1 \subseteq \mathbb{F}_{q^m}^n$ be a linear code and $C_2 \subsetneq C_1$ be its subcode. Then, the $i$-th RGRW $M_{R,i}(C_1,C_2)$ is strictly increasing with $i$. Moreover, $M_{R,0}(C_1,C_2) = 0$ and

$$M_{R,i}(C_1,C_2) = \min\left\{ j : K_{R,j}(C_1,C_2) = i \right\} = \min\left\{ \dim V : V \in \Gamma(\mathbb{F}_{q^m}^n),\ \dim(C_1 \cap V) - \dim(C_2 \cap V) = i \right\},$$

for $0 \le i \le \dim(C_1/C_2)$.
Proof: First we have

$$\min\left\{ j : K_{R,j}(C_1,C_2) \ge i \right\} = \min\left\{ j : \exists V \in \Gamma_j(\mathbb{F}_{q^m}^n) \text{ such that } \dim(C_1 \cap V) - \dim(C_2 \cap V) \ge i \right\}$$
$$= \min\left\{ \dim V : V \in \Gamma(\mathbb{F}_{q^m}^n),\ \dim(C_1 \cap V) - \dim(C_2 \cap V) \ge i \right\} = M_{R,i}(C_1,C_2).$$

From Theorem 8, we have $\{ j : K_{R,j}(C_1,C_2) = i \} \cap \{ j : K_{R,j}(C_1,C_2) \ge i+1 \} = \emptyset$. We thus have

$$M_{R,i}(C_1,C_2) = \min\left\{ j : K_{R,j}(C_1,C_2) \ge i \right\} = \min\left\{ j : K_{R,j}(C_1,C_2) = i \right\}.$$

Therefore the RGRW is strictly increasing with $i$ and thus

$$M_{R,i}(C_1,C_2) = \min\left\{ \dim V : V \in \Gamma(\mathbb{F}_{q^m}^n),\ \dim(C_1 \cap V) - \dim(C_2 \cap V) = i \right\}$$

is established.

In [29, Lemma 1], it was shown that in the case of $C_2 = \{0\}$, the second RGRW $M_{R,2}(C_1,\{0\})$ is greater than the first RGRW $M_{R,1}(C_1,\{0\})$.

We note that if we replace $\Gamma(\mathbb{F}_{q^m}^n)$ and $K_{R,j}(C_1,C_2)$ in Lemma 9 with $\Lambda(\mathbb{F}_{q^m}^n)$ and the $j$-th RDLP, the lemma coincides with [23, Theorem 3] for the properties of RGHW. Also, if we replace $\Gamma(\mathbb{F}_{q^m}^n)$ in Lemma 9 with $\Upsilon_{\mathcal{F}}$, the property of strictly increasing the RGRW shown in the lemma also becomes the property of the RNGHW [42, Theorem 3.2].

Now we present the following upper bound of the RGRW.

Proposition 10. Let $C_1 \subseteq \mathbb{F}_{q^m}^n$ be a linear code and $C_2 \subsetneq C_1$ be its subcode. Then, the RGRW of $C_1$ and $C_2$ is upper bounded by

$$M_{R,i}(C_1,C_2) \le \min\left\{ n - \dim C_1,\ (m-1)\dim C_1/C_2 \right\} + i, \tag{3}$$

for $1 \le i \le \dim(C_1/C_2)$.

Proof: We can assume that $C_2$ is a systematic code without loss of generality. That is, the first $\dim C_2$ coordinates of each basis of $C_2$ is one of the canonical bases of $\mathbb{F}_{q^m}^{\dim C_2}$. Let $S \subsetneq \mathbb{F}_{q^m}^n$ be a linear code such that $C_1$ is the direct sum of $C_2$ and $S$. Then, after suitable permutation of coordinates, a basis of $S$ can be chosen such that its first $\dim C_2$ coordinates are zero. Hence, a code $S$ can be regarded as a code of length $n - \dim C_2$, and we have $M_{R,\dim S}(S,\{0\}) \le n - \dim C_2$ from the definition of the RGRW. On the other hand, since $M_{R,\dim S}(S,\{0\}) = \dim S^*$ from the definition of the RGRW and Lemma 2, and $\dim S^* \le m \dim S$ from Lemma 3, we have $M_{R,\dim S}(S,\{0\}) \le m \dim S = m \dim C_1/C_2$. We thus have

$$M_{R,\dim S}(S,\{0\}) \le \min\left\{ n - \dim C_2,\ m \dim C_1/C_2 \right\}.$$

We shall use the mathematical induction on $t$. We see that

$$M_{R,t}(S,\{0\}) \le \min\left\{ n - \dim C_1,\ (m-1)\dim C_1/C_2 \right\} + t, \tag{4}$$

is true for $t = \dim S = \dim C_1 - \dim C_2$. Assume that for some $t \ge 1$, (4) is true. Then, since the $M_{R,i}(S,\{0\})$ is strictly increasing with $i$ from Lemma 9, we have

$$M_{R,t-1}(S,\{0\}) \le M_{R,t}(S,\{0\}) - 1 \le \min\left\{ n - \dim C_1,\ (m-1)\dim C_1/C_2 \right\} + t - 1.$$

Thus, it is proved by mathematical induction that (4) holds for $1 \le t \le \dim(C_1/C_2)$.

Lastly, we prove (3) by the above discussion about the RGRW of $S$ and $\{0\}$. For an arbitrary fixed subspace $V \subseteq \mathbb{F}_{q^m}^n$, we have $\dim(C_1 \cap V) \ge \dim(S \cap V) + \dim(C_2 \cap V)$, because $C_1$ is a direct sum of $S$ and $C_2$. Hence, $\dim(C_1 \cap V) - \dim(C_2 \cap V) \ge \dim(S \cap V)$ holds, and we have $M_{R,i}(C_1,C_2) \le M_{R,i}(S,\{0\})$ for $1 \le i \le \dim(C_1/C_2)$ from the definition of the RGRW. Therefore, from the foregoing proof, we have

$$M_{R,i}(C_1,C_2) \le M_{R,i}(S,\{0\}) \le \min\left\{ n - \dim C_1,\ (m-1)\dim C_1/C_2 \right\} + i, \tag{5}$$

for $1 \le i \le \dim(C_1/C_2)$, and the proposition is proved.

If $n - \dim C_2 \le m \dim C_1/C_2$ holds and $\Gamma(\mathbb{F}_{q^m}^n)$ is replaced with $\Lambda(\mathbb{F}_{q^m}^n)$, this lemma coincides with the generalized Singleton bound for the RGHW [23, Theorem 4]. Also, if $n - \dim C_2 \le m \dim C_1/C_2$ holds and $\Gamma(\mathbb{F}_{q^m}^n)$ is replaced with $\Upsilon_{\mathcal{F}}$, i.e., the RGRW is replaced to the RNGHW, it becomes [42, Theorem 3.4].

D. Relation between the Rank Distance and the RGRW

Next, we show the relation between the rank distance [14] and the RGRW. We will use the relation to express the universal security performance (Section III) and the universal error correction capability (Section IV) of secure network coding.

For a vector $x = [x_1,\dots,x_n] \in \mathbb{F}_{q^m}^n$, we denote by $S(x) \subseteq \mathbb{F}_{q^m}$ an $\mathbb{F}_q$-linear subspace of $\mathbb{F}_{q^m}$ spanned by $x_1,\dots,x_n$.
The rank distance [14] between two vectors $x, y \in \mathbb{F}_{q^m}^n$ is given by $d_R(x,y) \triangleq \dim_{\mathbb{F}_q} S(y - x)$, where $\dim_{\mathbb{F}_q}$ denotes the dimension over the base field $\mathbb{F}_q$. In other words, it is the maximum number of coordinates in $(y - x)$ that are linearly independent over $\mathbb{F}_q$. The minimum rank distance [14] of a code $C$ is given as

$$d_R(C) \triangleq \min\{ d_R(x,y) : x, y \in C,\ x \ne y \} = \min\{ d_R(x,0) : x \in C,\ x \ne 0 \}.$$

Lemma 11. Let $b \in \mathbb{F}_{q^m}^n$ be an $n$-dimensional nonzero vector over $\mathbb{F}_{q^m}$, and let $\langle b \rangle \subseteq \mathbb{F}_{q^m}^n$ be an $\mathbb{F}_{q^m}$-linear one-dimensional subspace of $\mathbb{F}_{q^m}^n$ spanned by $b$. Then, we have $\dim \langle b \rangle^* = d_R(b,0)$.

Proof: Let $\{\gamma_1,\dots,\gamma_m\}$ be an $\mathbb{F}_q$-basis of $\mathbb{F}_{q^m}$. Let $d = d_R(b,0) = \dim_{\mathbb{F}_q} S(b)$. From the definition of the rank distance, there exists a nonsingular matrix $P \in \mathbb{F}_q^{n \times n}$ satisfying

$$b = \underbrace{[\gamma_1,\dots,\gamma_d,0,\dots,0]}_{\triangleq\, a \,\in\, \mathbb{F}_{q^m}^n} P.$$

For $\alpha_1, \alpha_2 \in \mathbb{F}_q$, $\beta_1, \beta_2 \in \mathbb{F}_{q^m}$, we have $\alpha_1 \beta_1^{q^i} + \alpha_2 \beta_2^{q^i} = (\alpha_1 \beta_1 + \alpha_2 \beta_2)^{q^i}$ ($0 \le i \le m-1$). Thus, since $P$ is a matrix over $\mathbb{F}_q$, we have $b^{q^i} = (aP)^{q^i} = a^{q^i} P$. Let $\langle b, b^q, \dots, b^{q^{m-1}} \rangle \subseteq \mathbb{F}_{q^m}^n$ be an $\mathbb{F}_{q^m}$-linear subspace of $\mathbb{F}_{q^m}^n$ spanned by $m$ vectors $b, b^q, \dots, b^{q^{m-1}}$, then we have $\langle b \rangle^* = \langle b, b^q, \dots, b^{q^{m-1}} \rangle$ and hence

$$\dim \langle b \rangle^* = \dim \langle b, b^q, \dots, b^{q^{m-1}} \rangle = \dim \langle aP, a^q P, \dots, a^{q^{m-1}} P \rangle = \dim \langle a, a^q, \dots, a^{q^{m-1}} \rangle = \operatorname{rank} \underbrace{\begin{bmatrix} a \\ a^q \\ \vdots \\ a^{q^{m-1}} \end{bmatrix}}_{\triangleq\, T \,\in\, \mathbb{F}_{q^m}^{m \times n}}.$$

Since the right $n - d$ columns of $T$ are zero columns, we have $\operatorname{rank} T \le d$. On the other hand, since the upper-left $d \times d$ submatrix $T'$ of $T$ is the generator matrix of $[d,d]$ Gabidulin code [14], we have $\operatorname{rank} T' \ge d$. Therefore, we have $\dim \langle b \rangle^* = \operatorname{rank} T = d$.

Lemma 12. For a code $C_1 \subseteq \mathbb{F}_{q^m}^n$ and its subcode $C_2 \subsetneq C_1$, the first RGRW can be represented as $M_{R,1}(C_1,C_2) = \min\{ d_R(x,0) : x \in C_1 \setminus C_2 \}$.

Proof: From Lemma 2, $M_{R,1}(C_1,C_2)$ can be represented as

$$M_{R,1}(C_1,C_2) = \min\left\{ \dim W : W \in \Gamma(\mathbb{F}_{q^m}^n),\ \dim(C_1 \cap W) - \dim(C_2 \cap W) \ge 1 \right\}$$
$$= \min\left\{ \dim W : W \in \Gamma(\mathbb{F}_{q^m}^n),\ \exists v \in (C_1 \cap W) \setminus C_2 \right\}$$
$$= \min\left\{ \dim \langle v \rangle^* : v \in C_1 \setminus C_2 \right\}.$$

Therefore, since $\dim \langle v \rangle^* = d_R(v,0)$ for a vector $v \in \mathbb{F}_{q^m}^n$ from Lemma 11, we have $M_{R,1}(C_1,C_2) = \min\{ d_R(v,0) : v \in C_1 \setminus C_2 \}$.

Lemma 12 immediately yields the following corollary that shows that $M_{R,1}(\cdot,\{0\})$ is a generalization of $d_R(\cdot)$.

Corollary 13. For a linear code $C$, $d_R(C) = M_{R,1}(C,\{0\})$ holds.

Here we introduce the Singleton-type bound of rank distance [14], [22].

Proposition 14 (Singleton-Type Bound of Rank Distance [14], [22]). Let $C \subseteq \mathbb{F}_{q^m}^n$ be a linear code. Then, the minimum rank distance of $C$ is upper bounded by

$$d_R(C) \le \min\left\{ 1, \frac{m}{n} \right\} (n - \dim C) + 1. \tag{6}$$

Note that the right-hand side of (6) is $n - \dim C + 1$ if $m \ge n$ and $\frac{m}{n}(n - \dim C) + 1$ if $m < n$. A code satisfying the equality of (6) is called a maximum rank distance (MRD) code [14]. The Gabidulin code [14] is known as an MRD code.

In the following, we shall present some extra properties of the RGRW $M_{R,i}(\cdot,\cdot)$ and the minimum rank distance $d_R(\cdot)$ by using the relation between $M_{R,i}(\cdot,\cdot)$ and $d_R(\cdot)$ shown above and the properties of the RGRW described in the previous subsection. In the case where $m \ge n$, Corollary 15 gives a generalization of the Singleton-type bound of rank distance [14], [22] of $C \subseteq \mathbb{F}_{q^m}^n$, and Corollary 16 shows that the RGRW of $C_1 \subseteq \mathbb{F}_{q^m}^n$ and $C_2 \subsetneq C_1$ depends only on $C_1$ when $C_1$ is MRD. Proposition 17 presents an upper bound of the first RGRW by combining the Singleton-type bound of rank distance [14], [22] of $C \subseteq \mathbb{F}_{q^m}^n$ for $m < n$ and the upper bound of the RGRW given in Proposition 10. In the case where $m < n$, Corollary 18 gives a tighter upper bound of the minimum rank distance of $C \subseteq \mathbb{F}_{q^m}^n$ for $m < n$ and $\dim C = 1$ than that shown in Proposition 14.

First, Lemma 9 and Proposition 10 yield the following corollary from Corollary 13 and Proposition 14. This corollary shows a generalization of the Singleton-type bound of rank distance [14], [22] of $C \subseteq \mathbb{F}_{q^m}^n$ in the case where $m \ge n$.

Corollary 15.
For a linear code $C \subseteq \mathbb{F}_{q^m}^n$ with $m \ge n$, $M_{R,i}(C,\{0\}) \le (n - \dim C) + i$ for $1 \le i \le \dim C$. The equality holds for all $i$ if and only if $C$ is an MRD code.

Proof: From Proposition 10, $M_{R,i}(C,\{0\}) \le (n - \dim C) + i$ is immediate. The RGRW $M_{R,i}(C,\{0\})$ is strictly increasing with $i$ from Lemma 9, and $M_{R,\dim C}(C,\{0\}) \le n$ holds. Therefore, from Corollary 13 and Proposition 14, $M_{R,i}(C,\{0\}) = n - \dim C + i$ for $1 \le i \le \dim C$ must hold if and only if $C$ is MRD with $m \ge n$.

Next, we give the following corollary of Proposition 10 for the RGRW of $C_1 \subseteq \mathbb{F}_{q^m}^n$ and $C_2 \subsetneq C_1$. This corollary reveals that when $C_1$ is an MRD code with $m \ge n$, the $i$-th RGRW $M_{R,i}(C_1,C_2)$ always coincides with the maximum possible value of $M_{R,i}(C_1,\{0\})$, shown in Corollary 15, regardless of its subcode $C_2$.

Corollary 16. Let $m \ge n$. Let $C_1 \subseteq \mathbb{F}_{q^m}^n$ be an MRD code and $C_2 \subsetneq C_1$ be its arbitrary subcode. Then, the RGRW of $C_1$ and $C_2$ is $M_{R,i}(C_1,C_2) = n - \dim C_1 + i$ for $1 \le i \le \dim(C_1/C_2)$.

Proof: By the definition of the RGRW in Definition 5, we first have $M_{R,i}(C_1,C_2) \ge M_{R,i}(C_1,\{0\})$. Hence, since $C_1$ is MRD with $m \ge n$, we have $M_{R,i}(C_1,C_2) \ge M_{R,i}(C_1,\{0\}) = n - \dim C_1 + i$ from Corollary 15. On the other hand, we have $M_{R,i}(C_1,C_2) \le n - \dim C_1 + i$ from Proposition 10. Therefore, we have $M_{R,i}(C_1,C_2) = n - \dim C_1 + i$.

By combining Proposition 14 and Proposition 10, we also have the following proposition only for the first RGRW. This proposition presents an upper bound of the first RGRW, obtained by the Singleton-type bound of the rank distance of $C \subseteq \mathbb{F}_{q^m}^n$ for $m < n$ in Proposition 14.

Proposition 17. The first RGRW of a linear code $C_1 \subseteq \mathbb{F}_{q^m}^n$ and its subcode $C_2 \subsetneq C_1$ is upper bounded by

$$M_{R,1}(C_1,C_2) \le \min\left\{ n - \dim C_1,\ (m-1)\dim C_1/C_2,\ \frac{m(n - \dim C_1)}{n - \dim C_2} \right\} + 1.$$

Proof: As in the proof of Proposition 10, let $S \subsetneq \mathbb{F}_{q^m}^n$ be a linear code such that $C_1 = C_2 + S$. Also, we suppose that the first $\dim C_2$ coordinates of $S$ are zero without loss of generality. Since $S$ can be
Since S can be 2 viewed as a code of length n−dimC , we have the following inequality from Proposition 14. 2 m d (S) = M (S,{0}) ≤ {(n−dimC )−dimS}+1 R R,1 n−dimC 2 2 m(n−dimC ) = 1 +1. n−dimC 2 Thus, from (5), m(n−dimC ) M (C ,C ) ≤ M (S,{0}) ≤ 1 +1. R,1 1 2 R,1 n−dimC 2 Therefore, from Proposition 10, the corollary is proved. The following corollary is immediately obtained from Proposition 17. Corollary 18. Assume m ≥ 2. For a linear code C ⊆ Fn , we have the following inequalities. qm n−dimC+1 (n ≤ m) d (C) = M (C,{0}) ≤ (m−1)dimC+1 (n > m,dimC = 1) R R,1 m(n−dimC)+1 (n > m,dimC ≥ 2). n This corollary presents a tighter upper bound of d (C) for C ⊆ Fn than that shown in Proposition 14, R qm when m < n and dimC = 1. Lastly, by using the relation between the RGRW and the rank distance [14] presented above, we introduce an extra property of the RDIP K (C ,C ) when C is MRD. We define [x]+ = max{0,x}. R,i 1 2 1 Proposition 19. Let C ⊆ Fn be a linear code and C $ C be a its subcode. Assume m ≥ n and 1 qm 2 1 C be an MRD code. Then, the RDIP of C and C is given by K (C ,C ) = µ−n+dimC + for 1 1 2 R,µ 1 2 1 0 ≤ µ ≤ n−dimC . 2 (cid:2) (cid:3) 9 Proof: From Corollary 16, we have M (C ,C ) = n−dimC +i for 0 ≤ i ≤ dim(C /C ). Thus, from R,i 1 2 1 1 2 Proposition 9 for i = 1, we have min µ : K (C ,C ) = 1 = n−dimC +1, R,µ 1 2 1 n o and hence K (C ,C ) = 0 for 0 ≤ µ ≤ n−dimC from Theorem 8. On the other hand, from Proposition 9 R,µ 1 2 1 for i = dim(C /C ), we have 1 2 min µ : K (C ,C ) = dim(C /C ) = n−dimC +dim(C /C ) R,µ 1 2 1 2 1 1 2 n o =dimC1−dimC2 = n−dimC , | {z } 2 and hence K (C ,C ) = dim(C /C ). Thus, since R,n−dimC2 1 2 1 2 K (C ,C )−K (C ,C ) = dim(C /C ) = dimC −dimC , R,n−dimC2 1 2 R,n−dimC1 1 2 1 2 1 2 holds, K (C ,C ) = µ−n+dimC for n−dimC ≤ µ ≤ n−dimC must hold from Theorem 8. Therefore, R,µ 1 2 1 1 2 the proposition is established. III. 
Universal Security Performance ofSecure Network Coding This section derivesthe security performance of secure network coding based on the nested coset coding scheme [40], which is guaranteed independently of the underlying network code construction. This section first presents the network model with errors, and introduces the wiretap network model and the nested coset coding scheme in secure network coding. Next, we define the universal equivocation, the universal ω-strong security and the universal maximum strength as the universal security performance of secure network coding on the wiretap network model. We then express the universal security performance of secure network coding based on the nested coset coding scheme in terms of the RDIP and the RGRW. A. Network Model with Errors We first introducethebasic network model in which no errors occurin thenetwork. As in [6], [10], [27], [34], [42], we consider a multicast communication network represented by a directed acyclic multigraph with unit capacity links, a single source node, and multiple sink nodes. We assume that linear network coding [17], [21] is employed over the network. Elements of a column vector space Fm×1 are called q packets. Assume that each link in the network can carry a single F -symbol per one time slot, and that q each link transports a single packet over m time slots without delays, erasures, or errors. The source node produces n packets X , ..., X ∈ Fm×1 and transmits X , ..., X on n outgoing links 1 n q 1 n over m consecutive time slots. Define the m × n matrix X = [X ,...,X ]. The data flow on any link 1 n can be represented as an F -linear combination of packets X ,...,X ∈ Fm×1. Namely, the information q 1 n q transmitted on a link e can be denoted as b XT ∈ F1×m, where b ∈ Fn is called a global coding vector e q e q (GCV) [13] of e. Suppose that a sink node has N incoming links. 
Then, the information received at a sink node can be represented as an $N \times m$ matrix $A X^{\mathrm{T}} \in \mathbb{F}_q^{N \times m}$, where $A \in \mathbb{F}_q^{N \times n}$ is the transfer matrix of the network constructed by gathering the GCV's of $N$ incoming links. The network code is called feasible if each transfer matrix to each sink node has rank $n$ over $\mathbb{F}_q$, otherwise it is called rank deficient. The rank deficiency of the network coded network [32], [34], [35] is defined by

$$\rho \triangleq n - \min\{ \operatorname{rank} A : A \text{ at each sink node} \},$$

i.e., the maximum column-rank deficiency of the transfer matrix $A$ among all sink nodes. As in [32], [34], [35], $\rho$ is also referred to as $\rho$ erasures.

The above setup of the network coded network is referred to as an $(n \times m)_q$ linear network [34]. We may also call it a $\rho$-erasure $(n \times m)_q$ linear network when we need to indicate the rank deficiency $\rho$ of the network.
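The following added example (not code from the paper) checks Lemma 11, Lemma 12 and Corollary 16 of Section II-D numerically over $\mathbb{F}_{2^4}$; the field polynomial, the helper names and both sample codes are constructed for illustration. It brute-forces the first RGRW as the minimum rank weight over $C_1 \setminus C_2$, which equals $n - \dim C_1 + 1$ for a Gabidulin (MRD) code whatever the subcode, while for a non-MRD code it can exceed $d_R(C_1)$.

```python
from itertools import product

M = 4            # extension degree m; the field is F_{2^4} with q = 2 (assumed)
MOD = 0b10011    # x^4 + x + 1, an irreducible polynomial over F_2 (assumed)

def gf_mul(a, b):
    """Multiply in F_{2^M}; an element is an int whose bits are its F_2-coordinates."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MOD
    return r

def gf_inv(a):
    """Inverse of a nonzero element, computed as a^(2^M - 2)."""
    r, e = 1, 2**M - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def rank_weight(x):
    """d_R(x, 0): dimension over F_2 of the span S(x) of the coordinates of x."""
    basis = []
    for v in x:
        for b in basis:          # clear the leading bit of every stored vector
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def rank_ext(rows):
    """Rank over F_{2^M} of a matrix, by Gauss-Jordan elimination."""
    rows, rank = [list(r) for r in rows], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = gf_inv(rows[rank][col])
        rows[rank] = [gf_mul(inv, v) for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [v ^ gf_mul(f, p) for v, p in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def closure_dim(b):
    """dim <b>^*: rank of the matrix with rows b, b^q, ..., b^(q^(m-1)), q = 2."""
    rows, row = [], list(b)
    for _ in range(M):
        rows.append(row)
        row = [gf_mul(v, v) for v in row]   # Frobenius map: coordinate-wise squaring
    return rank_ext(rows)

def lemma11_holds(n=3):
    """Check dim <b>^* == d_R(b, 0) for every nonzero b in F_{2^M}^n."""
    return all(closure_dim(b) == rank_weight(b)
               for b in product(range(2**M), repeat=n) if any(b))

def span(gens, n):
    """Set of all F_{2^M}-linear combinations of the generator rows."""
    words = set()
    for coeffs in product(range(2**M), repeat=len(gens)):
        w = [0] * n
        for c, g in zip(coeffs, gens):
            w = [x ^ gf_mul(c, y) for x, y in zip(w, g)]
        words.add(tuple(w))
    return words

def first_rgrw(c1_gens, c2_gens):
    """M_{R,1}(C1, C2) via Lemma 12: minimum rank weight over C1 \\ C2."""
    n = len(c1_gens[0])
    return min(rank_weight(x) for x in span(c1_gens, n) - span(c2_gens, n))

# Constructed sample codes of length n = 3 over F_16 (alpha is the element 2).
GABIDULIN = [(1, 2, 4), (1, 4, 3)]    # rows g and g^2 with g = (1, alpha, alpha^2)
NON_MRD = [(1, 0, 0), (0, 1, 2)]      # contains a codeword of rank weight 1

if __name__ == "__main__":
    print("Lemma 11 on F_16^3:", lemma11_holds())
    for name, c1 in (("Gabidulin", GABIDULIN), ("non-MRD", NON_MRD)):
        print(name, "d_R(C1) =", first_rgrw(c1, []),
              " M_R,1(C1, C2) =", first_rgrw(c1, c1[:1]))
```

Passing an empty generator list as the subcode gives $C_2 = \{0\}$, so `first_rgrw(c1, [])` is $d_R(C_1)$ by Corollary 13.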