Secure Network Coding Against the Contamination and Eavesdropping Adversaries

In this paper, we propose an algorithm that targets contamination and eavesdropping adversaries. We consider the case when the number of independent packets available to the eavesdropper is less than the multicast capacity of the network. By means of our algorithm every node can verify the integrity of the received packets easily and an eavesdropper is unable to get any meaningful information about the source. We call it practical security if an eavesdropper is unable to get any meaningful information about the source.We show that, by giving up a small amount of overall capacity, our algorithm achieves achieves the practically secure condition at a probability of one. Furthermore, the communication overhead of our algorithm are negligible compared with previous works, since the transmission of the hash values and the code coefficients are both avoided.

💡 Research Summary

The paper addresses the simultaneous presence of two adversarial threats in a network‑coding environment: packet‑tampering (contamination) and passive eavesdropping. The authors assume a multicast network where the source (Alice) wishes to send m packets to a destination (Bob) and an eavesdropper (Calvin) can listen on a set of edges whose total number of linearly independent global encoding kernels, k, is strictly smaller than the multicast capacity m. The goal is twofold: (1) enable every intermediate node to verify that received packets have not been altered, and (2) guarantee that Calvin learns no “meaningful information” about the original source data, a notion the authors term “practical security”.

The core construction combines a homomorphic hash function with a pseudo‑random coefficient generator. The hash is built over a large finite field F_q with a generator g whose order is a prime p; secret exponents u_0,…,u_{n+1} are chosen and the public parameters g_i = g^{u_i} (mod q) are published. For a message vector x = (x_0,…,x_n,r) the hash is H(x)= (∏{i=0}^{n} g_i^{x_i})·g{n+1}^{r} (mod q). Because the hash is homomorphic (H(x)·H(y)=H(x+y)), a linear combination of packets can be verified by comparing the hash of the combined packet with the product of the intended hash values.

Alice first selects a random seed c and uses a pseudo‑random generator G to produce coefficients c_1,…,c_m. She also constructs a Vandermonde‑type matrix P from random field elements r_1,…,r_m and computes X′ = P·X. After adding the vector r = (r_1,…,r_m) to each row, she obtains X″. For each packet she computes an additional padding x_{i0} so that the hash of the padded packet equals the public “intended” hash value g_i. The transmitted packet b x_i therefore satisfies H(b x_i)=g_i, while the secret padding and the matrix P remain unknown to any intermediate node.

During verification, a node that receives a packet x reconstructs the coefficients c_i from the shared seed, computes H_1 = H(x), and independently computes H_2 = ∏_{i=1}^{m} g_i^{c_i} (mod q). Equality of H_1 and H_2 certifies integrity; no separate secure channel is required. Bob, after collecting all m packets, extracts the secret vector r, reconstructs P, and multiplies by P^{-1} to recover the original X.

Security against contamination is proved by reduction to the discrete logarithm problem (DL