Codes against Online Adversaries
In this work we consider the communication of information in the presence of an online adversarial jammer. In the setting under study, a sender wishes to communicate a message to a receiver by transmitting a codeword x=x_1,...,x_n symbol-by-symbol ov…
Authors: Bikash Kumar Dey, Sidharth Jaggi, Michael Langberg
B. K. Dey∗, S. Jaggi†, M. Langberg‡

November 2, 2018

Abstract

In this work we consider the communication of information in the presence of an online adversarial jammer. In the setting under study, a sender wishes to communicate a message to a receiver by transmitting a codeword $x = (x_1, \ldots, x_n)$ symbol-by-symbol over a communication channel. The adversarial jammer can view the transmitted symbols $x_i$ one at a time, and can change up to a $p$-fraction of them. However, the decisions of the jammer must be made in an online or causal manner. Namely, for each symbol $x_i$ the jammer’s decision on whether to corrupt it or not (and on how to change it) must depend only on $x_j$ for $j \le i$. This is in contrast to the “classical” adversarial jammer which may base its decisions on its complete knowledge of $x$. More generally, for a delay parameter $d \in (0, 1)$, we study the scenario in which the jammer’s decision on the corruption of $x_i$ must depend solely on $x_j$ for $j \le i - dn$. In this work, we initiate the study of codes for online adversaries, and present a tight characterization of the amount of information one can transmit in both the 0-delay and, more generally, the $d$-delay online setting. We show that for 0-delay adversaries, the achievable rate asymptotically equals that of the classical adversarial model. For positive values of $d$ we show that the achievable rate can be significantly greater than that of the classical model. We prove tight results for both additive and overwrite jammers when the transmitted symbols are assumed to be over a sufficiently large field $\mathbb{F}$. In the additive case the jammer may corrupt information $x_i \in \mathbb{F}$ by adding onto it a corresponding error $e_i \in \mathbb{F}$. In this case the receiver gets the symbol $y_i = x_i + e_i$.
In the overwrite case, the jammer may corrupt information $x_i \in \mathbb{F}$ by replacing it with a corresponding corrupted symbol $y_i \in \mathbb{F}$. For positive delay $d$, symbol $x_i$ may not be known to the adversarial jammer at the time it is being corrupted, hence these two error models, and the corresponding achievable rates, are shown to differ substantially. Finally, we extend our results to a jam-or-listen online model, where the online adversary can either jam a symbol or eavesdrop on it. This corresponds to several scenarios that arise in practice. We again provide a tight characterization of the achievable rate for several variants of this model. The rate-regions we prove for each model are information-theoretic in nature and hold for computationally unbounded adversaries. The rate regions are characterized by “simple” piecewise linear functions of $p$ and $d$. The codes we construct to attain the optimal rate for each scenario are computationally efficient.

∗ Department of Electrical Engineering, Indian Institute of Technology Bombay, Mumbai, India, 400 076, email: bikash@ee.iitb.ac.in
† Department of Information Engineering, Chinese University of Hong Kong, Shatin, N.T., Hong Kong, email: jaggi@ie.cuhk.edu.hk
‡ Computer Science Division, Open University of Israel, 108 Ravutski St., Raanana 43107, Israel, email: mikel@openu.ac.il

1 Introduction

Consider the following adversarial communication scenario. A sender Alice wishes to transmit a message $u$ to a receiver Bob. To do so, Alice encodes $u$ into a codeword $x$ and transmits it over a channel. In this work the codeword $x = x_1, \ldots, x_n$ is considered to be a vector of length $n$ over an alphabet $\mathbb{F}$ of size $q$. However, Calvin, a malicious adversary, can observe $x$ and corrupt up to a $p$-fraction of the $n$ transmitted symbols (i.e., $pn$ symbols).
In the classical adversarial channel model, e.g., [6, 3], it is usually assumed that Calvin has full knowledge of the entire codeword $x$, and based on this knowledge (together with the knowledge of the code shared by Alice and Bob) Calvin can maliciously plan what error to impose on $x$. We refer to such an adversary as an omniscient adversary. For large values of $q$ (which is the focus of this work) communication in the presence of an omniscient adversary is well-understood. It is known that Alice can transmit no more than $(1 - 2p)n$ error-free symbols to Bob when using codewords of block length $n$. Further, efficient schemes such as Reed-Solomon codes [10, 1] are known to achieve this optimal rate.

Online adversaries

In this work we initiate the analysis of coding schemes that allow communication against certain adversaries that are weaker than the omniscient adversary. We consider adversaries that behave in an online manner. Namely, for each symbol $x_i$, we assume that Calvin decides whether to change it or not (and if so, how to change it) based on the symbols $x_j$, for $j \le i$ alone, i.e., the symbols that he has already observed. In this case we refer to Calvin as an online adversary.

Online adversaries arise naturally in practical settings, where adversaries typically have no a priori knowledge of Alice’s message $u$. In such cases they must simultaneously learn $u$ based on Alice’s transmissions, and jam the corresponding codeword $x$ accordingly. This causality assumption is reasonable for many communication channels, both wired and wireless, where Calvin is not co-located with Alice. For example consider the scenario in which the transmission of $x = x_1, \ldots, x_n$ is done during $n$ channel uses over time, where at time $i$ the symbol (or packet) $x_i$ is transmitted over the channel.
Calvin can only corrupt a packet when it is transmitted (and thus its error is based on its view so far). To decode the transmitted message, Bob waits until all the packets have arrived. As in the omniscient model, Calvin is restricted in the number of packets $pn$ he can corrupt. This might be because of limited processing power, limited transmit energy, or a need to keep his location secret.

In addition to the online adversaries described above, we also consider the more general scenario in which Calvin’s jamming decisions are delayed. That is, for a delay parameter $d \in (0, 1)$, Calvin’s decision on the corruption of $x_i$ must depend solely on $x_j$ for $j \le i - dn$. We refer to such adversaries as $d$-delay online adversaries. Such $d$-delay online adversaries correspond, for example, to the scenario in which the error transmission of the adversary is delayed due to certain computational tasks that the adversary needs to perform. We show that the 0-delay model (i.e., $d = 0$) and the $d$-delay model for $d > 0$ display different behaviour, hence we treat them separately.

Error model

We consider two types of attacks by Calvin. An additive attack is one in which Calvin can add $pn$ error symbols $e_i$ to Alice’s transmitted symbols $x_i$. Thus $y_i$, the $i$’th symbol Bob receives, equals $x_i + e_i$. Here addition is defined over the finite field $\mathbb{F}_q$ with $q$ elements. An overwrite attack is one in which Calvin overwrites $pn$ of Alice’s transmitted symbols $x_i$ by the symbols $y_i$ received by Bob.¹ These two attacks are significantly different, if we assume that at the time Calvin is corrupting $x_i$ he has no knowledge of its value – this is exactly the positive-delay $d$ scenario. The two attacks we study are intended to model different physical models of Calvin’s jamming.
For instance, in wired packet-based channels Calvin can directly replace some transmitted packets $x_i$ with some fake packets $y_i$, and therefore behave like an overwriting adversary. On the other hand in wireless networks, Bob’s received signal is usually a function of both $x_i$ and the additive error $e_i$.

¹ Note that in the 0-delay case these two attacks are equivalent. This is because in both cases Calvin can change an $x_i$ into an arbitrary $y_i$; an additive Calvin can choose $e_i = y_i - x_i$, whereas an overwriting Calvin directly uses $y_i$.

Lastly we consider the jam-or-listen online adversary. In this scenario, in addition to being an online adversary, if Calvin jams a symbol $x_i$ then he has no idea what value it takes. This model is again motivated by wireless transmissions, where a node can typically either transmit or receive, but not both. For this model, we consider all four combinations of 0-delay/$d$-delay, and additive/overwrite errors.

A rate $R$ is said to be achievable against an adversary Calvin if it is possible for Alice to transmit a message $u$ of at least $Rn$ symbols of $\mathbb{F}_q$ over $n$ channel uses to Bob (with probability of decoding error going to zero as $n \to \infty$). The capacity, when communicating in the presence of a certain adversarial model, is defined to be the supremum of all achievable rates. Thus, the capacity characterizes the rate achievable in the adversarial model under study. We denote the capacity of the classical omniscient adversarial channel which can change $pn$ characters by $C^{\mathrm{omni}}(p)$. We denote the capacity of the $d$-delay online adversarial channels which can change $pn$ characters by $C^{\mathrm{add}}_d(p)$ for the additive error model, and $C^{\mathrm{ow}}_d(p)$ for the overwrite error model.
For the jam-or-listen adversary, we denote the corresponding capacities by $C^{\mathrm{jl,add}}_d(p)$ or $C^{\mathrm{jl,ow}}_d(p)$, depending on whether Calvin uses additive or overwrite errors. A more detailed discussion of our definitions and notation is given in Section 2.

Our results

In this work, we initiate the study of codes for online adversaries, and present a tight characterization of the amount of information one can transmit in both the 0-delay and, more generally, the $d$-delay online setting. To the best of our knowledge, communication in the presence of an online adversary (with or without delay) has not been explicitly addressed in the literature. Nevertheless, we note that the model of online channels, being a natural one, has been “on the table” for several decades and the analysis of the online channel model appears as an open question in the book of Csiszár and Korner [4] (in the section addressing Arbitrary Varying Channels [2]). Various variants of causal adversaries have been addressed in the past, for instance [2, 5, 11, 12, 9] – however the models considered therein differ significantly from ours.

At a high level, we show that for 0-delay adversaries the achievable rate equals that of the classical “omniscient” adversarial model. This may at first come as a surprise, as the online adversary is weaker than the omniscient one, and hence one may suspect that it allows a higher rate of communication. We then show, for positive values of the delay parameter $d$, that the achievable rate can be significantly greater than those achievable against omniscient adversaries.

We stress that our results are information-theoretic in nature and thus hold even if the adversary is computationally unbounded.
The codes we construct to achieve the optimal rates are computationally efficient to design, and for Alice and Bob to implement (i.e., efficiently encodable and decodable).

All our results assume that the field size $q$ is significantly larger than $n$. In some cases it suffices to take $q = \mathrm{poly}(n)$, but in others we need $q = \exp(\mathrm{poly}(n))$. Both settings lend themselves naturally to real-world scenarios, as in both cases a field element $x_i$ can be represented by a polynomial (in $n$) number of bits.

The exact statements of our results are in Theorems 1, 2, 3 and 4 below. The technical parameters (including rate, field size, error probability, and time complexity) of our results are summarized in Table 1 of the Appendix. We start by showing that in the 0-delay case, the capacity of the online channel equals that of the stronger omniscient channel model.

Theorem 1 (0-delay model) For any $p \in [0, 1]$, communicating against a 0-delay online adversary channel under both the overwrite and additive error models equals the capacity under the omniscient model. In particular,

$$C^{\mathrm{ow}}_0(p) = C^{\mathrm{add}}_0(p) = C^{\mathrm{omni}}(p) = (1 - 2p)^+ = \begin{cases} 1 - 2p, & p \in [0, 0.5) \\ 0, & p \in [0.5, 1]. \end{cases} \tag{1}$$

Moreover, the capacity can be attained by an efficient encoding and decoding scheme.

Next we characterize the capacity of the $d$-delay online channel under the additive error model.

Theorem 2 ($d$-delay with additive error model) For any $p \in [0, 1]$ the capacity $C^{\mathrm{add}}_d(p)$ of the $d$-delay online channel for $d > 0$ under the additive error model is $1 - p$. Moreover, the capacity can be attained by an efficient encoding and decoding scheme.

We then turn to study the $d$-delay online channel under the overwrite error model. The capacity we present is at least as large as that achievable against an additive or overwrite 0-delay adversary who changes $pn$ symbols.
However, it is sometimes significantly lower than that achievable against an additive $d$-delay adversary.

Theorem 3 ($d$-delay with overwrite error model) For any $p \in [0, 1]$ the capacity of the $d$-delay online channel under the overwrite error model is

$$C^{\mathrm{ow}}_d(p) = \begin{cases} 1 - p, & p \in [0, 0.5),\ p < d \\ 1 - 2p + d, & p \in [0, 0.5),\ p > d \\ 0, & p \in [0.5, 1]. \end{cases} \tag{2}$$

Moreover, the capacity can be attained by an efficient encoding and decoding scheme.

Lastly, we show that the optimal rates achievable against a jam-or-listen online adversary equal the corresponding optimal rates achievable against an online adversary, for each of the four combinations of 0- or $d$-delay, and additive or overwrite attacks.

Theorem 4 (jam-or-listen model) For any $p$ and $d$ in $[0, 1]$ the capacity of the $d$-delay online channel under the jam-or-listen error model is equal to that of the $d$-delay online channel:

$$C^{\mathrm{jl,add}}_d(p) = C^{\mathrm{add}}_d(p), \qquad C^{\mathrm{jl,ow}}_d(p) = C^{\mathrm{ow}}_d(p). \tag{3}$$

Moreover, the capacity can be attained by the same efficient encoding and decoding schemes as in Theorems 1, 2 and 3.

Outline of proof techniques

The proofs of Theorems 1, 2, 3 and 4 require obtaining several non-trivial upper and lower bounds on the capacity of the corresponding channel models. The lower bounds are proved constructively by presenting efficient encoding and decoding schemes operating at the optimal rates of communication. The upper bounds are typically proven by presenting strategies for Calvin that result in a probability of decoding error that is strictly bounded away from zero regardless of Alice and Bob’s encoding/decoding schemes.

Theorem 1 states that communication in the presence of a 0-delay online adversary is no easier than communicating in the presence of (the more powerful) omniscient adversary.
There already exist efficient encoding and decoding schemes that allow communication at the optimal rate of $1 - 2p$ in the presence of an omniscient adversary [10, 1]. Thus our contribution in this scenario is in the design of a strategy for Calvin that does not allow communication at a higher rate. The scheme we present is fairly straightforward, and allows Calvin to enforce a probability of error of size at least $1/4$ whenever Alice and Bob communicate at a rate higher than $1 - 2p$. Roughly speaking, Calvin uses a two-phase wait and attack strategy. In the first phase (whose length depends on $p$), Calvin does not corrupt the transmitted symbols but merely eavesdrops. He is thus able to reduce his ambiguity regarding the codeword $x$ that Alice transmits. In the second phase, using the knowledge of $x$ he has gained so far, Calvin designs an error vector to be imposed on the remaining part of the codeword that Alice is yet to transmit.

Theorem 2 states that for $d > 0$, the capacity of the $d$-delay online channel under the additive error model is $1 - p$. Note that this expression is independent of $d$. In fact, even if Calvin’s attack is delayed by just a single symbol, the rate of communication achievable between Alice and Bob is strictly greater than in the corresponding scenario in Theorem 1! The upper bound follows directly from the simple observation that Calvin can always add $pn$ random symbols from $\mathbb{F}_q$ to the first $pn$ symbols of $x$, and therefore the corresponding symbols received carry no information. The lower bound involves a non-trivial code construction. In a nutshell, we show a reduction between communicating over the $d$-delay online channel under the additive error model and communicating over an erasure channel.
In an erasure channel, the receiver Bob is assumed to know which of the $pn$ elements of the transmitted codeword $x$ were corrupted by Calvin. As one can efficiently communicate over an erasure channel with rate $1 - p$, e.g., [3], we obtain the same rate for our online channel. The main question is now: “In our model, how can Bob detect that a received symbol $y_i$ was corrupted by Calvin?” The idea is to use authentication schemes which are information theoretically secure, and lend themselves to the adversarial setting at hand. Namely, each transmitted symbol will include some internal redundancy, a signature, which upon decoding will be authenticated. As Calvin is a positive delay adversary, it is assumed that he is unaware of both the symbol being transmitted and its signature. It is enough that the signature scheme we construct be resilient against such an adversary.

In Theorem 3 both the lower and upper bound on the capacity require novel constructions. For the upper bound we refine the “wait-and-attack” strategy for Calvin outlined in the discussion above on Theorem 1, to fit the $d$-delay scenario. For the lower bound, we change Alice and Bob’s encoding/decoding schemes, outlined in the discussion above on Theorem 2, to fit the $d$-delay overwrite model. Namely, as before, Alice’s encoding scheme consists of an erasure code along with a hash function used to authenticate individual symbols. However, in general, an overwrite adversary is more powerful than an additive adversary. This is because an overwriting adversary can substitute any symbol $x_i$ by a new symbol $y_i$. Thus Calvin can choose to replace $x_i$ with a symbol $y_i$ that is a valid output of the hash function. Hence the design of the hash function for Theorem 3 is more intricate than the corresponding construction in Theorem 2.
Roughly speaking, in the scheme we propose for the $d$-delay overwrite scenario, the redundancy added to each symbol $x_i$ contains information that allows pairwise authentication (via a pairwise independent hash function). Namely, each symbol $x_i$ contains $n$ signatures $\sigma_{ij}$ (one for each symbol $x_j \in x$). Using these signatures, some pairs of symbols $x_i$ and $x_j$ can be mutually authenticated to check whether exactly one of them has been corrupted. (For instance, symbols $x_i$ and $x_j$ such that $|i - j| < dn$ can be used for mutual authentication, since when Calvin corrupts either one of them he does not yet know the value of the other.) This allows Bob to build a consistency graph containing a vertex corresponding to each received symbol, and an edge connecting mutually consistent symbols. Bob then analyzes certain combinatorial properties of this consistency graph to extract a maximal set of mutually consistent symbols. He finally inverts Alice’s erasure code to retrieve her message. We view Bob’s efficient decoding algorithm as the main technical contribution of this work.

Lastly, Theorem 4 states that a jam-or-listen adversary is still as powerful as the previously described online adversaries. This is interesting because a jam-or-listen adversary is in general weaker than an online adversary, since he never finds out the values of the symbols he corrupts. This theorem is a corollary of Theorems 1, 2 and 3 as follows. The code constructions corresponding to the lower bounds are the same as in Theorems 1, 2 and 3. As for the upper bounds, we note that the attacks described for Calvin in Theorems 1, 2 and 3 actually correspond to a jam-or-listen adversary, and hence are valid attacks for this scenario as well.

Outline

The rest of the paper is organized as follows.
In Section 2 we present a detailed description of our adversarial models together with some notation to be used throughout our work. In Section 3 we present the proof of Theorem 2. In Section 4 we present the main technical contribution of this work, the proof of Theorem 3. Theorem 1, although stated first in the Introduction, follows rather easily from the proof of Theorem 3 and is thus presented in Section B of the Appendix. Theorem 4 follows directly from Theorems 1, 2, and 3, and is thus presented in Section C of the Appendix. Some remarks and open problems are finally given in Section 5. The technical parameters of our results are summarized in Table 1 of the Appendix.

2 Definitions and Notation

For clarity of presentation we repeat and formalize the definitions presented earlier. Let $q$ be a power of some prime integer, and let $\mathbb{F}_q$ be the field of size $q$. Throughout this work we assume that the field size $q$ is exponential in $\mathrm{poly}(n)$ (although some of our results will only need a polynomial in $n$ sized $q$) and that our parameters $p$ and $d$ are constant. For any integer $i$ let $[i]$ denote the set $\{1, \ldots, i\}$. Let $R \ge 0$ be Alice’s rate. An $[n, nR]_q$-code is defined by Alice’s encoder and Bob’s corresponding decoder, as defined below.

Alice: Alice’s message $u$ is assumed to be an element of $[q^{nR}]$. In our schemes, Alice will also hold a uniformly distributed secret $r$ which is assumed to be a number of elements (say $\ell$) of $[q]$. Alice’s secret is assumed to be unknown to both Bob and Calvin prior to transmission. Alice’s encoder is a deterministic function mapping every $(w, r)$ in $[q^{nR}] \times [q]^{\ell}$ to a vector $x = (x_1, \ldots, x_n)$ in $\mathbb{F}^n$.

Calvin/Channel: We assume that Calvin is online, namely at the time that the character $x_i$ is transmitted Calvin has the knowledge of $\{x_i\}_{i \in K_i}$.
Here the knowledge set $K_i$ is a subset of $[i]$ that is defined below according to the different jamming models we study. Using his jamming function Calvin either replaces Alice’s transmitted symbol $x_i$ in $\mathbb{F}_q$ with a corresponding symbol $y_i$, or adds an error $e_i$ to $x_i$ such that Bob receives $y_i = x_i + e_i$.

In this work, Calvin’s knowledge sets must satisfy the following constraints.

Causality/$d$-delay: Calvin’s knowledge set $K_i$ is a subset of $[i - dn]$.

Jam-or-listen: If Calvin is a jam-or-listen adversary, $K_i$ is inductively defined so that it does not contain $j \le i$ such that $y_j \ne x_j$. That is, Calvin has no knowledge of any $x_i$ he corrupts.

Calvin’s jamming function must satisfy the following constraints. For each $i$, Calvin’s jamming function, and in particular the corresponding error symbol $e_i \in \mathbb{F}_q$, depends solely on the set $\{x_i\}_{i \in K_i}$, Alice’s encoding scheme, and Bob’s decoding scheme.

Additive/Overwrite: If Calvin is an additive adversary, $y_i = x_i + e_i$, with addition defined over $\mathbb{F}_q$. If Calvin is an overwrite adversary, $y_i = e_i$.

Power: Bob’s received symbol $y_i$ differs from Alice’s transmitted symbol $x_i$ for at most $pn$ values in $[i]$.

Bob: Bob’s decoder is a (potentially) probabilistic function solely of Alice’s encoder and the received vector $y$. It maps every vector $y = (y_1, \ldots, y_n)$ in $\mathbb{F}^n$ to an element $u'$ of $[q^{nR}]$.

Code parameters: Bob is said to make a decoding error if the message he decodes $u'$ differs from that encoded by Alice, $u$. The probability of error for a given message $u$ is defined as the probability, over Alice’s secret $r$, Calvin’s randomness, and Bob’s randomness, that Bob decodes incorrectly. The probability of error of the coding scheme is defined as the maximum over all $u$ of the probability of error for message $u$.
Note that these definitions imply that a successful decoding scheme allows a worst case promise. Namely, it implies high success probability no matter which message $u$ was chosen by Alice. The rate $R$ is said to be achievable if for every $\varepsilon > 0$, $\delta > 0$ and every sufficiently large $n$ there exists a computationally efficient $[n, n(R - \delta)]_q$-code that allows communication with probability of error at most $\varepsilon$. The supremum of the achievable rates is called the capacity and is denoted by $C$. We denote the capacity of the $d$-delay online adversarial channels under the additive error model by $C^{\mathrm{add}}_d(p)$ and under the overwrite error model by $C^{\mathrm{ow}}_d(p)$. For a jam-or-listen adversary we denote the corresponding capacities by $C^{\mathrm{jl,add}}_d(p)$ and $C^{\mathrm{jl,ow}}_d(p)$.

We put no computational restrictions on Calvin. This is because our proofs are information-theoretic in nature, and are valid even for a computationally unbounded adversary. However, our schemes provide computationally efficient schemes for Alice and Bob.

Remark 2.1 We can allow Calvin to be even stronger than outlined in the model above. In particular, Calvin’s jamming function can also depend on Alice’s message $u$, and our Theorems and corresponding proofs are unchanged. The crucial requirement is that each of Calvin’s jamming functions be independent of Alice’s secret $r$, conditioned on the symbols in the corresponding knowledge set. That is, the only information Calvin has of Alice’s secret, he gleans by observing $x$.

Packets: For several of our code constructions (specifically those in Theorems 2 and 3), it is conceptually and notationally convenient to view each symbol from $\mathbb{F}_q$ as a “packet” of symbols from a smaller finite field $\mathbb{F}_{q'}$ of size $q'$ instead. In particular, we assume $(q')^m = q$.
Here $m$ is an integer code-design parameter to be specified later. For a codeword $x = x_1, \ldots, x_n$, Alice treats each symbol (or packet) $x_i$ in $\mathbb{F}_q$ as $m$ sub-symbols $x_{i,1}$ through $x_{i,m}$ from $\mathbb{F}_{q'}$. Similarly, she treats her secret $r$ as $m$ sub-symbols $r_1$ through $r_m$ from $\mathbb{F}_{q'}$.

3 Proof of Theorem 2

We consider block length $n$ large enough so that $d > 1/n$. Throughout, to simplify our presentation, we assume that expressions such as $pn$ or $dn$ are integers.

We first prove that $1 - p$ is an upper bound on $C^{\mathrm{add}}_d(p)$ by showing a “random-add” strategy for Calvin. Namely, consider an adversary who chooses elements of $\mathbb{F}_q$ uniformly at random and adds them to the first $pn$ symbols in Alice’s transmissions. Thus the first $pn$ symbols Bob receives are uniformly distributed random elements of $\mathbb{F}_q$, and carry no information at all. It is not hard to verify that such an adversarial strategy allows communication between Alice and Bob at rate at most $1 - p$. This concludes our discussion for the upper bound.

We now describe how Alice and Bob achieve a rate approaching $1 - p$ with computationally tractable codes. Alice’s encoding is in two phases. In the first phase, roughly speaking, she uses an erasure code to encode the approximately $(1 - p)n$ symbols of her message $u$ into an erasure-codeword $v$ with $n$ symbols. The erasure code allows $u$ to be retrieved from any subset of at least $(1 - p)n$ symbols of the erasure-codeword $v$. In the second phase, Alice uses $n$ “short” random keys and corresponding hash functions to transform each symbol $v_i$ of the erasure-codeword $v$ into the corresponding transmitted symbol $x_i$.
This hash function is carefully constructed so that if Calvin (a positive-delay additive adversary) corrupts a symbol $x_i$, with high probability Bob is able to detect this in a computationally efficient manner by examining the corresponding received $y_i$. Bob’s decoding scheme is also a two-phase process. In the first phase he uses the hash scheme described above to discard the symbols he detects Calvin has corrupted – there are at most $pn$ such symbols. In the second phase Bob uses the remaining $(1 - p)n$ symbols and the decoder of Alice’s erasure code to retrieve her message. We assume Alice’s erasure code is efficiently encodable and decodable (for instance Reed-Solomon codes [10, 1] can be used).

In what follows we give our code construction in detail. Let $q$ be sufficiently large (to be specified explicitly later in the proof). Let $m = n^2 + 2n$. As mentioned in Section 2, Alice treats each symbol of a codeword $x = x_1, \ldots, x_n$ as a packet, by breaking each $x_i$ into $m$ sub-symbols $x_{i,1}$ through $x_{i,m}$ from $\mathbb{F}_{q'}$. She partitions $x_{i,1}$ through $x_{i,m}$ into three consecutive sequences of sub-symbols of sizes $n^2$, $n$ and $n$ respectively. The sub-symbols $x_{i,1}$ through $x_{i,n^2}$ are denoted by the set $w_i$, and correspond to the sub-symbols of $v_i$, the $i$th symbol of the erasure-codeword $v$ generated by Alice. The next $n$ sub-symbols are denoted by the set $r_i$, and consist of Alice’s secret for packet $i$, namely, $n$ sub-symbols chosen independently and uniformly at random from $\mathbb{F}_{q'}$. For each $i$, $r_i$ is chosen independently. The final $n$ sub-symbols are denoted by the set $\sigma_i$, and consist of the hash (or signature) of the information $w_i$ by the function $H_{r_i}$. Here, $H_{r_i}$ is taken from a family $\mathcal{H}$ of hash functions (known to all parties in advance) to be defined shortly.
All in all, each transmitted symbol $x_i$ of Alice consists of the tuple $(w_i, r_i, H_{r_i}(w_i))$.

We now explicitly demonstrate the construction of each $w_i$ from Alice’s message $u$. Alice chooses $R = (1 - 2n/m)(1 - p)$. Thus the message $u$ she wishes to transmit to Bob has $mnR = (m - 2n)(1 - p)n = (1 - p)n^3$ sub-symbols over $\mathbb{F}_{q'}$. Alice uses an erasure code (resilient to $pn^3$ erasures) to transform these sub-symbols of $u$ into the vector $v$ comprising $n^3$ sub-symbols over $\mathbb{F}_{q'}$. She then denotes consecutive blocks of $n^2$ sub-symbols of $v$ by the corresponding $w_i$’s. More specifically, $w_i$ consists of the sub-symbols in $v$ in locations $n^2(i - 1)$ through $n^2 i - 1$.

Before completing the description of Alice’s encoder by describing the hash family $\mathcal{H}$, we outline Bob’s decoder. Bob first authenticates each received symbol $y_i = (w'_i, r'_i, \sigma'_i)$ by checking that $H_{r'_i}(w'_i) = \sigma'_i$. He then decodes using the decoding algorithm of the erasure code on the sub-symbols in $w'_i$ of all symbols $y_i$ that pass Bob’s authentication test.

We now define our hash family $\mathcal{H}$ and show that with high probability any corrupted symbol $y_i \ne x_i$ will not pass Bob’s authentication check. More specifically, we study only corrupted symbols $y_i \ne x_i$ for which $w'_i \ne w_i$. (If $w'_i = w_i$, the erasure decoder described above will not make an error.) Let $e_i$ be the error imposed by Calvin in the transmission of the $i$’th packet $x_i$. Hence for an additive adversary Calvin, $e_i$ is defined by $y_i = x_i + e_i$. Analogously to the corresponding sub-divisions of $x_i$ and $y_i$, we decompose $e_i$ into the tuple $(\hat{w}_i, \hat{r}_i, \hat{\sigma}_i)$.
In particular, we define the sets $\hat{w}_i$, $\hat{r}_i$ and $\hat{\sigma}_i$ so as to satisfy $w'_i = w_i + \hat{w}_i$, $r'_i = r_i + \hat{r}_i$ and $\sigma'_i = \sigma_i + \hat{\sigma}_i$ (addition is performed by element-wise addition over $\mathbb{F}_{q'}$ of corresponding sub-symbols in each set). For Bob to decode correctly, the property that $y_i$ fails Bob's authentication test if $\hat{w}_i \neq 0$ needs to be satisfied with high probability. More formally, noting that $r_i$ is not known to Calvin and thus independent of $\hat{w}_i$, we need for all $i$ and all $e_i$ such that $\hat{w}_i \neq 0$, that $\Pr_{r_i}[H_{r'_i}(w'_i) = \sigma'_i \mid H_{r_i}(w_i) = \sigma_i]$ is sufficiently small. Or equivalently, $\Pr_{r_i}[H_{r_i + \hat{r}_i}(w_i + \hat{w}_i) = \sigma_i + \hat{\sigma}_i \mid H_{r_i}(w_i) = \sigma_i] = \Pr_{r_i}[H_{r_i + \hat{r}_i}(w_i + \hat{w}_i) - H_{r_i}(w_i) = \hat{\sigma}_i]$ is sufficiently small.

To complete our proof we present our hash family $\mathcal{H}$. Recall that $w_i$ consists of $n^2$ sub-symbols in $\mathbb{F}_{q'}$. Let $W_i$ represent $w_i$ when arranged as an $n \times n$ matrix. Let $\mathbf{r}_i$ be a column vector of $n$ symbols corresponding to $r_i$. We define the value of the hash $H_{r_i}(w_i)$ as the length-$n$ column vector $\boldsymbol{\sigma}_i$ defined as $W_i \mathbf{r}_i$. Thus for the corresponding errors $\hat{w}_i \neq 0$, $\hat{r}_i$, $\hat{\sigma}_i$ defined above, $H_{r_i + \hat{r}_i}(w_i + \hat{w}_i) - H_{r_i}(w_i) = \hat{\sigma}_i$ iff $(W_i + \hat{W}_i)(\mathbf{r}_i + \hat{\mathbf{r}}_i) - W_i \mathbf{r}_i = \hat{\boldsymbol{\sigma}}_i$. Here $\hat{W}_i$ is the matrix representation of $\hat{w}_i$, and $\hat{\mathbf{r}}_i$, $\hat{\boldsymbol{\sigma}}_i$ correspond to $\hat{r}_i$, $\hat{\sigma}_i$. Namely, the corrupted symbol received by Bob is authenticated only if $\hat{W}_i \mathbf{r}_i = \hat{\boldsymbol{\sigma}}_i - (W_i + \hat{W}_i)\hat{\mathbf{r}}_i$. For Calvin to corrupt Alice's transmission, we assume that $\hat{w}_i \neq 0$ or equivalently $\hat{W}_i \neq 0$, therefore the rank of $\hat{W}_i$ is at least 1. Now, in $\hat{W}_i \mathbf{r}_i = \hat{\boldsymbol{\sigma}}_i - (W_i + \hat{W}_i)\hat{\mathbf{r}}_i$, the left hand side depends on $\mathbf{r}_i$ while the right hand side does not. Hence the equation is satisfied by at most $(q')^{n-1}$ values for the vector $\mathbf{r}_i$.
Since $\mathbf{r}_i$ is uniformly distributed over $(\mathbb{F}_{q'})^n$ and unknown to Calvin, the probability of a decoding error is at most $1/q' = o(n^{-1})$ if $q'$ is chosen to be $n \cdot \omega(1)$.

All in all, our communication scheme succeeds if each corrupted symbol with $\hat{w}_i \neq 0$ fails the authentication test. This happens with probability at least $1 - n/q' = 1 - o(1)$ as desired. Taking $m = n^2 + 2n$ the rate of the code is $(1 - o(1))(1 - p)$ and the field size needed is $(q')^m = \exp(\mathrm{poly}(n))$.

4 Proof of Theorem 3

Proof of Upper bound: We start by addressing the three cases in the upper bound on the capacity $C^{\mathrm{ow}}_d(p)$. First, if $p < d$, Calvin corrupts the first $pn$ symbols uniformly at random as in the proof of Theorem 2 to attain an upper bound of $1 - p$ on the achievable rate.

Second, if $p \geq 1/2$ and the rate $R > 0$ is positive, Calvin picks a codeword $x'$ uniformly at random from Alice's codebook. With probability at least $1 - q^{-Rn}$, Alice's true codeword $x$ is distinct from the codeword $x'$. Calvin then flips an unbiased coin, and depending on the outcome he corrupts either the first half or the second half of $x$. This corruption is done by replacing the symbols of $x$ by the corresponding symbols of $x'$. If indeed $x \neq x'$, Bob has no way of determining whether Alice transmitted $x$ or $x'$. Thus, Bob's probability of decoding incorrectly is at least $\frac{1}{2}(1 - q^{-Rn}) \geq \frac{1}{4}$ for large enough $q$ and/or $n$.

Finally, if $d < p < 1/2$, we present a "wait-and-attack" strategy for Calvin to prove that $1 - 2p + d$ is an upper bound on $C^{\mathrm{omni}}_d(p)$. Suppose not, and that rate $R = 1 - 2p + d + \varepsilon$ is achievable for some $\varepsilon > 0$. Then there are $q^{Rn}$ possible messages in Alice's codebook. Calvin starts by eavesdropping on, but not corrupting, the first $(R - \varepsilon)n$ symbols Alice transmits.
He then overwrites the next $dn$ symbols with symbols chosen uniformly at random from $\mathbb{F}_q$. These $dn$ locations convey no information to Bob. At this point (after Alice transmits $(R + d - \varepsilon)n$ symbols), the $d$-delay Calvin only knows the value of the first $(R - \varepsilon)n$ symbols of $x$. It can be verified that with probability at least $1 - q^{-\varepsilon n/2}$ over Alice's codebook, after Alice's first $(R + d - \varepsilon)n$ transmitted symbols, the set $S$ of codewords consistent with what Bob and Calvin have observed thus far is of size at least $q^{\varepsilon n/2}$. Calvin then picks a random $x'$ from $S$. With probability at least $1 - q^{-\varepsilon n/2}$, $x'$ is distinct from Alice's $x$. Calvin then flips an unbiased coin, and depending on the outcome he corrupts either the first half or the second half of the remaining $(1 - (R + d - \varepsilon))n = 2(p - d)n$ symbols of $x$. This corruption is done by replacing the symbols of $x$ by the corresponding symbols of $x'$. If indeed $x \neq x'$, Bob has no way of determining whether Alice transmitted $x$ or $x'$. Thus Bob's probability (over the message set and over the choice of Calvin) of decoding incorrectly is at least $\frac{1}{2}(1 - q^{-\varepsilon n/2})^2 \geq \frac{1}{4}$.

Proof of Lower bound: We now prove that the rate $C^{\mathrm{ow}}_d(p)$ specified in Theorem 3 is indeed achievable with a computationally tractable code. The scheme we present covers all positive rates in the rate-region specified in Theorem 3, i.e., whenever $p < 1/2$. In particular the rate $R$ of our codes equals $1 - p$ if $d > p$, and equals $1 - 2p + d$ if $d < p$. Our scheme follows roughly the ideas that appear in the scheme of Section 3. Namely, Alice's encoding scheme comprises an erasure code along with a hash function used for authentication.
However, in general, an overwrite adversary is more powerful than an additive adversary, because it can be directly shown that an overwriting adversary can substitute any symbol $x_i$ by a new symbol $y_i$ that can pass the authentication scheme used by Bob in Section 3. We thus propose a more elaborate authentication scheme in which each symbol $x_i$ contains information that allows for pairwise authentication with every other symbol $x_j$.

Using notation similar to that of Section 3, let $u$ be the message Alice would like to transmit to Bob, and $v = v_1, \ldots, v_n$ be the encoding of $u$ via an efficiently encodable and decodable erasure code (here we use Reed-Solomon codes). Let $q$ be sufficiently large (to be specified explicitly later in the proof). Let $m = n^4 + 2n^3$ (note that this is significantly larger than in Theorem 2). As mentioned in Section 2, Alice treats each symbol of a codeword $x = x_1, \ldots, x_n$ as a packet, by breaking each $x_i$ into $m$ sub-symbols $x_{i,1}$ through $x_{i,m}$ from $\mathbb{F}_{q'}$. She partitions $x_{i,1}$ through $x_{i,m}$ into three consecutive sequences of sub-symbols of sizes $n^4$, $n^3$ and $n^3$ respectively. The sub-symbols $x_{i,1}$ through $x_{i,n^4}$ are denoted by the set $w_i$, and correspond to the sub-symbols of $v_i$, the $i$th symbol of the erasure-codeword $v$ generated by Alice. The next $n^3$ sub-symbols are arranged into $n$ sets of $n^2$ sub-symbols each, denoted by the sets $r_{ij}$ for each $j \in [n]$, and consist of Alice's secret for packet $i$. That is, each $r_{ij}$ consists of $n^2$ sub-symbols chosen independently and uniformly at random from $\mathbb{F}_{q'}$. For each $i$ and $j$, $r_{ij}$ is chosen independently. The final $n^3$ sub-symbols are arranged into $n$ sets of $n^2$ sub-symbols each, denoted by the sets $\sigma_{ij}$ for each $j \in [n]$, and consist of the pairwise hashes of the symbols $x_i$ and $x_j$.
We define $\sigma_{ij}$ to be $H_{r_{ij}}(w_j)$, where $H_{r_{ij}}$ is taken from (a slight variation to) a pairwise independent family $\mathcal{H}$ (known in advance to all parties). Namely, $\sigma_{ij}$ is the hash of the information from $x_j$ using a key from the transmitted symbol $x_i$. All in all, each transmitted symbol $x_i$ of Alice consists of the tuple $(w_i, \{r_{ij}\}_j, \{H_{r_{ij}}(w_j)\}_j)$. Here $j = 1, \ldots, n$.

We now explicitly demonstrate the construction of each $w_i$ from Alice's message $u$. Alice chooses $R = (1 - (2n^3)/m)C$, where $C$ is an abbreviation of the capacity $C^{\mathrm{ow}}_d(p)$ specified in Theorem 3. Note that $R$ equals $C$ asymptotically in $n$ and $m$. Thus the message $u$ she wishes to transmit to Bob has $mRn = (m - 2n^3)Cn = Cn^5$ sub-symbols over $\mathbb{F}_{q'}$. Alice uses an erasure code (resilient to $(1 - C)n^5$ erasures) to transform these sub-symbols of $u$ into the vector $v$ comprising $n^5$ sub-symbols over $\mathbb{F}_{q'}$. She then denotes consecutive blocks of $n^4$ sub-symbols of $v$ by corresponding $w_i$'s. More specifically, $w_i$ consists of the sub-symbols in $v$ in locations $n^4(i-1) + 1$ through $n^4 i$. Here $i = 1, \ldots, n$.

The remainder of the proof is as follows. We first discuss the property of the family $\mathcal{H}$ of hash functions in use, needed for our analysis. We then describe and analyze Bob's decoding algorithm.

As mentioned above we use a (variation to a) pairwise independent hash family $\mathcal{H} = \{H_r\}$ with the property that for all $w'_j \neq w_j$, the probability over $r_{ij}$ that $H_{r_{ij}}(w'_j)$ equals $H_{r_{ij}}(w_j)$ is sufficiently small. Such functions are common in the literature (e.g., see [8, 7]). In fact, we use essentially the same hashes as in Theorem 2, except with different inputs and dimension. Namely, let $W_i$ and $W'_i$ represent $w_i$ and $w'_i$ respectively arranged as $n^2 \times n^2$ matrices. Let $\mathbf{r}_{ij}$ be a length-$n^2$ column vector of symbols corresponding to $r_{ij}$.
We define the hash $H_{r_{ij}}(w_j)$ as the column vector $\boldsymbol{\sigma}_{ij} = W_j \mathbf{r}_{ij}$. Note that $H_{r_{ij}}(w'_j) = H_{r_{ij}}(w_j)$ means that $W'_j \mathbf{r}_{ij} = W_j \mathbf{r}_{ij}$, which implies that $(W'_j - W_j)\mathbf{r}_{ij} = 0$. But by assumption $w'_j \neq w_j$, so $W'_j \neq W_j$, and so $W'_j - W_j$ is of rank at least 1. Thus a random $\mathbf{r}_{ij}$ satisfies $(W'_j - W_j)\mathbf{r}_{ij} = 0$ with probability $\leq 1/q'$.

We now define Bob's decoder. Let $x_i$, $x_j$ be two symbols transmitted by Alice, and $y_i$, $y_j$ be the corresponding symbols received by Bob. Consider the information $w_i$, the secret $r_{ij}$ and the hash value $\sigma_{ij}$ in $x_i$, and let $w'_i$, $r'_{ij}$ and $\sigma'_{ij}$ be the corresponding (potentially corrupted) values in $y_i$. Similarly consider the components of $x_j$ and $y_j$. Bob checks for mutual consistency between $y_i$ and $y_j$. Namely, the pair $y_i$ and $y_j$ are said to be mutually consistent if both $\sigma'_{ij} = H_{r'_{ij}}(w'_j)$ and $\sigma'_{ji} = H_{r'_{ji}}(w'_i)$. Clearly, if both $y_i$ and $y_j$ are uncorrupted versions of $x_i$ and $x_j$ respectively, they are mutually consistent. By the analysis above of $H_{r_{ij}}$, if Calvin does not know the value of $r_{ij}$, does not corrupt $x_i$ but corrupts $w_j$, then the probability over $r_{ij}$ that $y_i$ and $y_j$ are consistent is at most $1/q'$. This is because $\sigma'_{ij} = \sigma_{ij} = H_{r_{ij}}(w_j)$, $r'_{ij} = r_{ij}$, and w.h.p. $H_{r_{ij}}(w_j) \neq H_{r_{ij}}(w'_j)$. We conclude:

Lemma 4.1 With probability at least $1 - 1/q'$, the following $y_i$ and $y_j$ are mutually inconsistent.
(i) Causality: If $i > j$, $x_i = y_i$ and $w'_j \neq w_j$.
(ii) $d$-delay: If $|i - j| < dn$, and Calvin corrupts exactly one of the symbols $x_i$ and $x_j$ so that either $w_i \neq w'_i$ or $w_j \neq w'_j$.

Bob decodes via the $d$-Delay Online Overwriting Disruptive Adversary Decoding ($d$-DOODAD) Algorithm, described in detail below. We first give a high-level overview of the three major steps of $d$-DOODAD.
Bob's first step is to test pairs of received symbols $(y_i, y_j)$ for mutual consistency. In particular he considers only pairs of symbols separated by at most $dn$ locations; in this event Lemma 4.1(ii) implies that Bob detects the corruption of exactly one of a pair of symbols with high probability.

Based on the $O(dn^2)$ tests in the first step, in the second step he enumerates subsets of $\{y_1, \ldots, y_n\}$ of received symbols as "candidate subsets" for decoding via Alice's erasure code. In particular, each of the candidate subsets satisfies the natural property that it contains at least $(1 - p)n$ mutually consistent $y_i$'s. Naïvely, this enumeration seems computationally intractable since there may be as many as $\binom{n}{(1-p)n}$ such sets. However, there is also a more intricate combinatorial property (Step 2(c) in the $d$-DOODAD algorithm below) that candidate subsets must satisfy; we discuss this property after presenting the details of the algorithm. The effect of Step 2 below is to drastically curtail the number of candidate subsets that Bob needs to consider, to at most $n^{p/d}$, hence ensuring that this step is still computationally tractable.

In the third step, for each of the candidate subsets generated in the previous step, Bob uses the decoder for Alice's erasure code to generate a set of linear equations that the sub-symbols of her message $u$ must satisfy. Then we claim that any candidate subset that has even one corrupted symbol must generate a set of inconsistent linear equations. Hence Bob decodes by using the decoder for Alice's erasure code on the unique candidate subset that generates a consistent set of linear equations. As we will see, the error probability of our scheme will be $n^2/q'$, which is $o(1)$ if we set $q = \exp(\mathrm{poly}(n))$. The details of $d$-DOODAD now follow.
We define a connected component $\mathcal{G}_i$ of an undirected graph $\mathcal{G}$ as a connected subgraph of $\mathcal{G}$ such that there is no edge in $\mathcal{G}$ between any vertex in $\mathcal{G}_i$ and any vertex outside it. Also, let $L$ be the linear transform of the Reed-Solomon code that takes the length-$Cn^5$ column vector $\mathbf{u}$ of Alice's message $u$ to the length-$n^5$ column vector of the erasure codeword $v$. Hence $L\mathbf{u} = \mathbf{v}$. Let the column vector of sub-symbols corresponding to $\mathbf{v}$ in the transmission Bob receives be denoted $\mathbf{w}'$. For any subset $I \subseteq [n^5]$ of size $Cn^5$, let $L_I$, $\mathbf{v}_I$ and $\mathbf{w}'_I$ be respectively defined as the restrictions to the $i$th rows/indices of $L$, $\mathbf{v}$ and $\mathbf{w}'$ respectively, for all $i \in I$.

$d$-Delay Online Overwriting Disruptive Adversary Decoding ($d$-DOODAD) Algorithm:

1. Bob constructs a $d$-distance mutual consistency graph $\mathcal{G}$ with vertex set $\{y_1, \ldots, y_n\}$ and edge-set comprising all mutually consistent pairs $(y_i, y_j)$ such that $|i - j| < nd$ (but no other edges). Thus $\mathcal{G}$ comprises $\ell \leq n$ connected components $\{\mathcal{G}_1, \ldots, \mathcal{G}_\ell\}$.

2. Let $\mathcal{K}$ be a subset of $[\ell]$. We define the candidate subset $\mathcal{C}(\mathcal{K})$ of $\mathcal{G}$ as the set $\{\mathcal{G}_k \mid k \in \mathcal{K}\}$ of connected components in $\mathcal{G}$. If the size of $\mathcal{K}$ is $j$, we say $\mathcal{C}(\mathcal{K})$ has size $j$. Bob enumerates all possible candidate subsets $\mathcal{C}(\mathcal{K})$ of $\mathcal{G}$ such that
   (a) The candidate subset $\mathcal{C}(\mathcal{K})$ has size at most $c = p/d$.
   (b) The number of vertices in the subgraphs in $\mathcal{C}(\mathcal{K})$ is at least $(1 - p)n$.
   (c) Each pair of vertices $y_i$ and $y_j$ in the union of the subgraphs in $\mathcal{C}(\mathcal{K})$ are mutually consistent.

3. Let $\bar{\mathcal{K}} \subseteq [n^5]$ be the set comprising indices in $\mathbf{w}'$ corresponding to all symbols $y_i$ in the components $\mathcal{C}(\mathcal{K})$. Bob picks an arbitrary subset $I \subset \bar{\mathcal{K}}$ of size $Cn^5$. If $L_{\bar{\mathcal{K}}} L_I^{-1} \mathbf{w}'_I = \mathbf{w}'_{\bar{\mathcal{K}}}$, he decodes $u$ as the sub-symbols in the vector $L_I^{-1} \mathbf{w}'_I$. Otherwise he discards $\mathcal{K}$ and returns to the beginning of Step 3.
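Steps 1 and 2(c) of the algorithm above, together with the pairwise hash $\sigma_{ij} = W_j \mathbf{r}_{ij}$, can be exercised on a toy instance. The following is an added example, not code from the paper; the prime `P`, the small packet dimension `k` (the paper uses $n^2 \times n^2$ matrices) and the simple adversary that overwrites a run of symbols with forgeries consistent only with each other are all assumptions made for illustration.

```python
import random

P = 2**31 - 1  # assumed prime standing in for the sub-symbol field F_{q'}

def rand_vec(rng, k):
    return tuple(rng.randrange(P) for _ in range(k))

def rand_mat(rng, k):
    return tuple(rand_vec(rng, k) for _ in range(k))

def mat_vec(W, r):
    """The hash H_r(w) = W r, computed over F_{q'}."""
    return tuple(sum(a * b for a, b in zip(row, r)) % P for row in W)

def encode(infos, rng):
    """Alice: packet i = (w_i, {r_ij}_j, {sigma_ij = W_j r_ij}_j)."""
    n, k = len(infos), len(infos[0])
    packets = []
    for i in range(n):
        keys = [rand_vec(rng, k) for _ in range(n)]
        tags = [mat_vec(infos[j], keys[j]) for j in range(n)]
        packets.append((infos[i], keys, tags))
    return packets

def overwrite_run(packets, run, rng):
    """Constructed adversary: replaces the symbols in `run` with forged packets
    whose tags are valid for the other forgeries and guessed for the rest."""
    n, k = len(packets), len(packets[0][0])
    forged_w = {j: rand_mat(rng, k) for j in run}
    received = list(packets)
    for j in run:
        keys = [rand_vec(rng, k) for _ in range(n)]
        tags = [mat_vec(forged_w[t], keys[t]) if t in forged_w
                else rand_vec(rng, k) for t in range(n)]
        received[j] = (forged_w[j], keys, tags)
    return received

def mutually_consistent(received, i, j):
    """Bob's test: sigma'_ij = H_{r'_ij}(w'_j) and sigma'_ji = H_{r'_ji}(w'_i)."""
    w_i, keys_i, tags_i = received[i]
    w_j, keys_j, tags_j = received[j]
    return (tags_i[j] == mat_vec(w_j, keys_i[j])
            and tags_j[i] == mat_vec(w_i, keys_j[i]))

def consistency_components(received, window):
    """Step 1: edges join mutually consistent pairs with |i - j| < window (= dn);
    returns the connected components as sorted index lists."""
    n = len(received)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in range(i + 1, min(n, i + window)):
            if mutually_consistent(received, i, j):
                adj[i].add(j)
                adj[j].add(i)
    seen, comps = set(), []
    for s in range(n):
        if s in seen:
            continue
        seen.add(s)
        stack, comp = [s], []
        while stack:
            v = stack.pop()
            comp.append(v)
            for u in adj[v] - seen:
                seen.add(u)
                stack.append(u)
        comps.append(sorted(comp))
    return comps

def all_pairs_consistent(received, vertices):
    """Step 2(c): every pair in a candidate union must be mutually consistent."""
    return all(mutually_consistent(received, i, j)
               for a, i in enumerate(vertices) for j in vertices[a + 1:])

def demo(run, n=12, k=3, window=3, seed=1):
    rng = random.Random(seed)
    infos = [rand_mat(rng, k) for _ in range(n)]
    received = overwrite_run(encode(infos, rng), run, rng)
    return received, consistency_components(received, window)

if __name__ == "__main__":
    for run in ([5], [4, 5, 6]):
        print(run, demo(run)[1])
```

A forged run at least as long as the window splits the uncorrupted symbols into two components, which is why Step 2 has to consider unions of components rather than single ones.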
Claim 4.1 The $d$-DOODAD algorithm decodes Alice's message correctly with probability at least $1 - n^2/q'$.

Proof: Throughout we assume that Lemma 4.1 holds for all corresponding $y_i$ and $y_j$ (by the union bound this happens with probability at least $1 - n^2/q'$). Thus corrupted $y_i$ and uncorrupted $y_j$ are non-adjacent in $\mathcal{G}$.

We first prove that at least one $\mathcal{C}(\mathcal{K})$ with only uncorrupted symbols satisfies Steps 2 and 3. We examine the three conditions of Step 2. By the definition of mutual consistency any set with only uncorrupted symbols satisfies Step 2(c). Since Calvin can corrupt at most $pn$ symbols, there must be some $\mathcal{C}(\mathcal{K})$ satisfying Step 2(b). To prove that $\mathcal{C}(\mathcal{K})$ also satisfies Step 2(a), we observe the following. If Calvin does not corrupt at least $dn$ consecutive symbols between two uncorrupted symbols $y_i$ and $y_j$ (say $i < j$), there must be a sequence of at most $j - i + 1$ uncorrupted symbols with indices $i = k_0 \leq k_1 \leq k_2 \leq \ldots \leq k_{j-i} = j$ such that any two consecutive symbols in the sequence have indices that differ by less than $dn$. Then by the definition of $\mathcal{G}$, both $y_i$ and $y_j$ must be in the same connected component of $\mathcal{G}$. But there are at most $pn$ corrupted symbols, hence there are at most $c = p/d$ disjoint sequences of $nd$ consecutive corrupted symbols (and thus at most $c$ components in $\mathcal{C}(\mathcal{K})$).

Lastly, we show that any $\mathcal{C}(\mathcal{K})$ with only uncorrupted symbols and satisfying Step 2 must also satisfy Step 3. To see this, note that any such $\mathcal{C}(\mathcal{K})$ has at least $(1 - p)n$ symbols from $\mathbb{F}_q$. Thus, by the definitions of $m$ and $C$ for Theorem 3, $\mathcal{C}(\mathcal{K})$ has at least $(1 - p)n^5 \geq Cn^5$ uncorrupted sub-symbols over $\mathbb{F}_{q'}$. Also, since $\mathcal{C}(\mathcal{K})$ comprises solely of uncorrupted symbols, $\mathbf{w}'_{\bar{\mathcal{K}}} = \mathbf{v}_{\bar{\mathcal{K}}}$, hence for any $I$, $\mathbf{w}'_I = \mathbf{v}_I$. But by the properties of erasure codes, $L_I^{-1} \mathbf{v}_I = \mathbf{u}$, Alice's message vector.
Thus $L_{\bar{\mathcal{K}}} L_I^{-1} \mathbf{w}'_I = L_{\bar{\mathcal{K}}} \mathbf{u} = \mathbf{v}_{\bar{\mathcal{K}}} = \mathbf{w}'_{\bar{\mathcal{K}}}$.

We now show that there does not exist any $\mathcal{C}(\mathcal{K}')$ such that the corresponding output of the $d$-DOODAD algorithm $u(\mathcal{C}(\mathcal{K}'))$ differs from Alice's real message $u$. We prove this by contradiction. Suppose a $\mathcal{C}(\mathcal{K}')$ passes all the decoding steps of the $d$-DOODAD algorithm and results in a $u(\mathcal{C}(\mathcal{K}'))$ distinct from Alice's message $u$. We now make a series of observations that successively refine the structure of such a $\mathcal{C}(\mathcal{K}')$, resulting in the conclusion that, w.h.p., $\mathcal{C}(\mathcal{K}')$ contains no uncorrupted symbols, and therefore $u(\mathcal{C}(\mathcal{K}')) = u$.

First, note that $\mathcal{C}(\mathcal{K}')$ must contain uncorrupted symbols to pass Step 2(b), since $p < 1/2$. In addition, to pass Step 2(c), by Lemma 4.1(i), all the uncorrupted symbols of $\mathcal{C}(\mathcal{K}')$ must come before all the symbols corrupted by Calvin.

Now notice that the uncorrupted and the corrupted symbols in $\mathcal{C}(\mathcal{K}')$ must be separated by a separating set $\mathcal{R}$ of at least $nd$ consecutive symbols not in $\mathcal{C}(\mathcal{K}')$. If not, Lemma 4.1(ii) would imply that w.h.p. $\mathcal{C}(\mathcal{K}')$ does not satisfy Step 2(c) of $d$-DOODAD.

Now note that the separating set $\mathcal{R}$ must contain at least $dn$ consecutive symbols corrupted by Calvin. This follows from the fact that $\mathcal{C}(\mathcal{K}')$ consists of connected components. Namely, if $\mathcal{R}$ contains less than $dn$ corrupted symbols, there must exist an uncorrupted symbol $y_i$ and a corrupted symbol $y_j$, both in $\mathcal{C}(\mathcal{K}')$, satisfying $|j - i| < dn$. But this by Lemma 4.1(ii) would contradict Step 2(c). Notice that if $d > p$ we may conclude our proof at this point.

We now observe that there are at most $(p - d)n$ corrupted symbols in $\mathcal{C}(\mathcal{K}')$. This follows from the fact that $\mathcal{R}$ contains $dn$ consecutive symbols corrupted by Calvin (not in $\mathcal{C}(\mathcal{K}')$), and the fact that Calvin can corrupt at most $pn$ symbols.
This, together with Step 2(b) of $d$-DOODAD, implies that the component set $\mathcal{C}(\mathcal{K}')$ contains a proper subset $\mathcal{C}(\mathcal{K}'')$ with at least $Cn$ uncorrupted symbols.

Finally, let $I$ be any subset of $Cn^5$ uncorrupted sub-symbols in $\mathcal{C}(\mathcal{K}'')$. Let $I'$ be any other subset of $Cn^5$ symbols in $\mathcal{C}(\mathcal{K}'')$. Consider the corresponding message vectors $\mathbf{u} = L_I^{-1} \mathbf{w}'_I$ and $\mathbf{u}' = L_{I'}^{-1} \mathbf{w}'_{I'}$ that Step 3 of $d$-DOODAD may decode to. Since $\bar{\mathcal{K}}'$ is of size at least $(1 - p)n^5$, by the property of erasure codes [6], if $\mathbf{u}' \neq \mathbf{u}$, then $L_{\bar{\mathcal{K}}'} \mathbf{u}' \neq L_{\bar{\mathcal{K}}'} \mathbf{u}$. Thus $L_{\bar{\mathcal{K}}'} L_{I'}^{-1} \mathbf{w}'_{I'} \neq L_{\bar{\mathcal{K}}'} L_I^{-1} \mathbf{w}'_I = L_{\bar{\mathcal{K}}'} \mathbf{u} = \mathbf{w}'_{\bar{\mathcal{K}}'}$, contradicting Step 3.

5 Conclusion

In this work we characterize the capacity of online adversarial channels and their variants under the additive and overwrite error models. Our results are tight and coding schemes efficient. Throughout, we assume that the communication is over a size $q$ alphabet, assumed to be large compared to the block-length $n$. An intriguing problem left untouched in this work concerns communication in the online adversarial setting over "small", e.g. binary, alphabets. The authentication schemes used extensively in this work depend integrally on the alphabet size being large. They do not extend naïvely to the binary alphabet case, where new techniques seem to be needed.

References

[1] E. R. Berlekamp. Algebraic Coding Theory. McGraw Hill, New York, NY, 1968.
[2] D. Blackwell, L. Breiman, and A. J. Thomasian. The capacities of certain channel classes under random coding. The Annals of Mathematical Statistics, 31(3):558–567, 1960.
[3] T. M. Cover and J. A. Thomas. Elements of information theory, 2nd edition. Wiley-Interscience, New York, NY, USA, 2006.
[4] I. Csiszár and J. Korner. Information Theory: Coding Theorems for Discrete Memoryless Systems, 2nd edition.
Akademiai Kiado, New York, NY, 1997.
[5] S. Jaggi, M. Langberg, T. Ho, and M. Effros. Correction of Adversarial Errors in Networks. In proceedings of IEEE International Symposium on Information Theory (ISIT), pages 1455–1459, 2005.
[6] F.J. MacWilliams and N.J.A. Sloane. The theory of error-correcting codes. North-Holland, Amsterdam, 1977.
[7] M. Mitzenmacher and E. Upfal. Probability and Computing, Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, Cambridge, UK, 2005.
[8] R. Motwani and P. Raghavan. Randomized Algorithms. Cambridge University Press, New York, NY, USA, 1995.
[9] L. Nutman and M. Langberg. Adversarial Models and Resilient Schemes for Network Coding. In proceedings of IEEE International Symposium on Information Theory, pages 171–175, 2008.
[10] W. W. Peterson. Encoding and error-correction procedures for Bose-Chaudhuri codes. IRE Transactions on Information Theory, IT-60:459–470, 1960.
[11] A. Sahai and S. Mitter. The necessity and sufficiency of anytime capacity for stabilization of a linear system over a noisy communication link, Part I: scalar systems. IEEE Transactions on Information Theory, 52(8):3369–3395, 2006.
[12] A. Sarwate. Robust and adaptive communication under uncertain interference. PhD thesis, Berkeley, 2008.

A List of parameters of our codes

| Result | Capacity | Minimum $q$ | Complexity | Probability of Error |
|---|---|---|---|---|
| Theorem 1 | $1 - 2p$ | $q > n$ | $O(n^2 \log n \log^3 q)$ | $0$ |
| Theorem 2 | $1 - p$ | $n^{\Omega(1/\delta^2)}$ | $O(n^2 \log n \log^3 q)$ | $O(n q^{-\delta^2})$ |
| Theorem 3, $d < p < 0.5$ | $1 - 2p + d$ | $n^{\Omega(n^2/\delta^2)}$ | $O(n^{p/d+2} \log n \log^3 q)$ | $O(n^2 q^{-\delta^2/n^2})$ |
| Theorem 3, $p < d$, $p < 0.5$ | $1 - p$ | $n^{\Omega(n^2/\delta^2)}$ | $O(n^2 \log n \log^3 q)$ | $O(n^2 q^{-\delta^2/n^2})$ |

Table 1: Bounds on the capacity $C$, alphabet size $q$ required to achieve capacity, computational complexity, and probability of error, of our main results.
The bounds are in terms of the parameters $p$ (adversary's power), $d$ (adversary's delay), $n$ (block-length), $q$ (field-size), and $\delta$ (difference between the capacity $C$ and rate $R$).

Table 1 is obtained by careful analysis of the parameters of the algorithms corresponding to Theorems 1, 2 and 3. The corresponding values for the scenarios in Theorem 4 are omitted since they are element-wise identical to those in the table. The values in Table 1 substitute the rate-overhead parameter $\delta$ for the packet-size parameter $m$ used in the proofs of Theorems 2 and 3 since we feel this choice of variables is more "natural" when examining the tradeoffs between code parameters. Also, the algorithms presented in the proofs of Theorems 2 and 3 correspond to a particular setting of the $\delta$ parameter; we omitted this degree of freedom in the presentation of the proofs, for ease of exposition. Lastly, no effort has been made to optimize the tradeoffs between the parameters in Table 1; in fact, we have preliminary results on schemes that improve on some of these parameters (work in progress).

B Proof of Theorem 1

As discussed in the Introduction, the lower bound of Theorem 1 follows from known constructions [10, 1]. To complete the proof, then, all that is needed is a corresponding upper bound on the capacity. The required upper bound is novel. However, it is a special case of the upper bound of Theorem 3, and follows directly if the parameter $d$ in the corresponding proof is set to zero.

C Proof of Theorem 4

In the jam-or-listen online model, Calvin is assumed to be unaware of the value of the symbols $x_i$ that he corrupts. Theorem 4 states that a jam-or-listen adversary is still as powerful as the previously described online adversaries, and is actually a corollary of Theorems 1, 2 and 3.
First of all, the code constructions corresponding to the lower bounds are the same as in Theorems 1, 2 and 3. As for the upper bounds, it is not hard to verify that the attacks for Calvin outlined in each of the settings addressed in the paper correspond to a jam-or-listen adversary, and hence are valid attacks for this scenario as well.