#### Abstract

Some peer-to-peer streaming systems make use of linear codes to reduce the rate of the data uploaded by peers with limited upload capabilities. Such “data reduction” techniques are based on a vector-space approach and produce the data to be uploaded by means of linear combinations of the content data in a suitable finite field. In this paper, we propose a more general approach based on group theory. The new approach, while including the vector space approach as a special case, allows to design schemes that cannot be modeled as linear codes. We analyze the properties of the schemes based on the new approach, showing also how a group-based scheme can be used to prevent stream poisoning and how a group-based scheme can be converted into a secret-sharing scheme. Examples of group-based schemes that cannot be described in the vector-space framework are also shown.

#### 1. Introduction

A problem that is currently attracting attention in the research community is the problem of streaming live content to a large number of nodes. The main issue to be solved is due to the amount of upload bandwidth required to the server that, unless multicast is used, is equal to the bandwidth required by a single viewer multiplied by the number of viewers. Although multicast is a possible solution, it has its drawbacks too, especially if the audience is spread among several different autonomous systems (AS).

An approach that recently attracted interest in the research community is the use of peer-to-peer (P2P) solutions. With the P2P approach, each viewer resends the received data to other users, and, ideally, if each user retransmitted the video to another user, the server would just need to “feed” a handful of nodes, and the network would take care of itself. Unfortunately, the application of the P2P paradigm to multimedia streaming has some difficulties. Maybe the most important one is due to the fact that the typical residential user have enough *download* bandwidth to receive the stream but not enough upload bandwidth to retransmit it. This makes the application of the P2P paradigm to video streaming not trivial.

Some peer-to-peer streaming systems [1–5] propose the use of linear codes (someone interprets this approach as an instance of network coding [6]) to overcome the asymmetric bandwidth problem. In order to adapt the upload bandwidth to the user capabilities, the node combines the content data by means of some linear combinations and forwards the result. If the node has a reduced upload bandwidth, the forwarded linear combinations will not be sufficient to recover the original content, but a node can contact more than one peer to receive different sets of linear combinations in order to be able to recover the content data.

The approaches proposed in [1–5] reduce the required data rate by using linear codes obtained as linear transformations of vector spaces over a finite field. The goal of this paper is to introduce a more general approach on data rate reduction based on group theory. We will show that the classical vector space approach is just a specialization of the theory presented here, since vector spaces are just a special type of groups. However, since groups are more general than vector spaces, the theory presented in this paper allows one to create new coding procedures that cannot be described as linear combinations in suitable vector spaces. Note that the only hypothesis required is that the groups involved have a finite number of elements, and in particular, it is not required that the groups are commutative.

Although the application that motivated this work was rate reduction for P2P streaming, we will show that the theory presented here has a wider application range and it allows, for example, the construction of systems that counteract poisoning attacks [7] or allow secret sharing [8, 9].

This paper is organized as follows: in Section 2, we introduce a formalism for group-based reduction schemes (GBRS), in Section 3, we study the properties of GBRS; in Section 4, we give some examples of GBRS that cannot be described with the vector space approach; in Section 5, we give the conclusions.

#### 2. Group-Based Reduction Schemes

Some P2P systems for multimedia streaming solve the problem of the limited bandwidth of residential users by uploading, instead of the whole content, some linear combinations (in a suitable finite field) of the data that constitute the content [1–3, 5]. The goal of this section is to introduce an alternative description of this type of “data reduction” procedures not based, as usual, on vector spaces but on group theory. In order to make the introduction of the group theory approach easier, we first introduce (in Section 2.1) a very general formalization of the reduction process that will be specialized in Section 2.2 to the desired group-based formalization.

For the sake of concreteness, we will refer to the peer-to-peer streaming application, but this does not prevent the application of the presented theory to other applicative contexts of network coding.

##### 2.1. Data Reduction Schemes

We will model the *content stream* to be transmitted as a sequence of *content symbols* belonging to a finite *content alphabet *. Each content symbol requires, clearly, per element. The idea for reducing the rate necessary for the uploaded stream is to map every content symbol to a *reduced symbol * belonging to a smaller alphabet. Since the alphabet of is smaller than , the number of bits required for will be smaller.

*Definition 1. *A reduction scheme is given via (i) a finite set and (ii) a set of reduction functions *, *indexed by and sharing the same domain (the content alphabet).

*Remark 1. **Note that no constraint is put on **. In a practical context, it is expected that each ** has smaller cardinality than **. *

A node with limited upload bandwidth chooses at startup a *reduction parameter *. Every time it receives a new content symbol , it reduces it by processing it with the reduction function correspondent to the chosen to obtain the *reduced symbol *
that is encoded with bits and sent to the other peers.

A node that wants to recover the original content symbol contacts peers, receives the corresponding reduced versions , , and recovers by solving the system
Intuitively, if is large enough, the peer can recover . A key concept that we will use in this paper is the concept of a reduction scheme that it is *-recoverable*. Informally, a scheme is -recoverable if every can be recovered by the knowledge of any set of different reduced versions.

*Definition 2 (-recoverable). *Let be a reduction scheme and define, for every set of different reduction parameters ,, , the function as
The reduction scheme will be said to be *-*recoverable if for every choice of different parameters , ,, function is injective.

The reduction scheme will be said to be *-*tight if it is -recoverable and for every choice of reduction parameters , ,, the corresponding function is *not* injective.

*Remark 2. *Note that in Definition 2, we require only to be *injective*, not* bijective*. That is, we *do not* require that system (2) have a solution for every choice of , (it could have none), but we require that *if a solution exists, then it is unique. *

The property of being -recoverable is very interesting for applicative purposes, since it allows each node to choose its parameter at random while granting (with large probability) the possibility of recovering the content , since the probability of having two nodes choosing the same value can be made as small as desired by choosing large enough. A reduction scheme that is -recoverable has also other interesting characteristics such as being resilient to data loss (if the node contacts peer, it can recover as soon as it receives reduced versions out of ), counteracting poisoning [7] (the node uses reduced versions to recover and uses the remaining to check for the correctness of the result [1]), and reducing jitter [10].

*Example 1 (Vandermonde reduction scheme). *In order to give a concrete example of the just described abstract model, it is worthwhile to show how the reduction approach in [1] can be adapted to the described setup. The approach in [1] maps a block of bits of the content stream in a column vector
where each belongs to the Galois field with elements . Each node chooses at start-up time an element and constructs the row vector
In order to produce the reduced version of vector , the node multiplies by to obtain . Value is sent to the other peers, and its transmission requires only bits instead of bits. Therefore, the required upload bandwidth is times smaller.

In order to recover , a node can ask for different values ,, and solve the linear system
Note that matrix in (6) is a Vandermonde matrix, and it is invertible as soon as all the values are different.

Reformulated with the language of the formalization presented here, we can say that the content alphabet is the set of -dimensional vectors with entries in ; that is, ; the reduction functions are parametrized by and are defined as
and, finally, for every .

Note that this reduction scheme is -tight.

##### 2.2. Group-Based Reduction Procedures

The setup described in Section 2.1 is very general. In order to simplify the study, it is worthwhile to restrict the model above by adding to it some structure. A structure that is quite powerful but still quite general to be applied in several cases of practical interest is the structure of *group*. In this paper, we need only basic notions and results of group theory. For the sake of completeness, Appendix A summarizes the concepts used in this paper, and a more detailed description can be found in the literature [11, 12].

In the following we will denote the group operation as a product and will use the symbol for the neutral element of a group. We will denote with the trivial group that contains only the neutral element. Group isomorphism will be denoted with . The ring of integers modulo will be denoted as .

*Definition 3. *A group-based reduction scheme (GBRS) is a reduction scheme , where *the content alphabet * and each reduced alphabet , are finite groups and each is a group epimorphism (that is, a surjective homomorphism). Note that there is no loss of generality in requiring that each is an epimorphism, since one can always replace with .

*Remark 3. *Note that the reduction scheme presented in Example 1 is a group-based reduction scheme, since and are groups (with respect to the sum) and maps are clearly group homomorphisms. We will see in Section 4 examples of group-based schemes that are not based on a vector space structure.

###### 2.2.1. Normalized Form

According to Definition 3, in order to specify a group-based scheme, one must specify the content group , the reduced groups , and the epimorphisms . These requirements can be simplified by exploiting the fundamental homomorphism theorem [11] that implies that can be written as where is the natural map associated with [11] and is an isomorphism. Since isomorphic groups are basically the same group, isomorphism does not have any practical consequences in our context, so we can restrict ourselves to the case where reduced alphabets are quotient groups , where is a normal subgroup of (the set of normal subgroups coincides with the set of subgroups that are kernel of some homomorphism [11]) and map is the natural map of in (i.e., , where is the coset of to which belongs) [11].

*Definition 4 (GBRS normalized form). *A group-based reduction scheme is said to be in normalized* form* if for every

(1) for some ,

(2) map is the natural map associated with .

Observe that in order to specify a GBRS in normalized form, it suffices to specify a set of normal subgroups of . With a minor abuse of language, we will use the term *reduction scheme* also for set *. *

With the normalized form, the reduced version of a content symbol is always a coset which can be considered as “ reduced modulo .” The group represents the “uncertainty” that one has about when it knows its reduced version : the smaller the cardinality of , the smaller the uncertainty about . If , no uncertainty is present, and is exactly known.

*Example 2. *It is worthwhile to describe the Vandermonde reduction scheme of Example 1 as a GBRS in normalized form. The kernel of map is the subspace of orthogonal to . The elements of the quotient group are translated versions of the subspace orthogonal to . Note that every coset of is uniquely identified by the value of the product , where is any element of coset (it is easy to see that the product does not depend on the chosen ).

Summarizing, value can be computed as follows: first is mapped to the coset to which it belongs, then any representative of the coset is left multiplied by . It is easy to verify that the latter step is an isomorphism from to . Therefore, in order to study the theoretical properties of the Vandermonde reduction scheme, one can replace each with the natural map .

#### 3. Properties of GBRS

In this section, we will study some properties of GBRS. First, in Section 3.1, we will derive conditions for the existence of a solution of system (2), and we will show that depending on the choice of the subgroups, system (2) could have no solution for some choice of the values . If a reduction scheme is such that some -ple of reduced values is not admissible, one expects that the -ple of reduced values that can be obtained has some redundancy within. This idea is further pursued in Section 3.1.2, where it is also shown that the redundancy can be used to counteract stream poisoning attacks [7].

The Vandermonde reduction scheme described in Example 1 is deeply linked with the secret sharing scheme of [13]. Actually, the secret sharing scheme of Shamir can be derived from the Vandermonde scheme by replacing some information data with random data. This idea is discussed in greater detail in Section 3.2, where it is shown how nonredundant reduction schemes (i.e., schemes such that (2) has always a solution for every -ple of reduced values) can be easily converted in secret sharing schemes.

##### 3.1. Reconstruction

As explained in Section 2.1, recovering the original content requires to solve system (2). In this section, we are going to study the reconstruction problem by showing that given two reduced versions and , one can combine them in order to get a “virtual” reduced version , reduced with respect to the smaller uncertainty group . Intuitively, by combining the virtual reduced version with other reduced versions, one can make the uncertainty group smaller and smaller until the original content symbol is recovered. In some sense, this corresponds to solving system (2) by means of an iterative approach: first, we determine the set of values of that satisfy the first two equations of (2), then we use the third equation to refine the solution, and so on until only one solution remains. The problem to be solved at the first step of the iterative algorithm can be formalized as follows.

*Problem 1. *Let and be normal subgroups of , and let and . Find all the such that and (or, equivalently, find the intersection ).

The following property gives an answer to Problem 1.

Property 1. *Let and be normal subgroups of , and let and . Let
**
be the set of content symbols that have and as reduced versions. *(1)* Set is not empty if and only if
or, equivalently, . Note that since chosen to represent .*(2)* if (10) is satisfied, set can be written as
where is any element of . In other words, is a coset of .*

*Proof. **Step 1 (If , then condition (10) holds). *Let . Since and , there must exist and such that
that implies , that is, (10).*Step 2 (If condition (10) holds, then ). *If , one can find and such that . It follows that . Since and , it follows that . Incidentally, note that if one knows how to decompose an element of into a product of an element of and an element of , this procedure allows to find a solution in .*Step 3 (If , then (11) holds). *Define homomorphism as and observe that , that is, is the inverse image of . Since is an homomorphism, it is known that (if ) is a coset of . The thesis will follow if one can prove that
Equation (13) can be proved by observing that if and only if (i.e., equivalent to ) and (i.e., equivalent to ).

Several remarks about Property 1 are in order.

*Remarks 3.1. *(1) Suppose system (2) has solution . Clearly, must necessarily belong to set (11) so that set (11) can be written as . It follows that (11) is the *reduced version of the solution ** with respect to group *. This implies that Property 1 can be applied to every step of the iterative algorithm outlined at the beginning of this section.

Note that the availability of an iterative algorithm that solves system (2) one equation at time can be interesting from an implementation point of view, since it allows to spread the computational burden over the time, updating the solution as soon as new data are received. Depending on the applicative context, this can be more convenient than waiting for all data to arrive before starting the reconstruction.

(2) Note that condition (10) poses a compatibility condition on the pair . Such a condition can, however, be trivially true if is equal to the whole group . If is a proper subset of , not every pair is admissible, and this, intuitively, implies that there is some redundancy in the pair . This aspect will be discussed more in detail in Section 3.1.2.

###### 3.1.1. The Reconstruction Problem and the Lattice of Normal Subgroups

Property 1 has a nice interpretation in the context of the lattice of the normal subgroups of (see Appendix B for a brief summary about lattices and [11] for a more detailed exposition). According to Property 1, the uncertainty group of the combined version is the greatest lower bound of and (i.e., their first common descendant on the lattice graph), while the group associated with constraint (10) is the smallest upper bound (i.e., their first common ancestor on the lattice graph).

*Example 3. *Figure 1 shows the lattice graph of the subspaces of , together with the subspaces involved in the Vandermonde reduction scheme. In the case of Figure 1, is implemented as the polynomials with coefficients in modulo .

Each node in Figure 1 is labeled with a basis of the space, and the elements of are represented as integer numbers in whose digits in the binary representation are the coefficients of the corresponding element of (e.g., 3 corresponds to ). The top node, labeled with , represents the whole space , while the bottom node, labeled with , represents the trivial space.

As explained in Example 2, the groups associated with the Vandermonde scheme are the -dimensional subspaces orthogonal to vectors of type (5). In Figure 1, these vector spaces are 2-dimensional and correspond to the four nodes marked with a bold circle. In order to obtain the intersection of two of the spaces associated with the Vandermonde scheme, one needs to find the first common descendant of the two spaces. By considering all the six different unordered pairs of spaces, one obtains the six one-dimensional spaces marked with bold hexagons in Figure 1.

Note that any triple of spaces has as common descendant the trivial space , coherently with the fact that the scheme is 3-recoverable. Moreover, any pair of spaces has as common ancestor, the whole space , coherently with the fact that system (6) is solvable for any vector of reduced values.

###### 3.1.2. Redundancy in a GBRS

It is worthwhile commenting about the meaning of constraint (10) in the context of network coding for peer-to-peer streaming. Remember that and represent two reduced versions received from two peers. According to Property 1, if and have been obtained by reducing the same content symbol , then and are “compatible” according to (10). If , constraint (10) is not trivial, and not all the pairs are valid.

Intuitively, this is very similar to the case when redundant bits are added to protect communications from errors. Actually, adding redundant bits to the information to be transmitted constrains the set of admissible sequences of bits, and if the received sequence does not satisfy the constraints induced by the redundant bits, the receiver can deduce that an error occurred. Here, similarly, if and do not satisfy (10), we can deduce that at least one reduced value must be incorrect. In Section 3.1.3, it is shown how it is possible to exploit this possibility to counteract poisoning attacks when network coding is used for streaming over peer-to-peer networks.

The idea that if , then some redundancy is present, is confirmed by the following result.

Property 2. *Let the notation be as in Property 1. The following equality holds:
*

*Proof. *Since is isomorphic to [11], it follows that
By exploiting (15), one can write

By taking the logarithms of (14) and reorganizing, one obtains Observe that the sum in parenthesis represents the number of bits that we used to receive the two reduced versions, while the last term on the right-hand side of (17) can be interpreted as the number of bits necessary to describe the result of the combination of the two reduced versions. It follows that their difference can be interpreted as the “redundancy” of the system in the sense that it is the difference between the number of bits spent and the number of bits that we got after the combination. Note that if (the case when condition (10) is always verified), then the last term of (17) is zero; that is, no redundancy is added.

*Definition 5. *Scheme will be said to be nonredundant if for every choice of different , such that , then .

*Example 4. *Consider the case of the Vandermonde reduction scheme. In this case, and are two spaces, of dimension , orthogonal, respectively, to vectors and . The intersection is the space of the vectors that are orthogonal to *both * and , and, as known, it has dimension . In the Vandermonde scheme, product is the vector space sum . Since spaces and have dimension , their sum has dimension (that corresponds to the no redundancy case ) unless the two spaces coincide. Therefore, the Vandermonde scheme has no redundancy.

We will introduce in the following a reduction scheme based on the Chinese remainder theorem (CRT) that allows for the introduction of redundancy.

###### 3.1.3. Counteracting Stream Poisoning

One important security threat in P2P streaming is the *stream poisoning attack* where a node sends wrong packets on the P2P network with the objective of disrupting the communication [7]. A reduction-based approach can help counteracting this attack. The idea is very simple: if the reduction scheme is -recoverable, a node asks data to peers, uses reduced versions to recover the content, and then uses the remaining reduced versions to check the correctness of the result; by the knowledge of which tests fail, it is possible to spot who tried the attack [1] (if all the tests fail, it means that a corrupted value was used in the reconstruction process; the node can retry the tests using a different subset of in the reconstruction step). It is possible to show that this test is robust against a coordinated attack of at most peers [1].

A drawback of the test above is that one needs to recover first the content symbol and then do the test. If, by chance, a corrupted value is used in the reconstruction process, the node needs to try the reconstruction again. It would be more efficient if the node was able to spot the corrupted data *before* doing the reconstruction process.

This can be done by using a redundant scheme and exploiting Property 1 by checking (10) before attempting the reconstruction.

##### 3.2. Generalized Secret Sharing

Secret-sharing techniques allow one to share a secret among people with the constraint that (i) people, putting their information together, can recover the secret and (ii) people that put their information together cannot deduce *anything* about the secret [8, 13]. We will say that the scheme achieves *perfect secrecy*. Note that secret sharing is a problem very similar to the reduction problem described in this paper but with the additional constraint of (ii).

Actually, the Vandermonde reduction scheme described in Example 1 can be easily converted into the secret-sharing scheme described in [8, 13]. More precisely, suppose that the secret to be shared is represented by a value . The scheme of [13] builds vector in (4) by setting and choosing at random. Successively, reduced values are created and distributed among the participants. In order to recover the secret, one collects reduced versions, gets by solving (6), and takes the first component of the result. Note that taking the first component of is equivalent to right-multiplying by .

As said above, secret sharing has the additional constraint of perfect secrecy; that is, any set of participants cannot deduce anything about the secret. This can be easily verified by observing that does not belong to the space generated by any set of vectors of type , (note that ), and this implies that from the knowledge of reduced values, nothing can be inferred about the value of .

In this section we will show how the procedure used to convert the Vandermonde scheme into a secret sharing scheme can be generalized to any GBRS. Observe that the above described secret sharing procedure can be reformulated as follows: map the information to be shared into a vector belonging to the one-dimensional space generated by , successively add to a random vector belonging to the -dimensional space orthogonal to , and finally vector is processed with the reduction scheme. The fact that the intersection between and is trivial allows one to recover uniquely (and ) from .

In order to extend the secrete sharing scheme in the GBRS context, we need an *obfuscating subgroup * that will play the role of .

The generalized secret sharing scheme is the following: let be any set of representatives of ; we encode the information to be shared as an element , we draw at random and compute , then we apply the reduction scheme to . After recovering , one can obtain by applying , the natural map associated with , to . The only thing that remains to be checked is to verify when this scheme achieves perfect secrecy. Remember that a reduced value is a coset of a quotient group , where is a normal subgroup of . Let be the reduced version of , with a random element of . Our objective is to deduce some information about from the knowledge of . We will say that a value is *compatible with * if there are and such that , or, alternatively,
Note that if is *not* compatible with , then we obtain some information about the secret value, since we know that the secret *cannot* be . Therefore, the scheme will achieve *perfect secrecy with reduction group * if every is compatible with for every .

*Remark 4. *From (18), it follows at once that is compatible with if and only if any other element of is compatible with . This implies that one can change the set of representatives without changing the secrecy characteristics of the scheme*. *

*Definition 6. *Let and be normal subgroups of . We say that perfect secrecy is achieved if for every , every is compatible with .

Property 3. *Let and be normal subgroups of . Perfect secrecy is achieved if and only if .*

*Proof. **If **, then perfect secrecy is achieved.* If , it is obvious that for every .*If **, then perfect secrecy is not achieved.* Suppose now that ; that is, there is that does not belong to . Observe that according to Remark 4, we can suppose without loss of generality, ; we will prove that is not compatible with . Indeed, if was compatible with , (18) would imply . Therefore, is not compatible with , and perfect secrecy is not achieved.

If condition is fulfilled, it is possible to prove that perfect secrecy is achieved even in a stronger, information theoretical sense. Indeed, although Property 3 claims that if , then any can be obtained from any information symbol , it could happen that the probability of obtaining from could depend on . In this case, an attacker could deduce from something about . The following result shows that this is not the case.

Property 4. *Let be a random variable assuming values in , and let be a random variables assuming values in and uniformly distributed. If , then for every ,
**
According to Property 4, , the reduced version of , is statistically independent on , and this implies that mutual information [14] is zero, so that an attacker cannot deduce anything about from .*

The proof of Property 4 is simplified by using the following lemma.

Lemma 1. *Let . If , cardinality does not depend on .*

*Proof. **Step 1 (If , then ). *This follows at once by observing that .*Step 2 ( If , then ). *This follows at once by observing that .

*Step 3 (*Since both and 0 are normal subgroups of , . It follows that every can be written as with and . By exploiting Steps 1 and 2 above, one deduces that

*for every*).*Proof of Property 4. *It is a simple verification

One can interpret Property 3 by saying that in order to have perfect secrecy, one must choose large enough so that, when combined with any that can result from the combining process, it generates the whole group . This is what is done in the secret sharing scheme based on the Vandermonde scheme. In this case, is a space of dimension that when combined with any nontrivial space resulting from the Vandermonde scheme, it generates the whole space .

Property 5. *Let be a nonredundant -recoverable reduction scheme with . Obfuscating group together with reduction scheme is a secret-sharing scheme that achieves perfect secrecy.*

*Proof. *Since scheme is not redundant, then we have, by definition, as soon as .

According to Property 5, constructing secret-sharing schemes that achieve perfect secrecy is simple as soon as one has a nonredundant scheme with enough subgroups: just use one of the subgroups as the obfuscating group.

#### 4. Examples of Alternative Reduction Schemes

In order to show the flexibility and the generality of the presented theory, in this section, we present some schemes that are not expressible as schemes based on vector spaces over finite fields. With respect to the Vandermonde scheme, the schemes presented here have the characteristic that they do not require arithmetic in finite fields but only ordinary integer arithmetic, and this, depending on the applicative context, could be interesting from a complexity point of view. Moreover, the redundancy of the schemes presented here can be easily adapted to the specific application requirements: low redundancy (or none at all) if efficiency is required and more redundancy if error protection is needed.

##### 4.1. CRT-Based Reduction Scheme

Let be mutually prime numbers (i.e., the greatest common divisor of and is 1), and let . We will consider the group of the integers modulo . Every subgroup of has the form , where divides . The reduction of with subgroup is . Note that since divides , coset does not depend on the representative chosen for .

Let us consider, as an example, the case . In this case, the content symbols are integers in the range , the reduction with subgroup is the usual reduction modulo , and Property 1 reduces itself to the Chinese remainder theorem. A reduction scheme based on the group is uniquely specified by giving a set of subgroups of .

Figure 2 shows the lattice of the subgroups of . Subgroup is labeled with in Figure 2; therefore, the bottom node of Figure 2 represents the trivial group , while the top node represents the content alphabet . By choosing the nodes marked with a star, one obtains a reduction scheme with no redundancy that enjoys the 4-reconstruction (tight) property, while choosing the node marked with a circle, one obtains a scheme that enjoys a 3-reconstruction property but not tight, since in some cases, only two reduced versions suffice. Moreover, the scheme associated with the circles is redundant, since the least upper bound of two nodes marked with circles is not the top node.

##### 4.2. Point Lattice Reduction Schemes

Let be a square matrix with integer entries with . The *point lattice* of base is the set obtained by taking *integer* linear combinations of the columns of ; that is,
(Typically, is called simply *lattice*; here we use the term *point lattice* in order to avoid confusion with the lattices introduced in Appendix B.) A point lattice is clearly a subgroup of . It is known [11, 15] that . Since is finite, it is a suitable group for building reduction schemes.

Consider, for example, the case where . It is easy to see that each class of can be uniquely identified by its representative belonging to the set . Such a representative can be encoded by using four bits: two bits per component. Note that each subgroup of has the form , where is an integer matrix such that has integer entries [15]. By exploiting the Hermite normal form theorem, it is possible to show that can be supposed without loss of generality in lower triangular form. If and are the diagonal elements of , it is easy to check that every class of can be uniquely identified by its representative belonging to the set . Since must divide , we are granted that both and must be powers of two, making the binary representation of the representative trivial.

Figure 3 shows the lattice graph of the subgroups of . (The lattice graph of Figure 3 can be obtained by using the algorithm in [16].) As for the case of Figure 2, each node in Figure 3 is labeled with the corresponding matrix; therefore, the top node corresponds to the content alphabet , while the bottom node corresponds to the trivial group .

Several choices for reduction schemes are possible.

(1) Use the two subgroups marked with full circles and the one marked with an empty circle. This gives a 2-tight scheme (the first common descendant of each pair of nodes is the node corresponding to ) without redundancy (the first common ancestor of each pair of nodes is the node corresponding to ).

If , represents the symbol to be reduced, it is easy to show that the reduction with respect to the subgroups shown in Figure 3 can be done as follows: Note that the result of each reduction in (23) requires two bits to be encoded, and this is coherent with the fact that this scheme is 2-tight and non redundant.

Note that reductions (23) do not require arithmetic in a Galois field but only normal integer arithmetic. This can be interesting from an implementation point of view.

(2) If the two subgroups marked with full circles and the one marked with the star are chosen, one obtains a scheme that is not 2-tight anymore, since, for example, node 2 and node 6 have as common descendant node 13. The scheme, however, is not redundant, since every pair of nodes has as common ancestor node 1.

(3) If the two subgroups marked with full circles and the ones marked with a triangle are chosen (nodes 6, 11, and 12) one obtains a redundant scheme, since nodes 6 and 12 have as common ancestor node 9.

*Remark 5. *It is worth observing that the scheme proposed here is *not to be confused* with lattice-based error correction codes proposed in the literature (see [17] for an introduction). Generally speaking, lattice-based error correction schemes exploits the “metric” properties of lattices that derive from the fact that a lattice is subset of . In our case, we use the lattice only as an abstract group and not as the subset of a metric space. This distinction can be made clearer by observing that if one in an error correction scheme replaces the lattice with another one, almost surely the properties of the error correction scheme will change; in our scheme, one can replace the lattice with any other isomorphic group, and the overall properties of the scheme *will not change. *

#### 5. Conclusions

This paper proposed a general framework for reduction schemes based on group theory. The new framework, while containing the vector space approach as a special case, allows to design schemes that cannot be modeled as linear codes. The properties of the GBRS have been analyzed, and it has also been shown how a GBRS can be used to prevent stream poisoning and how GBRS can be converted into a secret-sharing scheme achieving perfect secrecy. Examples of group-based schemes that cannot be described in the vector space framework have also been shown.

#### Appendices

#### A. Basic Concepts of Group Theory

In this paper, we are going to use some basic results and concepts from group theory. In order to make this paper as self-contained as possible, we recall here the main concepts used in this paper and refer the reader to the literature for more details [11].

If is a group and is a subgroup of , is said to be a *normal subgroup* of (and will write ) if for every and , it holds . If is a subgroup of , one can define their quotient as the set of the classes associated with the equivalence relation . If , one can give to the structure of a group by defining the group operation, as usual, by [11]. If is a subgroup of we will denote with the natural map associated with , that is, the map that associates with each the coset of to which belongs.

If and are subgroups of , we define It is known that if and are normal subgroups of , then is a normal subgroup of , and it is equal to [11].

#### B. Ordered Lattices

A structure that we will need in this paper is the *lattice* structure, a special type of partially ordered set.

*Definition 7. *A lattice is a partially ordered set in which any two elements have a least upper bound and a greatest lower bound [11].

Many algebraic structures are lattices. The simplest example is maybe the set of subsets of a given set ordered by inclusion. In this case, the least upper bound corresponds to set union, while the least lower bound corresponds to set intersection. Another example of lattice is given by natural numbers ordered by divisibility (i.e., if divides ). In this case, the least upper bound is the greatest common divisor, while the least lower bound corresponds is the least common multiple [11]. Here, we are interested in the lattice of *normal subgroups* of a given group. It is possible to show that the set of normal subgroups of is a lattice, with set inclusion as the relation order, and that the least upper bound of and is , while the greatest lower bound is .

##### B.1. Lattice Graph

Finite lattices have a useful graphic representation exploiting the idea of *covering*. We say that * covers * if “ is immediately above ;” that is, if and there exists no such that . We can represent the order relation by creating an oriented graph whose nodes are the lattice points, and there is an edge going from to if covers . Since it is possible to show that in a finite lattice if and only if there exist a sequence of , such that (i) covers for every and (ii) , , it is easy to see that if and only if there is a path that goes from to . It is easy to verify that the least upper bound of and is the first common ancestor of and , while the greatest lower bound is the first common descendant.

Figure 4 shows two examples of lattice graphs. In Figure 4(a), one can see the graph of ordered by divisibility, while in Figure 4(b), one can see the graph of the subsets of . It is common to draw the graph representing a lattice in order to have the edges always going from top to bottom.

**(a)**

**(b)**