# Osa optical encryption system with a binary key code

This invention is based upon work supported in part by U. Government has certain rights in the invention. The present invention relates generally to the provision of security or, more specifically, confidentiality for ultra high bandwidth optical communications over transparent wavelength-division multiplexed WDM networks.

Specifically, random noise on unused channels and varying the inter-code phases on realistic framing repetition are used to obtain an encryption scheme for adding confidentiality to communication transmitted over spectral-phase encoded optical code division multiplexing OCDM networks and for which it is possible to prove desirable security guarantees.

The problem of keeping data transmitted from a sender to a receiver confidential against an adversary acting as an eavesdropper can be solved using encryption schemes, hi a nutshell, a symmetric encryption scheme is a pair of algorithms: See Figure 1described below, depicting an associated model. The basic correctness requirement is that if the secret keys used by sender and receiver are the same, the clear data recovered by the receiver is precisely the one that was sent by the sender.

The basic security or, more precisely, confidentiality requirement is, informally speaking, that if the secret key used by sender and receiver is random and unknown to the adversary, then the adversary obtains no osa optical encryption system with a binary key code about the clear data from the encrypted data.

Note that the adversary is given full access to the encryption and decryption algorithm but no access to the associated secret key. Several stronger variations of this requirement are actually studied, where the adversary can mount more elaborated attacks, such as "chosen-message", and "chosen-ciphertext" attacks. Classic encryption schemes, developed until the 20 th century, where based on basic principles of "confusion" and "diffusion".

The first provable confidential scheme, the One- Time Pad, invented by Vernam in the early 's, and analyzed by Shannon in its pioneering works in the mid 's, was the first provable secure encryption scheme, but is today considered inefficient as a stand-alone scheme as it requires a number of random bits at least equal to the number of data bits. Modern encryption schemes use short e. Such schemes have limited provable osa optical encryption system with a binary key code properties but are widely believed to be secure and are thus employed in all applications.

Communication over OCDM-based networks allows a receiver to obtain data from multiple senders or from osa optical encryption system with a binary key code single sender using multiple parallel data streams.

A public encoding algorithm is used by the sender to simultaneously process these data streams, and a public decoding algorithm is used by the receiver to decode any single one of the sender's data streams.

The optical fiber physical conditions induce inter-code phase shifts on the data encoded by the sender, but such shifts are not changing the receiver's ability to obtain the sender's data. See Figure 2, described below, depicting an associated model. When no encryption procedure is performed, just as with conventional networks, an adversary acting as an eavesdropper can use the same receiver's algorithm to decode data and thus violate data confidentiality.

Prior techniques for providing security for ultra high bandwidth optical communications over WDM networks includes the use of conventional electronic digital encryption which is not readily scalable to very high data rates and is not robust to archival attack and spoofing.

Another prior technique is the use of Essex's phase scrambling of a single modulation broadened laser line which is not robust to known plain text KPT attack.

Such a scheme is described in S. The approach is based on the early proposal that scrambling of the phase of the combined aggregate of OCDM codes in use increases the search space beyond the osa optical encryption system with a binary key code of an exhaustive search attack. The present invention overcomes the limitations of the prior art by applying two coupled realistic and practical means ensuring robustness of OCDM-based security by obscurity against KPT attack, as defined for electronic encryption in the book by B.

First is introduction of the concept of "entropy" infusion by using random noise on some of the non-data carrying codes whose exact code assignments are shared but whose contents are not shared with or relevant to the receiving end. At the expense of reducing spectral efficiency, using other codes for random frameless noise decreases the ability to decipher the phase scrambler key.

However, a compromise can be achieved in order not to reduce the spectral efficiency below a useful transmission rate by introducing a parallel process: The invention will be more clearly understood when the following description is read in conjunction with the accompanying drawings. Figure 2 is a schematic block diagram depicting photonic unencrypted communication between a sender and a receiver.

Figure 3 is a schematic block diagram depicting photonic encrypted communication between a sender and a receiver. Figure 5 is a graphical representation of the variations of the **osa optical encryption system with a binary key code** of unknowns and knowns with n measurements of the optical fields at all frequency bins versus bits for different number of noise channels m and inter-channel phase change rate d.

However, this would significantly slow down the remarkable OCDM-network communication rates to those of conventional networks. Furthermore, one would need one such system for each data stream. Instead, we use "all-optical techniques" to design and deploy encryption schemes over OCDM- based networks, so to simultaneously obtain in a single solution the best of both worlds: An architecture model that can be used as a starting reference model to achieve this goal is depicted in Figure 3, described below.

Here, note that, in addition to using an encryption algorithm, the sender also uses osa optical encryption system with a binary key code scheduling algorithm that combines material from the secret key and from the data stream into multiple parallel pseudo-data streams, which play a role analogue to the multiple data streams in the architecture depicted in Figure 2.

In practice, the scheduling algorithm is required to be as simple as possible. In this model, the basic correctness requirement is a natural adaptation of the correctness requirement in the model in Figure 1: Similarly, the confidentiality requirement in this model is also an adaptation of the analogue requirement in the model in Figure 1. If the secret key used by sender and receiver is random and unknown to the adversary, then the adversary obtains no information about the clear data from the encrypted data.

Here, note that the adversary **osa optical encryption system with a binary key code** given full access to the scheduling, encryption and decryption algorithm, but not to the associated secret key. The stronger variations of this requirement, i. Furthermore, while the model in Figure 3 only considers the case of a single data stream from the sender, we note that it can be extended into a model that allows multiple concurrent data streams as well.

Finally, note that Figure 4 depicts a system with a specific realization of the scheduling, encryption and decryption algorithms from the class of methods in Figure 3. Figure 1 is a block diagram of digital encryption with an encryption algorithmtaking as input a data stream and a key streamand returning a ciphertext stream that maybe eavesdropped by the adversary, and a decryption algorithmtaking as input the ciphertext stream returned by the encryption algorithm and a key streamand returning a data stream that would osa optical encryption system with a binary key code equal to the data streamlO4 input to the encryption algorithm Figure 2 is a block diagram of photonic unencrypted communication between a sender and a receiverwith an encoding algorithmtaking as input multiple data osa optical encryption system with a binary key code, andand returning an encoded stream affected by intercode phase shiftsand a decoding algorithmtaking as input the encoded stream returned by the encoding algorithm, and returning any data stream that would be equal to a data stream input to the encoding algorithm.

Figure 3 is a block diagram depicting photonic encrypted communication between a osa optical encryption system with a binary key code and a receiverwhich extends Figure 2 by replacing the encoding resp. Referring to the figures and to Figure 4 in particular, there is shown a schematic representation of the synchronous OCDM system with n orthogonal codes each used to encode an independent channel where m channels shown in round coders are carrying frameless noise streams and n-m channels shown as octagons are carrying real data.

After adjusting their intercode optical phase shifts using an inline phase modulatorassociated with **osa optical encryption system with a binary key code** respective channel, before the coded signals are synchronously combined in the n: The scrambler is a coder representing a diagonal matrix that changes the relative phases of the n frequency bins inp phase step settings. In addition, a monomial matrix can be used to permute the frequency assigned to the code osa optical encryption system with a binary key code implemented in the encoders and decoders as is known in the art.

Alternatively, the combined effects of the diagonal and monomial matrices can be directly implemented osa optical encryption system with a binary key code the codes established in the encoders and decoders. The combined orthogonal matrix identifies the set of codes in use, some of which are carrying data in the general case when not all the codes are in use.

In the following, the effect of the diagonal and the diagonal plus monomial matrices are both referred as the scrambler key and for simplicity, in the main embodiment of description here, we will just consider the scrambling via the diagonal matrix. The scrambler key is shared with the receiving end of system and is unknown to the eavesdropper tapping the transmission and osa optical encryption system with a binary key code of its short length the key can be updated at will using a secure key distribution method.

At the receiving end of the system the descrambler performs the opposite role to the scrambler using key before the l: The noise- carrying channels are ignored and the data-carrying channels are decoded. Note that the relative intercode optical phase shifts are useful in masking the transmission against an eavesdropper but are not necessary for the receiver to successfully decrypt the transmission.

The KPT attack described in Goldberg supra posits an eavesdropper making n simultaneous noise- free analog measurements of the optical electric field at each of the n wavelengths comprising the OCDM signal and further assumes the eavesdropper has complete knowledge of the set of the orthogonal codes in use and the data impressed on each of those codes KPT at the precise moment of the field measurement.

The eavesdropper is only unaware of the n scrambler phases assumed binary and fixed or the n-l inter-code phase differences assuming the inter-code phasing change completely between successive parallel measurements. With repeated measurements, the eavesdropper can accumulate sufficient information about the system to determine the values of the scrambler phase settings, the key. In the following, a threefold approach 1 prevents full knowledge of the plain text in use: The system design is based on the following two techniques that add unshared entropy to the system.

First, out of a total of n streams entering into the ml combiner in Figure 4, a set of m random frameless noise streams is imposed thus effectively leaving n-m streams dedicated to data transmission. Both techniques are built on top of previously explored techniques, such as orthogonal coding, and scrambling via a random monomial matrix. As a result of combining all these techniques, the only randomness shared between sender and receiver is the nonzero content of the random scrambling diagonal times monomial code matrix.

At a osa optical encryption system with a binary key code level, our encryption algorithm can be seen as follows: Accordingly, the decryption algorithm will crucially use decoding via the matching orthogonal codes to recover the data stream. In a main embodiment of this invention, we define an optical symmetric encryption scheme as a triple Schedule,OpEncrypt,OpDecrypt with the following syntax and properties.

Let i denote time, let k denote the fixed-length key that is shared by both sender and receiver, and let r t denote the frameless noise random stream that is used by the sender and not shared with the receiver. The details of how k is shared by sender and receiver are left arbitrary and are up to the encryption scheme's application scenario; we only assume that all bits in k axe uniformly and independently distributed. On input a plaintext data stream m tthe key k, and the random stream r tthe optical scheduling function Schedule returns n pseudo-data streams deo i.

On input the optical ciphertext signal s t and the key k, the optical decrypting function OpDecrypt returns a stream m ' t t or a special symbol, indicating failure in decoding. We say that the optical scheme Schedule,OpEncrypt,OpDecrypt is correct if for any time t, it holds that with probability 1 the stream m 'ft decrypted by the receiver is equal to the plaintext stream m twhere stream m ' t is obtained as in the following steps, associated with the functioning of the optical communication scheme:.

The above steps can be intuitively described as follows: Finally, we only need to describe the algorithms Schedule, OpEncrypt, OpDecrypt to complete the description of this scheme. We first describe osa optical encryption system with a binary key code this scheme achieves reliable optical communication; i.

Then this scheme uses they-th row resp. Given these inputs, this function returns data stream m ' tcomputed as follows. Finally, the next bit on the 7-th pseudo-data stream, fox j-1, In particular, note that this holds regardless of the value of phi j t. When eavesdropping the ciphertext signal s tan adversary can apply optical 'beat detection' techniques to recover a per- wavelength decomposition of the ciphertext signal.

This follows precisely from the randomness of such bits on the pseudo-data streams, which implies a similar group operation between the vector of signs of the inter-code phase shifts and the vector of random pseudo-data bits.

As a consequence of these observations, the eavesdropper's task is that of solving a linear system with knowns i. The eavesdropper's goal is that of gradually reducing the amount of entropy in the systems, and thus the number of unknowns, by increasing the measured quantities. Examples are shown in Figure 5, where the "unknown" and "known" lines are depicted versus the number of sampling measurements made by the eavesdropper; it should be noted that the unknown line always starts above the known line, but whether the unknowns line remains above the known lines thus guaranteeing security within the search space of the codes crucially depends on the parameter values.

In particular, consider the center panel in Figure 5, where the number of unknowns grows equally to the number of knowns and thus the number of unknowns is always larger than the number of knowns. This implies that the eavesdropper never learns about the content of the scrambling matrix. Even if the adversary can afford a chosen-message- attack meaning that it can see encryptions of messages of its choice and later is successful if it learns which among two chosen messages was encrypted by the systemor a chosen- cipher-text CCT attack meaning that it can see decryptions of even adaptively chosen cipher-texts and later is osa optical encryption system with a binary key code if it learns which among two chosen messages was decrypted by the systemthe adversary learns no information at all in an information- theoretic sense about the content of the scrambling matrix.

At best, the adversary can learn all of the m random streams and the dynamically changing inter-code phase shifts, which are random and thus meaningless to the adversary. This combination of shared randomness the scrambling matrix and unshared randomness the random streams and the dynamically changing inter-code phase shifts represent an unusual novel design approach, in that no previous encryption algorithm in the electronic or optical domain shared these features. In addition, the size of the key being only on the order of n, makes key distribution, the expensive part of current digital encryption, quite affordable.

As usual, increased security comes with a loss of spectral efficiency. In a first alternative embodiment of the invention, the random diagonal matrix containing the values for the shared key is further multiplied by a random monomial matrix i.

For such scheme, the amount of global randomness in the system only increases to 4 random bits per data bit. In a third alternative embodiment of the invention, a scheme with an arbitrary rate d for update of intercode phase shifts can be achieved by an appropriate generalization of the scheme described in the main embodiment of this invention. In a fourth alternative embodiment of the invention, the following realistic scenario e. The above system is modified by careful scheduling of the 5B header and 48B payload for the ATM format.

We analyze the security of the resulting system in this scenario by further assuming that the header is completely known and the payload is completely unknown to the adversary during its attack.