Abstract
We show in an experiment a covert transmission of QPSK and 64-QAM over up to 100km of SSMF, digitally encrypted with spectral phase mask, buried under ASE noise with negative −15 dB/0.1nm OSNR. We record a post-FEC error free BER for a stealthy channel, at 16 Gbps on a single polarization.
© 2018 Optical Society of America under the terms of the OSA Open Access Publishing Agreement
1. Introduction
Data privacy and confidentiality are among the top priorities of enterprise networks operators, carriers and service providers. Physical layer (PHY) security threats and attacks appear frequently, require constant monitoring, defense, and mitigation of attack impacts. Today, most of the security solutions are implemented in the upper layers of the open systems interconnection (OSI) model. However, the security approaches in these layers are limited by both the processing speed of electronic circuits and the capacity of the optical networks. Furthermore, in the standard digital encryption techniques, metadata remains unencrypted and might be used by an adversary for eliciting sensitive information on the users by data mining techniques [1].
In order to ensure secured transmission, various approaches for PHY security were suggested [2]. Quantum encryption utilizes the fact that measurements perturb quantum systems. In quantum key distribution (QKD) [3] protocols, the key exchange process is information-theoretic secured, however, the data is encrypted in a conventional digital format, based on this key. Another approach to be mentioned is chaotic cryptography [4], which requires complicated hardware. Additional approach exploits the naturally broad spectrum of an amplified spontaneous emission (ASE) of an Erbium-doped fiber amplifier (EDFA) as the signal’s carrier with a very short coherence length, to provide high steganography [5]. Optical code division multiple access (OCDMA) based methods can also be used for secure transmission. In direct-sequence spread spectrum (DSSS) and OCDMA [6], the data is XOR-multiplied with fast time-varying chips to provide both spreading and encryption. Yet, they require hiding underneath a public channel.
A cost-effective approach, which incorporates both steganography and encryption of the physical layer has been recently proposed [6, 7] and demonstrated [8]. In this method, the spectral amplitude of the signal is spread wide by means of sampling to conceal its power spectral density (PSD) below the noise level. Additionally, two phase masks are used: A temporal mask is applied to flatten the signal’s PSD and to eliminate the DC peak in the spectrum. The second mask, a spectral phase mask (SPM) is applied to encrypt the signal in time domain, by transforming the transmitted symbols to a noise-like waveform. At the authorized receiver, the spectral replicas of the signal are folded to the baseband, in a coherent addition process. Whereas the spectral replicas of the noise are added incoherently, to be averaged to a low value. Therefore, the signal’s PSD is reconstructed and in turn, the signal to noise ratio (SNR) is improved. At the eavesdropper receiver, the sampling of the encrypted signal is done in an incoherent manner, i.e in a destructive way. Therefore, the phase information is lost and no real-time nor offline processing can be used to recover the destroyed information.
Contrary to DSSS and OCDMA approaches, in the demonstrated method, the spreading function is done by sampling, and the encryption by phase masks. Therefore, the encryption function is totally independent of the spreading operator, and can be chosen without orthogonality constrains. In addition, an arbitrary waveform is obtained in time domain, rather than chips. Follows, the signal is not recognized as bits but as a noise-like waveform.
In this work, we carry out a set of measurements in order to evaluate the expected system performance. We realized an experimental setup which includes stealthy and encrypted transmitter, receiver and the optical link. The first set of measurements incorporates a QPSK back-to-back transmission at varying stealthiness levels and bit-rates, up to negative OSNR of −15dB/0.1nm and 16Gbps, per single polarization. In this part, the detected SNR, the bit-error rate and the encryption processing gain where measured. Following, in order to realize a DCI scenario, we further extend the transmission distance to 100km and the constellation to 64-QAM, allowing the transmission of 3Gbps at OSNR of 5dB/0.1nm.
The rest of the paper is organized as follows. In Section 2, we present the encryption system, whereas in Section 3 the experimental setup and practical methods are described. The measured and analyzed data is given at Section 4. Finally, conclusions and summary are presented in Section 5.
2. The encryption system
2.1. Encryption by sampling and phase masks
In the demonstrated experiment, the transmitted data stream is separated to segments of symbols, , which are mapped to 64-QAM or QPSK in a few measurements sets. Subsequently, an -upsampler operator is applied on the symbols segment to create a block of samples. The upsampling operator is in turn responsible to replicate times the PSD of in the spectrum domain, this can be seen in the summation term, in Eq. (1). Afterwards, the Fourier transform of the upsampled symbol stream,, is encoded using a SPM, as follows:
where is the SPM and is the transfer function of the pulse shaping root-raised cosine (RRC) filter. The length of the SPM is the same as the block length, , corresponding to a spectral granularity of Hz, where is the digital to analog converter (DAC) sampling rate. The sampling operator is illustrated Fig. 1(a), for 16 spectral replicas, corresponding to . Due to the RRC filter, that rolls-off at 16GHz, only the eight replicas at the center of the double-sided spectrum are accounted. Each of the SPM elements, , is uniformly distributed in the range of as stated by:The inverse mask, , is later used as the decryption key. One should consider that before the SMP, the signal consists of sparse symbols, separated by zeroes, this can be seen in the blue curve in Fig. 1(b). The SPM uniformly distributes the energy of the sampled symbols in the time domain, making it stealth. The signal after the SPM is represented by the red curve, in Fig. 1(b).In order to provide the desired degree of stealthiness, an additive white Gaussian noise (AWGN) is deliberately added by optical means. Therefore, is attenuated and amplified after being transmitted. The detected and filtered ASE noise has a variance of is represented by and added to the received signal in Eq. (3).
The signal travels through an optical channel with a varying distance up to 100km, which includes a noise loading mechanism at the beginning and filters at its end. Then, the signal is detected in a coherent receiver and sampled by analog to digital converter (ADC). The sampled signal can be expressed as follows:
where is the phase noise term associated with the symbol, is the intermediate frequency arise from the frequency differences of the local oscillator (LO) and the transmitter’s laser, and are the chromatic dispersion (CD) and receiver impulse responses, respectively. Note that the transmitter’s response is excluded from Eq. (3) since it is pre-equalized at the transmitter. The pre-equalization has two-fold effect: maintaining the flatness of the signal’s PSD in the optical domain, in order to achieve maximum stealthiness. In addition, it preserves the white nature of the noise after detection and thus it allows one to obtain the theoretical processing gain.The authorized receiver recovers the signal and deciphers the encrypted symbols by means of real-time DSP. The DSP block implements standard coherent algorithm: IQ imbalance compensation, phase noise - carrier phase estimation (CPE) and IF cancellation, CD compensation and equalization for the electronic circuits response. During the decryption process a conjugate phase mask () is applied on the recovered analog and signal, and the signal is further sampled in order to enable a coherent addition of all the spectral replicas as follows:
where the upper summation term represents the signal’s term (denoted by ) and the lower term represents the noise term (denoted by ).While an eavesdropper is trying to detect the signal, he applies a wrong phase mask, thus, the summation of is done while each replica is multiplied with a different arbitrary spectral phase elements [6]. The signal is therefore built in a destructive way, via incoherent addition process.
2.2. Performance: quantitative analysis and measures
The ability of the authorized user to detect the covert signal relies on two principles: decryption and processing gain. In this subsection we quantitatively analyze the SNR performance of the authorized user. A set of measures is presented, and later compared with the experimental results at Section 4.
It is useful to define the SNR of the received “analog” signal at the authorized receiver, , after removing the SPM and before the coherent addition process. This SNR is achieved by one of the two following methods: calculating the SNR of the “analog” signal, as stated in Eq. (5). Alternatively, the same SNR is obtained by filtering the baseband replica, namely executing the summation in Eq. (5) over instead of over , essentially yielding the same SNR. Therefore, as given at Eq. (5) is considered as the SNR of a single replica detection, corresponding to a conventional two samples per symbol (SPS) transmission.
where and are the signal and the noise terms of the detected and recovered “analog” signal, before it is sampled. equals to the variance of the transmitted symbols, while assuming that the signal is normalize to the same variance at the receiver DSP. Additionally, is the variance of the noise over the entire spectrum of all the transmitted replicas. Considering Eq. (4), the SNR for the authorized user, after the coherent addition process, takes the following form:as the signal power is coherently added thus multiplied by while the noise power is incoherently added thus multiplied by .By comparing the SNR after the coherent addition as presented in Eq. (6) to the SNR of the “analog” recovered signal in Eq. (5), one can obtain the processing gain, as given below:
The processing gain of is proportional to the number of the coherently added replicas that exist within the available analog bandwidth. Since a RRC filter with two SPS is used, the BW is half of the signal’s digital bandwidth, therefore replicas are counted within the available analog bandwidth. The noise folding, shown at the lower term in Eq. (4), preserves the white Gaussian nature of the noise, thus the following bit error rate is derived:In addition, the resulting bit-rate per single polarization, , is given by:where is the DAC’s speed in [samp/sec] and is the order of the QAM constellation. Considering Eqs. (7) and (9), one can observe the intrinsic trade-off between the bit-rate and the processing gain, as the information capacity is conserved for a given constant bandwidth.3. Experimental Setup
The experimental setup is depicted in Fig. 2 and the hardware parameters are shown in Table 1. At the transmitter, offline DSP is used to generate encrypted and stealthy QPSK or 64-QAM symbols. In turn, a high-speed DAC is used to convert the uploaded samples to an analog signal. Subsequently, two RF amplifiers drive the in-phase (I) and quadrature (Q) components into a DP-MZM coherent transmitter, which its output is optically attenuated and amplified by EDFA to obtain a controlled ASE noise adjustment. The expected analog SNR () is given as follows [9]:
where is the signal’s double-side bandwidth and PER is polarization extinction ratio, corresponding to the intensity of the transmitted polarization which is aligned to the receiver axis. For of 32 GHz, and PER of 80%, the experimental ratio is: . It should be noted that Eq. (10) holds for the regime where the ASE is the dominant noise mechanism. Using this ratio, one can compare the detected analog SNR to the observed OSNR, and thus confirm the reliability of the receiver and the signal recovery DSP.At this stage, the optical signal is both encrypted and buried under the ASE noise. An example of typical encrypted and stealthy signal, with negative OSNR of −15 dB/0.1nm, is shown in Fig. 3. The signal is combined with a public channel separated by 200GHz, and both channels propagate through SSMF. To evaluate the actual performance of an optically routed system, the signal passes through arrayed waveguide grating (AWG) multiplexer before it is amplified. In such way, the signal experiences a narrowband optical filtering before it loaded with ASE. This scenario considered more challenging in terms of noise enhancement in the receiver side [10].
At the receiver side, a sequence of two bandpass optical filters (BPFs), interleaved with an EDFA, is added before the integrated coherent receiver (ICR). The amplifier is aimed to enhanced the receiver sensitivity by adjusting the optical input power to the correct level. The first BPF selects the desired WDM channel while the second BPF is used to avoid the saturation of the amplifier and the ICR by discarding unnecessary ASE. The ICR is then used to convert the optical signal into I and Q orthogonal components. Subsequently, the analog I and Q signals are digitized and buffered using ADC. The received samples are processed offline to correct the system impairments and decipher the information bits.
4. Measurement Results
The optical spectrum of the encrypted and stealthy signal is presented in Fig. 3(a). The inset shows a zoom-in of the encrypted and stealthy signal at −15 dB/0.1nm OSNR, demonstrating that the signal is totally buried under the ASE noise. Figure 3(b) presents the BER of the decoded symbols versus the SNR of the authorized user, for both the theoretical prediction and actual measurements, indicating good agreement between the two cases.
The processing gain of the authorized user is presented in Fig. 4(a), by plotting the analog SNR versus the improved SNR after sampling. Each of the dashed curves represents different bandwidth of a single replica, corresponding to different upsampling factors () of Eq. (7). The lower group of solid line curves represents the measured SNR for single replica which is the classical non-encrypted QPSK transmission case. A black solid line obeys the linear SNR-OSNR relation stated in Eq. (10). It is observed that all the continuous curves coincide with the theoretical black solid line as expected, up to a saturation level starting at 5dB/0.1nm OSNR.
Additionally, the vertical gaps between the dashed and continuous curves on Fig. 4(a) represent the processing gain of the decryption. For example, the dashed versus continuous blue curves (125MHz) is associated with processing gain of 256. Indeed, it is demonstrated that 24 dB gain is achieved between the continuous blue (single replica case) and the dashed blue (the analog double side band of 32GHz accommodates 256 replicas of 125MHz). It should be noted that there is a tradeoff between the processing gain and the bit-rate (according to Eq. (9)).
Constellation diagram and eye diagram as received by the eavesdropper with arbitrary phase mask are shown in Figs. 4(b.1) and 4(b.2), respectively. Similarly, same measurements as received by the authorized user with correct phase mask, are shown in Figs. 4(b.3) and 4(b.4).
Figures 5(a)–5(c) shows the authorized user constellation diagrams taken after 100km transmission, with varying OSNR values of 28, 15 and 5 dB/0.1nm, respectively. In the 100km transmission case the DSP also includes CD compensation and coarse IF correction blocks. Therefore, SNR is approaching the theoretical limit, as can be seen in Fig. 4 where the theoretical analog SNR and the measured analog SNR coincide, and no saturation is observed. Consequently, the digital SNR is improved accordingly, approaching 32 dB.
5. Conclusions
We experimentally demonstrate an encrypted and stealthy end-to-end transmission system over 100km SSMF, using commercially available optical communication components. Even though the signal is fully buried under ASE noise and cannot be neither observed nor detected by an eavesdropper, it is successfully detected by the authorized user with a pre-FEC BER of better than 1e-3.
Funding
Israel Innovation Authority, KAMIN grant (53362).
References and links
1. L. Xu, C. Jiang, J. Wang, J. Yuan, and Y. Ren, “Information Security in Big Data: Privacy and Data Mining,” IEEE Access 28(4), 1149–1176 (2014).
2. B. Wu, B. J. Shastri, P. Mittal, A. N. Tait, and P. R. Prucnal, “Optical signal processing and stealth transmission for privacy,” IEEE J-STSP 9(7), 1185–1194 (2015).
3. H. K. Lo, M. Curty, and K. Tamaki, “Secure quantum key distribution,” Nat. Photonics 8(8), 595–604 (2014). [CrossRef]
4. A. Argyris, D. Syvridis, L. Larger, V. Annovazzi-Lodi, P. Colet, I. Fischer, J. García-Ojalvo, C. R. Mirasso, L. Pesquera, and K. A. Shore, “Chaos-based communications at high bit rates using commercial fibre-optic links,” Nature 438(7066), 343–346 (2005). [CrossRef] [PubMed]
5. B. Wu, Z. Wang, Y. Tian, M. P. Fok, B. J. Shastri, D. R. Kanoff, and P. R. Prucnal, “Optical steganography based on amplified spontaneous emission noise,” Opt. Express 21(2), 2065–2071 (2013). [CrossRef] [PubMed]
6. T. Yeminy, D. Sadot, and Z. Zalevsky, “Spectral and temporal stealthy fiber-optic communication using sampling and phase encoding,” Opt. Express 19(21), 20182–20198 (2011). [CrossRef] [PubMed]
7. T. Yeminy, D. Sadot, and Z. Zalevsky, “Sampling impairments influence over fiber-optic signal decryption,” Opt. Commun. 291(15), 193–201 (2013). [CrossRef]
8. E. Wohlgemuth, T. Yeminy, D. Sadot, and Z. Zalevsky, “Experimental demonstration of encryption and steganography in optical fiber communications,” in Proceedings of European Conference of Optical Communications (ECOC, 2017).
9. R. J. Essiambre, G. Kramer, P. J. Winzer, G. J. Foschini, and B. Goebel, “Capacity Limits of Optical Fiber Networks,” J. Lightwave Technol. 28(4), 662–701 (2010). [CrossRef]
10. P. J. Winzer, A. H. Gnauck, C. R. Doerr, M. Magarini, and L. L. Buhl, “Spectrally Efficient Long-Haul Optical Networking Using 112-Gb/s Polarization-Multiplexed 16-QAM,” J. Lightwave Technol. 28(4), 547–556 (2010). [CrossRef]