## Abstract

We develop a spread-spectrum based approach to secure communications over existing fiber-optical networks. Secure transmission for a dedicated user is achieved by overlaying a covert channel onto a host channel in the existing active fiber link. The covert channel is optically encoded and temporally spread, and has average power below the noise floor in the fiber, which hides it from direct detection and thus allows for cryptographic and steganographic security capabilities. The presence of the host channel in the network provides an ad hoc security expansion and increases the difficulty for an eavesdropper to intercept and decode the secure signal.

© 2006 Optical Society of America

## 1. Introduction

Spread spectrum (SS) communication technology [1] has been used extensively in military radio communication and navigation systems in which covert operation is a major objective, as SS techniques allow low detectability of the transmitted signal by an unintended receiver and provide excellent robustness to interference. In these systems, low probability of interception is realized by spreading a user’s signal with a unique code, which transforms it into a noise-like signal of low power density. The SS signal is consequently cloaked within background noise, making it difficult for a hostile eavesdropper to detect and intercept. Communication privacy is ensured because the transmitted signal is hidden and, moreover, can only be recovered properly into the original signal if the receiver knows the same code.

With many of the advantages offered by SS techniques, spread spectrum systems were soon adopted for applications in wireless telephony systems to meet an ever-accelerating worldwide demand for mobile and personal portable communications. The use of SS code division multiple access (CDMA) permits asynchronous multiple access communication for a large population of users, thereby enabling higher bandwidth efficiency for a given wireless spectrum allocation. With these in mind, the SS CDMA technique was recently applied to optical communications [2–4] referred to as optical CDMA (OCDMA) with the aim of applying the advantages of SS to optical systems. It was also demonstrated that OCDMA could be supported by the spectral gaps between WDM channels if appropriate filters are used, thus allowing hybrid CDMA-WDM networks [see Fig. 1(a) and Fig. 1(b)] [5, 6].

In the present work, we exploit the security advantages offered by SS techniques for optical communications and develop an SS-based method for secure transmission over an existing public fiber-optical network. Secure transmission for a dedicated user is achieved by overlaying a covert signal onto a host channel in the existing active fiber link. The secure signal is encoded and temporally spread, and has average power below the noise floor in the communication channel, which hides it from direct detection. The underlying approach provides both enhanced cryptographic and steganographic [7] security, which inherently comes from the encryption and hiding of the signal.

Furthermore, the presence of the host channel in the network provides an ad hoc security enhancement and increases the difficulty for an eavesdropper to intercept and decode the secure signal, since any slight imperfection in the decoding scheme would cause the host signal to mask the secure signal that is to be detected. In contrast to the earlier work [5, 6] (see Fig. 1), the CDMA signal in our proposed technique occupies the exact bandwidth interval that carries most of the power of the host network; see Fig. 1(c).

In the present paper, we will analyze the performance of the proposed integrated network and show that by controlling the initial input power of the signal transmitted by the secure user and the code length (which determines the amount of time spreading) we can achieve a given BER (bit-error-rate) for the required level of performance.

The paper is organized as follows. In Section 2 we describe the configuration of the system and the underlying key technologies to achieve secure transmission. We develop the analytical description of the proposed system in Section 3 and compare it to the results of numerical simulations in Section 4. We illustrate the system performance in Section 5 and discuss the security of the proposed network in Section 6. Section 7 summarizes the main results of the paper.

## 2. The system

An overview of the configuration of the proposed system is illustrated in Fig. 2 with two channels shown: a single WDM channel employing OOK (on-off keying) for the host of the public network and a secure M-ary [8] (M=2) channel for the secure user. For simplicity, we consider only one WDM channel in the public network, where many users access the network via time division multiple access (TDMA). A similar analysis can easily be extended to multiple WDM channels. To increase the security of the “covert” channel, the secure signal has a frequency spectrum profile identical to that of the host channel, as described in Fig. 1(c). The secure signal is initially encoded and time spread by an OCDMA encoder and consequently becomes noise-like with low power density. The signals from both channels are independently coupled into the fiber-optical link, where noise from amplifiers due to spontaneous emission adds to the composite signal. In this illustrative example, the system provides dispersion compensation (using e.g. dispersion compensating fiber and/or other dispersion compensators). At the receiving end, a photoreceiver is used for data recovery for the user in the host channel, while a relevant decoder is additionally required for the secure user to recover the secure data. The OCDMA encoder/decoder consists of a coherent spectral phase encoder/decoder shown in Fig. 3, which follows the implementation of the pulse shaping technique [9]. The decoder is the same as the encoder with the phase mask replaced with its conjugate [4].

Note that the larger the number of chips in the phase mask, the longer the code length for encoding and the greater the spreading of the secure signal. A random phase assignment to the different Fourier components (“chips”) is preferred in order to maximize the security of the system.

## 3. Theoretical description

In this section, we develop the analytical description of the bit-error-rate (BER) in the proposed communication systems. We assume that the effect of dispersion is properly compensated and the effect of nonlinearity is negligible for small peak powers in our signals [4].

#### 3.1. Probability density function

The performance in both the host and secure channels is limited by the effective noise defined by the contributions due to amplified spontaneous emission and multi-access interference. While the former can be adequately represented by Gaussian white noise [10], the statistics of the latter are more complicated. However, if *C* is the number of chips in the phase mask of the SS encoder, in the limit when *C* >> 1, by virtue of the central limit theorem, the multi-access interference noise distribution (in both host and secure channels) approaches zero mean Gaussian with the spectrum defined by the original pulse [11, 12]. Figure 4 demonstrates the Gaussian distribution behavior of the real part of the encoded waveform.

The detected optical field amplitude *A* at location *R* and *S* for the host and secure channel shown in Fig. 3 is given by Eq. (1) where $\sqrt{P}$ denotes the signal amplitude, $\theta \in [-\pi, \pi]$ is the random phase and *n* is the complex noise amplitude characterized by zero mean Gaussian distribution.

In the case when a bit zero is sent in the host channel where OOK is employed, or when a secure bit is incorrectly decoded (constituting effective noise) due to a wrong code used in the secure channel (i.e. eavesdropper situation), *A* = *n*. The corresponding intensity probability density function (PDF) has a negative exponential distribution [13]:

where the average noise intensity $\bar{N}_0 = \langle |n|^2 \rangle$ and $n \in \{n^{host}, n^{eav}\}$ for the host and secure channel respectively. In order to compute the intensity PDF of a bit one in the host channel or a correctly decoded bit in the secure channel, we first rewrite and decompose the components of Eq. (1) into its real and imaginary parts with:

where $U = n_{\mathrm{Re}} + \sqrt{P}\cos(\theta)$ and $V = n_{\mathrm{Im}} + \sqrt{P}\sin(\theta)$. The noise components $n_{\mathrm{Re}}$ and $n_{\mathrm{Im}}$ are independent and identically Gaussian distributed with zero mean and standard deviation $\sqrt{\bar{N}_1/2}$, where $\bar{N}_1 = \langle |n|^2 \rangle = \langle |n_{\mathrm{Re}}|^2 + |n_{\mathrm{Im}}|^2 \rangle$ is the average noise intensity and $n \in \{n^{host}, n^{secure}\}$ for the host and secure channel respectively. Note that in this case the secure user noise component is no longer $n^{eav}$ due to correct decoding. The distribution functions of *U* and *V* are identical and can be calculated using the Gaussian distribution of the noise and uniform distribution of *θ*. E.g. the cumulative distribution function of *U* is given by:

By taking the derivative with respect to *u* in Eq. (4), the PDF $f_U(u)$ is given in Eq. (5a) and similarly the PDF $f_V(v)$ is given in Eq. (5b).

With Eq. (5a) and Eq. (5b), we can calculate the intensity PDF $I_1 = U^2 + V^2$ using:

$$= \int_{-\sqrt{I}}^{\sqrt{I}} \frac{e^{\frac{I+P-2\sqrt{P}v}{\bar{N}_1}}}{\bar{N}_1 \pi \sqrt{1-v^2}}\, dv$$

The PDF in Eq. (6) approaches Gaussian when *P* becomes large. The expressions for $\bar{N}_0$ and $\bar{N}_1$ for both secure and host users are obtained in the next subsection.

#### 3.2. Statistical description of the signal

In the secure channel, to encode a band-limited pulse *f(t)* which has a bandwidth *W* and arbitrary spectrum *F(ω)* (Fig. 5) with a phase mask of *C* chips, the spectrum of the pulse is divided into *C* equally spaced sections, each having a bandwidth of *Ω* = *W/C*. Each chip acquires an independent random phase $\phi_n \in [-\pi, \pi]$. The general expression for the encoded signal is given by:

where

and *rect*(*x*) = 1 for |*x*| ≤ 0.5 and equal to zero otherwise.

Equation (8) defines the frequency domain representation of the phase mask, which constitutes the code used by secure user. The number of chips *C* defines the code length.
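The spectral phase encoder and conjugate decoder described in Section 2 and in the chip description above can be exercised numerically; the following is an added example, not the authors' code. It assumes a flat (sinc-pulse) spectrum, and the chip count, sampling, powers and host delay are constructed values.

```python
import cmath
import math
import random

C = 64            # chips in the phase mask (code length); constructed value
S = 4             # frequency samples per chip; constructed value
N = C * S         # samples across the bandwidth W and across the time window

def random_mask(rng):
    """Independent random phase in [-pi, pi] for each of the C chips."""
    return [rng.uniform(-math.pi, math.pi) for _ in range(C)]

def flat_pulse(peak_power, delay=0):
    """Spectrum of a band-limited (sinc) pulse whose peak sits at time sample `delay`."""
    amp = math.sqrt(peak_power) / N
    return [amp * cmath.exp(-2j * math.pi * k * delay / N) for k in range(N)]

def phase_filter(spectrum, mask, conjugate=False):
    """Spectral phase encoder; with conjugate=True it is the matching decoder."""
    sign = -1.0 if conjugate else 1.0
    return [a * cmath.exp(1j * sign * mask[k // S]) for k, a in enumerate(spectrum)]

def intensity(spectrum):
    """|A(t)|^2 on N time samples, by direct inverse DFT (standard library only)."""
    twiddle = [cmath.exp(2j * math.pi * m / N) for m in range(N)]
    return [abs(sum(a * twiddle[(k * t) % N] for k, a in enumerate(spectrum))) ** 2
            for t in range(N)]

def run(seed=2006, p_secure=1.0, p_host=4.0, host_delay=24):
    """Secure and host components are kept separate so each can be inspected."""
    rng = random.Random(seed)
    code = random_mask(rng)      # the secure user's code
    wrong = random_mask(rng)     # a decoder that does not know the code
    secure_tx = phase_filter(flat_pulse(p_secure), code)   # encoded, time spread
    host_tx = flat_pulse(p_host, host_delay)               # OOK bit one, unencoded
    return {
        "secure_on_link": intensity(secure_tx),
        "host_on_link": intensity(host_tx),
        "secure_decoded": intensity(phase_filter(secure_tx, code, conjugate=True)),
        "host_decoded": intensity(phase_filter(host_tx, code, conjugate=True)),
        "secure_wrong_code": intensity(phase_filter(secure_tx, wrong, conjugate=True)),
    }

if __name__ == "__main__":
    for name, wave in run().items():
        peak = max(wave)
        print(f"{name:18s} peak={peak:.4f} at t={wave.index(peak):3d} "
              f"energy={sum(wave):.4f}")
```

Encoding leaves the pulse energy unchanged and only redistributes it in time, so the secure signal on the link has a low peak, while the decoder concentrates it again and spreads the host pulse instead.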

Since the noise amplitude for both bit zero and bit one in the host channel is equivalent, to compute its average noise intensity we define the noise amplitude $n^{host}(t)$ for the host channel as:

The noise amplitude in the host channel is composed of $q^{secure}(t)$ (the noise contributed by the secure user’s spread signal) and $q^{add}(t)$, the additive Gaussian noise present in the fiber. The average noise intensity $\langle N^{host}(t) \rangle$ in Eq. (9) is given by:

where $Q^{secure}(t) = |q^{secure}(t)|^2$ and $Q^{add}$ is the average additive Gaussian noise power coming from the optical amplifier.

To calculate $\langle Q^{secure}(t) \rangle$, we need to take into account the contributions from adjacent bits. In the general case, a sufficient number of neighboring slots should be included in $q^{secure}(t)$, which depends on the amount of spreading and the bit period of the secure user. In the case where spreading is limited to the nearest neighboring slots, the signal sent by the secure user is given by:

where $T_S$ is the bit period of the secure user, *θ’s* are the random phases between different time frames, *ψ’s* are random Bernoulli variables with mean 0.5 for the different code keying and the functional forms *h*( ) and *k*( ) represent the amplitude functions for the encoded bit 1 and bit 0 and are defined by Eq. (7–8).

The bit period $T_S$ is approximately on the order of the time spreading of the pulse, ~ *2π/Ω*. *Ω* is defined by *W/C*, where *W* is the pulse bandwidth and *C* is the number of chips in the phase mask. The random phases *θ’s* between different time frames are based on the assumption that the bit intervals are much longer than the coherence time of the laser. The functional form of *h*( ) and *k*( ) generally depends on the pulse spectrum used. The ensemble average of the intensity of Eq. (11) is given as:

Since the ensemble average of the encoded pulses will yield the same functional form we rewrite Eq. (12a) as:

We further take the time average of $\langle Q^{secure}(t) \rangle$ with respect to $T_S$ to account for the different positions of host signal under the secure time spread signal, hence Eq. (12b) becomes:

Finally, the average noise intensity of the host user is given by:

Following the same approach, we find the expressions for the noise amplitudes of secure user:

$n^{eav}(t)$ and $n^{secure}(t)$ are the noise amplitudes when incorrect and correct decoding takes place respectively. $q^{host}(t)$ is the effective noise from the spreading of the host signal during the decoding stage, $q^{incorrect}(t)$ is the effective noise originating from the secure user due to incorrect decoding and $q^{add}(t)$ is the same as before. We take the average of the noise intensities in Eqs. (15) and (16) and obtain:

To calculate $\langle Q^{host}(t) \rangle$, the time spread signal amplitude $q^{host}(t)$ of the host user after decoding is given by:

where *k* spans over adjacent slots to take into account neighboring contributions, *ψ’s* and *θ’s* have identical definitions as before, $T_H$ is the bit period of the host user and the function *h*( ) again represents the functional form of the spread signal amplitude of host user. As a result the ensemble average of the intensity is given as:

The expression for $\langle Q^{incorrect}(t) \rangle$ is given by the first component of Eq. (12b) i.e., the ensemble average of the intensity of encoded waveform:

Finally the time average values:

Eqs. (14) and Eqs. (22–23) provide the complete description of the average noise intensities in our system for both host and secure users. The theoretical analysis for them can be performed for any arbitrary pulse spectrum. In the specific case of the band-limited pulse with the spectrum shown in Fig. 6 (corresponding to the Sinc profile in the time domain $f(t) = \sqrt{P_0}\,\mathrm{Sinc}\left(\frac{Wt}{2}\right)$, where *Sinc(t)* = *Sin(t)/t*), we have:

where $P_S$ is the initial peak power of secure signal.

where $P_H$ is the initial peak power of host signal.

#### 3.3. Bit-error rate

By using Eqs. (2) and (6) the expression for BER is given as:

where $I_{th}$ is the optimal threshold power defined by:

The BER for host and secure user can be calculated accordingly by appropriate substitution of Eqs. (24–26) and $P = P_S$ or $P_H$. Eq. (27) can be used to compute the bit-error-rate of the system subject to different code lengths, amounts of additive noise in the fiber, and operating signal powers and bit rates between secure and host users.

## 4. Simulation results

We verify our theoretical analysis by comparing the theoretical PDFs with the results of the simulations of decoded signal power for both secure and host users shown in Fig. 7. To allow for enhanced security, random phase assignments in the phase mask are employed for the encoding of the secure user. The frequency spectrum profiles for both users are identical, and the signal detection for both channels is performed with their corresponding clock signals. The effect of dispersion is properly compensated and nonlinearity is assumed to be negligible. It can be seen that the simulation results fit almost perfectly with the underlying theoretical probability density functions.

## 5. System performance

This section illustrates the various features and advantages of the proposed system for secure transmission. Shown in Fig. 8(a) and Fig. 8(b) are the simulated waveforms found in various parts of the proposed system while secure communication is taking place. Once the secure signal S(t) passes through the encoder, it is time spread and becomes noise-like with much reduced intensity [S′(t) in Fig. 8(a)]. After propagation, the secure encoded signal (blue dashed line) appears similar to the noise component contributed by the amplifier (green). Moreover, the average power of the secure signal is much lower than the amplifier noise and as a consequence the secure signal is fully masked by the amplifier noise.

Figure 8(b) shows that for the standard power detector used in the host channel, the recovered signal [top panel in Fig. 8(b)] is similar to the initial input signal [top left panel in Fig. 8(a)]. In the secure channel however, when an appropriate decoder is used, the secure signal (dotted blue line) gets properly recovered, while the component of the host signal is forced to time spread and become noise-like with intensity much lower than the recovered signal [bottom right panels in Fig. 8(b)].

Figure 9 summarizes the results for the BER in four different scenarios. There, the “columns” [Fig. 9(a), Fig. 9(c) vs. Fig. 9(b), Fig. 9(d)] correspond to different levels of additive noise power (due to e.g. spontaneous emission in the EDFA) present in the network while the “rows” [Fig. 9(a), Fig. 9(b) vs. Fig. 9(c), Fig. 9(d)] correspond to different time spreading applied to the secure user. As follows from Fig. 9, there exists an operating point whereby both users would enjoy the same BER; its value can be reduced by increasing the time spreading in the secure channel (albeit at the price of the corresponding reduction of the bit rate in the secure channel). In the limit of large time spreading introduced by the secure encoder, the ultimate performance of the system would only be limited by the amount of additive noise present in the fiber.

A particularly important feature of the proposed system is its increased security. As this represents the most important aspect of the work presented, we shall discuss it in detail in the next section.

## 6. Communication security

Generally, the presence of a covert signal can be detected by 1) analysis of the spectrum, 2) monitoring of signal power and 3) statistical analysis of power fluctuations. Below we demonstrate that a direct attack by any of these methods will not allow detection of the secure signal in the proposed system.

#### 6.1. Analysis of spectrum

When an eavesdropper tries to confirm secure transmission by looking at the power spectrum shown in Fig. 10, the secure signal occupies the same spectrum as the host channel with much lower magnitude (comparable to the amplifier noise component). This makes it very difficult for an eavesdropper or the host user to find out whether secure transmission is indeed taking place. The use of a spectrum identical to that used in the public network is one of the major steganographic security advantages over [5, 6], where the use of appropriate filters may potentially allow the detection of secure signals.

#### 6.2. Monitoring of signal power

As illustrated in Fig. 8(b), an eavesdropper who intercepts the signal may attempt to “brute-force” the encoding using a tunable decoder to detect the secure signal. Since the public channel is present and occupies the same frequency spectrum as the secure signal, the eavesdropper cannot filter out the unwanted public signal. As a result, any imperfect decoding that comes from the brute-force approach will cause massive spreading of the host “public” signal (red line), which significantly “overwhelms” the secure component (blue) [see middle panel in Fig. 8(b)], hindering the determination of a correct code. The presence of the public channel increases the security of the secure channel by forcing the eavesdropper to suffer a lower SNR due to the extensive effective noise that comes from the spreading of public signals while decoding takes place.

#### 6.3. Statistical analysis of power fluctuations

A third method by which an eavesdropper can try to confirm secure transmission is to analyze the statistics of power fluctuations and look for inconsistencies in the underlying PDFs. Fig. 11 shows that the distributions of normalized power for the additive noise and the secure encoded signal are very similar, which prevents detection of active secure communication. The use of random encoding, especially with a large number of chips in the phase masks, ensures that the secure signal has statistics similar to those of the amplifier noise, which is always present in the network. As a result, the secure signal is by construction masked and avoids detection.

#### 6.4. Quantitative description

We further explore the security capabilities of the proposed system using the standard Q-factor [14] that describes the BER/SNR performance of a communication system (with the higher values of the Q-factor corresponding to better BER). Here we study the variation of the Q-factor with respect to the percentage of correct chips present in an imperfect decoder used by an eavesdropper.

The Q-factor is defined as

where ($I^{secure}$, $\sigma^{secure}$) and ($I^{eav}$, $\sigma^{eav}$) represent the mean and the standard deviation of the intensity from decoding using a pseudo correct phase mask (superscripted by *secure*) and a totally incorrect phase mask (superscripted by *eav*).

We assume that the eavesdropper tries to determine the code by using a tunable detector. In one possible strategy, the eavesdropper looks for an increase in the opening of the eye diagram as a function of the phase of a particular chip and hopes to identify its correct value in this way. The larger the contrast in the eye opening (or equivalently in the corresponding Q-factor) between the “correct” and “wrong” choices of the phase, the faster and more efficient such a search would be.

In Fig. 12 we plot the variation of the Q-factor with the fraction of the “chips” that the eavesdropper already identified, in two (otherwise equivalent) systems with (red) and without (blue) the public channel. As perfect refinement of each phase by the eavesdropper is not practically possible, in this simulation we assign a finite phase error to the “correct” chips (represented by the Gaussian random variable with the standard deviation 0.1 added to the actual phase value used by the encoder). The initial guess of the eavesdropper (the “incorrect” chips) is assumed to be chosen at random.

As expected, Fig. 12 demonstrates that in the presence of the public channel, there is a lower Q-factor. Since a lower Q-factor dictates a lower likelihood of detecting a correct bit, the decrease of the Q-factor implies security enhancement in the presence of the public channel. In addition, we observe a gentler slope when the public channel is present, representing a slow rate of increase in Q-factor with respect to % of correct chips present. As a result, it poses substantial difficulty to an eavesdropper who attempts to implement an iterative fine-tuning progressive search approach for determining a correct code to break the security of the system, since the improvement in Q is insufficient to justify a lock down on any specific phase code in a chip.
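A Monte Carlo sketch of this comparison, as an added example that is not the authors' simulation, shows how the host channel lowers the Q-factor available to a decoder whose mask is only partly correct. The Q-factor expression did not survive on this page, so the code assumes the common form (I_secure − I_eav)/(σ_secure + σ_eav). It also assumes one sample per chip at the decision instant, at most one host pulse per secure bit, and constructed power and noise values.

```python
import cmath
import math
import random

C = 64                        # chips in the phase mask; constructed value
P_SECURE, P_HOST = 1.0, 4.0   # peak powers; constructed values
N_ADD = 0.02                  # mean additive (amplifier) noise intensity; constructed
PHASE_ERR = 0.1               # std of the phase error on "correct" chips (from the text)

def random_mask(rng):
    return [rng.uniform(-math.pi, math.pi) for _ in range(C)]

def candidate_mask(code, fraction, rng):
    """First round(fraction*C) chips match the code up to a Gaussian error; rest random."""
    known = round(fraction * C)
    return [code[k] + rng.gauss(0.0, PHASE_ERR) if k < known
            else rng.uniform(-math.pi, math.pi) for k in range(C)]

def decoded_intensities(code, mask, host_present, rng, bits=1500):
    """Intensity at the decision instant for `bits` secure bits decoded with `mask`."""
    secure = math.sqrt(P_SECURE) / C * sum(
        cmath.exp(1j * (c - m)) for c, m in zip(code, mask))
    sigma = math.sqrt(N_ADD / 2.0)
    samples = []
    for _ in range(bits):
        field = secure + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))
        if host_present and rng.random() < 0.5:        # OOK host sends a one
            theta = rng.uniform(-math.pi, math.pi)     # host carrier phase
            beta = rng.uniform(-math.pi, math.pi)      # host timing, as phase per chip
            field += math.sqrt(P_HOST) / C * sum(
                cmath.exp(1j * (theta - m - k * beta)) for k, m in enumerate(mask))
        samples.append(abs(field) ** 2)
    return samples

def mean_std(xs):
    mu = sum(xs) / len(xs)
    return mu, math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))

def q_factor(fraction, host_present, seed=12):
    """Assumed form: (I_secure - I_eav) / (sigma_secure + sigma_eav)."""
    rng = random.Random(seed)
    code = random_mask(rng)
    wrong = random_mask(rng)                  # totally incorrect mask ("eav")
    partial = candidate_mask(code, fraction, rng)   # pseudo correct mask ("secure")
    i_sec, s_sec = mean_std(decoded_intensities(code, partial, host_present, rng))
    i_eav, s_eav = mean_std(decoded_intensities(code, wrong, host_present, rng))
    return (i_sec - i_eav) / (s_sec + s_eav)

def sweep(fractions=(0.0, 0.25, 0.5, 0.75, 1.0)):
    """Rows of (fraction of correct chips, Q without host, Q with host)."""
    return [(f, q_factor(f, False), q_factor(f, True)) for f in fractions]

if __name__ == "__main__":
    for f, q_alone, q_with_host in sweep():
        print(f"{f:4.2f}  no host Q={q_alone:6.2f}   with host Q={q_with_host:6.2f}")
```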

## 7. Conclusions

We have proposed and demonstrated a practical application of coherent spectral phase encoding to secure transmission over an existing public fiber-optical network with enhanced security and acceptable BER performance. The key technologies addressed here provide a powerful and attractive way to use the existing optical networks for highly secure communications.

## Acknowledgments

The authors would like to thank P. R. Prucnal and I. Glesk for valuable discussions.

## References and links

**1.** A. J. Viterbi, “Spread spectrum communications - myths and realities,” IEEE Commun. Mag. **17**, 11–18 (1979).

**2.** P. R. Prucnal, M. A. Santoro, and T. R. Fan, “Spread spectrum fiber-optic local area network using optical processing,” J. Lightwave Technol. **4**, 547 (1986).

**3.** J. Shah, “Optical CDMA,” Opt. Photon. Newslett. **14**, 42–47 (2003).

**4.** J. A. Salehi, A. M. Weiner, and J. P. Heritage, “Coherent ultrashort light pulse code-division multiple access communication systems,” J. Lightwave Technol. **8**, 478–491 (1990).

**5.** S. Galli, R. Menendez, P. Toliver, T. Banwell, J. Jackel, J. Young, and S. Etermad, “Experimental results on the simultaneous transmission of two 2.5 Gbps optical-CDMA channels and a 10 Gbps OOK channel within the same WDM window,” Proc. OFC 2005 OWB3.

**6.** S. Shen and A. M. Weiner, “Suppression of WDM interference for error-free detection of ultrashort-pulse CDMA signals in spectrally overlaid hybrid WDM-CDMA operation,” IEEE Photonics Technol Lett. **13**, 82–84 (2001).

**7.** Steganography defines the science of hiding information by embedding messages within other in such a way that no one apart from the intended recipient knows of the existence of the message.

**8.** E. E. Narimanov and B. B. Wu, “Advanced coding techniques for asynchronous fiber-optical CDMA,” Proc. CLEO 2005 JThE70.

**9.** A. M. Weiner, D. E. Leaird, J. S. Patel, and J. R. Wullert, “Programmable shaping of femtosecond optical pulses by use of a 128-element liquid crystal phase modulator,” IEEE J. Quantum Electron. **28**, 908–920 (1992).

**10.** E. Desurvire, *Erbium-Doped Fiber Amplifiers, Principles and Applications* (John Wiley & Sons, Inc., New York, 1994).

**11.** J. A. Salehi, A. M. Weiner, and J. P. Heritage, “Temporal and statistical analysis of ultrashort light pulse code-division multiple access communications network,” in Proceedings of IEEE Int. Conf. on Communications **2**, 728–733 (1989).

**12.** E. E. Narimanov, “Information capacity of nonlinear fiber-optical systems: fundamental limits and OCDMA performance,” in *Optical Code Division Multiple Access: Fundamentals and Applications*, P. R. Prucnal, ed. (CRC, 2005).

**13.** S. M. Ross, *Introduction To Probability Models 6th Edition* (Academic Press, 1997).

**14.** G. P. Agrawal, *Fiber-Optical Communication Systems 3rd Edition* (Wiley-Interscience, 2002).