English, VIII+126 pages [135], 2013
Coding and Cryptography Synergy for a Robust Communication
Dr.-Ing. habil. Nataša Živić, Universität Siegen
Oldenbourg Verlag München
Editing: Johannes Breimeier. Production: Tina Bonertz. Cover image: shutterstock.com. Cover design: hauser lacour.
Bibliographic information of the Deutsche Nationalbibliothek: the Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available on the Internet at http://dnb.dnb.de.
Library of Congress Cataloging-in-Publication Data: A CIP catalog record for this book has been applied for at the Library of Congress.
This work is protected by copyright. All rights arising from it, in particular those of translation, reprinting, recitation, extraction of figures and tables, broadcasting, microfilming or reproduction by other means, and storage in data processing systems, are reserved, even where only excerpts are used. Reproduction of this work or of parts of it, even in individual cases, is permitted only within the limits of the statutory provisions of the Copyright Act in its currently applicable version. It is in principle subject to a fee. Violations are subject to the penal provisions of copyright law.
© 2013 Oldenbourg Wissenschaftsverlag GmbH, Rosenheimer Straße 143, 81671 München, Deutschland, www.degruyter.com/oldenbourg. A company of De Gruyter. Printed in Germany. This paper is age-resistant according to DIN/ISO 9706.
ISBN 978-3-486-75212-0 eISBN 978-3-486-78126-7
Abstract Noisy channels are very often used for digital communications. Messages are protected more and more by cryptographic checksums against manipulation. Most of the modifications caused by transmission can be corrected using methods of channel coding, but there are always messages protected by cryptographic checksums which could not be corrected. These messages cannot be used because they are untrustworthy. This thesis gives an overview of the possibilities for the transmission of cryptographically protected messages over noisy channels. It covers known mechanisms which generate error tolerant message authentication codes, but it focuses on methods that use the cryptographic redundancy added for data integrity and authentication for message correction. State-of-the-art channel decoding techniques are used, which deliver reliability values (soft values) for every bit. The method of correction using iterative bit inversion by exploitation of the reliability values can be expanded to many areas of communication technologies. This method will be used in this work for the correction of miscorrections of Reed-Solomon decoders as well as for the communication protocols of WiMAX and Hybrid ARQ. Finally, hard verification of cryptographic checksums, which requires their correctness, will be extended to soft verification, accepting cryptographic checksums that are almost correct. This can be compared to the daily-life situation in which a handwritten signature is always slightly different, but is accepted as long as the difference to a signature stored as a reference is under a given threshold. There is a risk that this soft verification method causes wrong decisions: it can be used by attackers trying to generate near collisions. Therefore a security analysis is performed, which considers the risk of forgery attacks and the probability of wrong decisions. The reduction of information security can be compensated by extending the length of the cryptographic checksums.
Nevertheless, there is a significant coding gain achieved by soft verification resulting in the acceptance of many messages, which would have been rejected as untrustworthy without this method. If it is not sure that a message is correct because of the choice of system parameters, a soft value is assigned to the message, which expresses the trust in the bits of this message. Therefore, soft verification, which is based on the soft output of the channel decoder, can be integrated transparently into the decoder sequence between the channel and source decoder. This book provides a contribution to the improvement of the robustness of data communications.
Table of Contents
Abstract ..... V
1 Introduction ..... 1
2 Fundamentals ..... 5
2.1 Components of a Transmission System ..... 5
2.2 Message Authentication Codes ..... 8
2.2.1 General ..... 8
2.2.2 Generation using a symmetric Block Cipher ..... 11
2.2.3 Generation using a Dedicated Hash Function ..... 12
2.2.4 Security Aspects of Message Authentication Codes ..... 13
2.2.5 Message Authentication Codes and Digital Signatures ..... 15
2.3 Channel Coding ..... 16
2.3.1 Reed-Solomon Codes ..... 16
2.3.2 Convolutional and Turbo Codes ..... 19
2.3.3 Soft Input Soft Output Decoding ..... 21
2.3.4 Concatenated Codes ..... 22
2.4 Joint Source and Channel Coding ..... 24
3 Related Work ..... 27
3.1 Channel Coding with Bit Inversion ..... 27
3.2 Error tolerant Cryptographic Checksums ..... 29
3.3 Authentication over Noisy Channels ..... 32
4 Soft Input Hard Verification ..... 33
4.1 Correction by Iterative Bit Inversion ..... 33
4.2 Security Aspects of Soft Input Hard Verification ..... 37
4.3 Correction Improvement by Interleaving and Feedback ..... 39
4.4 Correction by Insertion of Known Bits ..... 44
5 Applications of Soft Input Bit Inversion ..... 47
5.1 Correction of Reed-Solomon Decoding Errors ..... 47
5.2 HARQ IBF Algorithm ..... 51
5.3 N-Channel STOP and WAIT Protocol of WiMAX ..... 53
5.4 Enhanced Packet Combining over HYBRID-ARQ ..... 56
5.5 Error Correcting and Weighted Noise Tolerant Message Authentication Codes ..... 58
6 Soft Verification of the Message Authentication Codes ..... 61
6.1 Soft Verification versus Hard Verification ..... 61
6.2 Soft Input Soft Verification ..... 61
6.3 Calculation of the Threshold ..... 65
6.3.1 Probability Distribution Function of the Hamming Distance ..... 65
6.3.2 Analysis of the Hamming Distance and the Threshold ..... 71
6.3.3 Simulative Specification of the Threshold ..... 81
6.4 Verification Gain ..... 84
7 Security Aspects of Soft Input Soft Verification ..... 89
7.1 Forgery Attacks ..... 89
7.1.1 Birthday Paradox for Near Collisions ..... 89
7.1.2 Compensation of the Reduced Complexity of a Forgery Attack ..... 92
7.2 Wrong Decisions ..... 94
7.2.1 Probability of a Wrong Decision ..... 94
7.2.2 Compensation of the Increased Probability of Wrong Decision ..... 98
7.3 Total Compensation ..... 100
7.4 Selection of the Algorithmic Parameters ..... 105
8 Soft Output of Soft Input Soft Verification ..... 109
9 Applications of Soft Input Soft Verification ..... 113
10 Summary and Future Work ..... 115
Epilogue ..... 117
Works Cited ..... 119
List of Abbreviations ..... 125
1
Introduction
Source coding and channel coding are standard components of transmission systems, and cryptography is used more and more in today's communication systems. Source coding uses the statistical characteristics of the source data to increase the efficiency of the transfer of the source data, i.e. to remove the source redundancy. Channel coding adds redundancy for the recognition and correction of errors that occur during the transmission over a channel. Cryptography is applied in order to guarantee secure information transmission, e.g. for protection against eavesdropping, manipulation of messages or forging the identity of the communication partner or of the data origin. The security services are specified in the Security Architecture [ISO/IEC 7498-2] of the ISO reference model. This book investigates the transmission of messages, which are protected by cryptographic checksums, over a noisy channel. Cryptographic checksums or Cryptographic Check Values (CCV) are calculated using symmetric encryption algorithms, key-controlled hash functions or asymmetric cryptographic mechanisms. Standardized mechanisms for assuring data integrity are given in [ISO/IEC 9797] [Rul93] and for digital signatures in [ISO/IEC 15946-2] [ISO/IEC 14888] [Rul93]. It is assumed that Forward Error Correction (FEC) without a repeat mechanism (Automatic Repeat Request, ARQ) is used. Such situations are typical for real-time applications, satellite and space communications or communication over very noisy transmission systems, in which repetitions are erroneous with a high probability as well. This is often the case in wireless communications. The generation of cryptographic checksums usually takes place after the source coding and before the channel coding. Consequently, the verification of the cryptographic checksums takes place after the channel decoding and before the source decoding (Fig. 1-1).
The cooperation between the source and channel coding is known as “Joint Source and Channel Coding” [Mas78] and enables better coding results for the transmitted information compared to the situation that source and channel coding are handled as separate parts of the system.
Figure 1-1: Communication system with cryptographic mechanism (sender: Source → Source Coding → Generation of Cryptographic Checksum → Channel Coding → Line Coding → Channel; receiver: Line Decoding → Channel Decoding → Verification of Cryptographic Checksum → Source Decoding → Sink)
In spite of the use of error-correcting channel codes, a residual error rate will remain after the channel decoding, which leads to the fact that the verification of the cryptographic checksums can fail. It is often neither possible nor rational to repeat the message. Examples were mentioned above. The message is useless in case of an error, since it cannot be trusted, because it is not guaranteed that this message is the original one. For that reason, new algorithms are desirable, which can correct the residual errors and enable a successful verification of the secured messages in cases where the message was not manipulated by attackers. Such algorithms exploit the cooperation between the components of the receiver, especially between the cryptographic mechanisms and channel decoding, as well as between the cryptographic mechanisms and source decoding. The algorithms that will be presented are based on the one hand on modern techniques of line and channel coding and on the other hand on the avalanche effect, which is a property of cryptographic mechanisms. Today's transmission techniques use SISO (Soft Input Soft Output) decoders at the receiver [Gietaltt03] [LiCo04]. They provide a reliability value for each decoded bit, stating with which probability the bit was "1" or "0" before transmission. The verification process can be extended using these probabilities, and the residual erroneous bits of the secured message can be corrected in many cases. In this way, it is possible to verify the corrected message, and the verified message can then be forwarded and processed. The avalanche effect means that after every change of the input of a cryptographic mechanism, on average 50% of the output (e.g. an encrypted message or a cryptographic checksum) changes. This change of about 50% of the output already occurs after the change of a single bit. The concept "Joint Channel Coding and Cryptography" was presented in [Ziv08]. This concept is developed further here and provides new possibilities for the cooperation of channel coding and cryptographic mechanisms, in order to improve the robustness of cryptographic mechanisms, but also to increase the quality of the channel coding.
This enables the provision of a considerably increased number of successfully verified messages to the next component of the communication system: the source decoding. The security level of these messages can be calculated exactly. The architecture aimed at in this book is based on an extended forward and backward information exchange between all neighbouring decoding components of the receiver, which is presented as "Joint Source and Channel Coding and Cryptography". The feedbacks between the source and channel decoding (and back to line decoding), which are interrupted by the introduction of cryptographic mechanisms on the receiver side, should be restored by new techniques of cryptographic checksum verification: the source decoder does not notice whether its input comes directly from the channel decoder or from the cryptographic verification process, and returns its feedback information; the channel decoder receives feedback information in the same way as it would even without a cryptographic mechanism. Fig. 1-2 presents this situation of transparent integration of the cryptographic mechanisms on the sender side and the receiver side.
Figure 1-2: Communication system with feedbacks (sender: Source → Source Coding → Generation of Cryptographic Checksum → Channel Coding → Line Coding → Channel; receiver: Line Decoding → Channel Decoding → Verification of Cryptographic Checksum → Source Decoding → Sink, with feedbacks between the receiver's decoding components)
The presented methods are implemented, and their behaviour is described using simulation results. If the results can be calculated analytically, they are compared with simulation results. The noisy transmission channel is simulated, and the algorithms are implemented, e.g. the coding and decoding algorithms of the channel coding and the cryptographic mechanisms. Chapter 2 provides some basic techniques that are helpful for further understanding. This also includes an overview of the security properties of message authentication codes, since the security aspects of the new algorithms in the later chapters are analysed on their basis. In Chapter 2 it becomes clear that the field of "Cryptography over Noisy Channels" requires a joint consideration of telecommunications, information security and cryptography. Chapter 3 presents studies that are also related to the process of generating cryptographically secured messages for transmission over noisy channels. There are error tolerant algorithms which provide error tolerant message authentication by changing the sender side, and those that support error tolerant authentication on the receiver side. The algorithms of Soft Input Decryption originally published in [Ziv08], which enable the correction of the cryptographic checksums, are presented in Chapter 4, along with further developed variants of these techniques. Chapter 5 describes various applications of the techniques described in Chapter 4 for improving decoding and the efficiency of communication protocols. The technique presented in Chapter 4, which is referred to in the following as Soft Input Hard Verification, is expanded in Chapter 6 to Soft Input Soft Verification, providing an additional improvement of the correction rate – but in the first approach at the cost of cryptographic security.
Chapter 7 is dedicated to the security properties of soft verification, to the reduction of the security level as well as the compensation of this reduction in order to assure the expected level of security – with simultaneous improvement of the correction rate. Chapter 8 defines soft output. It is a first approach to quantitatively express "Trust", i.e. "Reliability", which should lead to a new theory of trust. This theory makes it possible to achieve the desired architecture shown in Fig. 1-2. The remaining chapters describe possible applications, provide a summary and give an overview of the need for future research. Starting from Chapter 4, all algorithms use soft input and evaluate the reliability information, in order to correct cryptographic and non-cryptographic checksums by iterative algorithms and to successfully verify those which could not be verified without soft input. No additional redundancy is used; instead, only the existing redundancies of communication and security protocols are used in combination. These algorithms have the following in common: soft input is the basis for a "hard" or "soft" verification. In general, they can be summarized under the expression "Soft Input Verification". The objective of this book is not merely the presentation of new research results, but a general presentation of the current situation of the use of cryptographic checksums, especially message authentication codes, over noisy channels.
2
Fundamentals
2.1
Components of a Transmission System
The typical scheme of a transmission system is shown in Fig. 2-1 and includes the source and three coding components at the sender side, the noisy channel and three decoding components and the sink at the receiver side.
Figure 2-1: Model of a transmission system with coding aspects (Source → Source Coding → Channel Coding → Line Coding → Channel → Line Decoding → Channel Decoding → Source Decoding → Sink)
The source can be a person, a computer or device, which generates source information in any form (continuous or discrete, analogue or digital), any content (text, TV signals, music, speech, photos, etc.) and wishes to transmit it. The source encoder converts the source information into a bit sequence, the so-called information sequence, after the source redundancy has been removed using statistical characteristics of the source information. In the case that the source information is analogue, the source encoder includes an analogue/digital converter. An ideal source encoder fulfils the following criteria [LiCo04]:
– the number of bits at the output of the source encoder should be minimal, and
– the source information can be uniquely reconstructed from the information sequence.
The channel encoder transforms the information sequence of the source encoder into the discrete coded sequence – the so-called codewords. A codeword consists of a binary sequence. The task of the channel encoder is to add redundancy to the information sequence of the source encoder for error recognition and, if possible, error correction at the receiver. The line encoder adjusts the coded sequence or codewords to transmission over the noisy channel. Transmission over the channel can be baseband or broadband. Transmission over the channel can be wired (coaxial or optical cable, twisted pairs, etc.) or wireless (mobile telephony, radio, microwave, satellite transmission, etc.). Transmission errors always occur due to the imperfection of the channel and they depend on the type of channel. There are several types of channels that are used in communications theory for channel simulations. The most frequently used one is the AWGN (Additive White Gaussian Noise) channel, possibly taking into account Rayleigh fading and/or Rice fading in wireless and mobile communications [Pro02]. In the case of the AWGN channel, which serves for the simulations in this book, the noise n(t) is added to the channel input y(t), depending on the time t ("Additive Noise"), so that the channel output y′(t) is:

$$y'(t) = y(t) + n(t) \qquad (2\text{-}1)$$
An extension of the channel simulations to take fading into consideration is possible, but it is not an essential aspect of the following channel simulations, hence the restriction to the AWGN channel. In case BPSK (Binary Phase Shift Keying) modulation is used as line coding, the binary values 0 and 1 are modulated with a sin/cos function by two phases of e.g. 0° and 180°, whereby e.g. 0° is interpreted as binary 0 and 180° as binary 1. The phases of 0° and 180° correspond to the signal states y(t) = ±1. Bits 0 and 1 are therefore line coded as +1 and −1. The probability of the output value y′ using the AWGN channel and BPSK modulation is:

$$p(y' \mid y = +1) = \frac{1}{\sqrt{2\pi\sigma^2}}\, e^{-\frac{(y'-1)^2}{2\sigma^2}} \qquad (2\text{-}2)$$

$$p(y' \mid y = -1) = \frac{1}{\sqrt{2\pi\sigma^2}}\, e^{-\frac{(y'+1)^2}{2\sigma^2}} \qquad (2\text{-}3)$$
The power of the alternating part of the noise is σ². Since the Spectral Density Function (SDF) of the AWGN is the same over the entire frequency spectrum (Fig. 2-2), the noise is called "white noise", by analogy with the spectrum of white light. Since there is no channel with infinite bandwidth, the noise is, in practice, always band limited. If B is the bandwidth of the channel, σ² can be calculated as:

$$\sigma^2 = \frac{N_0}{2} \cdot 2B = N_0 B, \qquad -B \le f \le B \qquad (2\text{-}4)$$

whereby N0 is the unilateral spectral power density of the noise, measured in W/Hz.
Figure 2-2: Spectral density function (SDF) of the noise (constant value N0/2 over the frequency range −B ≤ f ≤ B)
The signal-noise-ratio (SNR or S/N) is a measure of a signal disturbance.
Since, in practice, channel coding and multilevel modulation are often used for transmission, whereby several bits are transmitted in a single transmission step, it is more appropriate to use Eb/N0 instead of S/N if, for example, the efficiency of channel codes has to be compared:

$$\mathrm{SNR} = 10 \log \frac{E_s}{N_0}, \qquad \frac{E_b}{N_0} = \frac{1}{R \cdot M} \cdot \frac{E_s}{N_0} \qquad (2\text{-}5)$$

whereby Eb is the energy per bit, Es the energy of the signal, R the code rate and M the number of modulated bits per transmission step (e.g. M = 2 for QPSK). The Bit Error Rate (BER) is the probability that an output bit behind the channel or a decoder component is erroneous, i.e. the ratio of the number of erroneous output bits to the number of transmitted bits. Since there are several decoder components, it has to be indicated to which decoder component of the receiver the bit error rate refers (see Fig. 2-1). The Symbol Error Rate (SER) is the probability that a symbol, consisting of several bits, is erroneous, i.e. the ratio of the number of erroneous symbols to the number of transmitted symbols. It also has to be indicated to which decoder component of the receiver the symbol error rate refers (see Fig. 2-1). In case the bits are erroneous randomly and independently of each other, the word error probability W, that a word of length w contains i errors, becomes:

$$W = \binom{w}{i} \mathrm{BER}^{\,i} \,(1 - \mathrm{BER})^{\,w-i} \qquad (2\text{-}6)$$
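The following block is an added example (not code from the book) that carries Eqs. (2-1) to (2-6) through in a simulation: BPSK line coding, an AWGN channel, the likelihoods of (2-2)/(2-3) turned into a per-bit reliability value (the log-likelihood ratio), hard decisions, the measured BER against its closed form, and the word error probability of (2-6). The helper names and the discrete-time convention Es = 1, σ² = N0/2 are assumptions of the example.

```python
"""BPSK over an AWGN channel: soft values, hard decisions, BER and
word error probability, following Eqs. (2-1) to (2-6).  Added example;
function names and the Es = 1, sigma^2 = N0/2 convention are assumptions."""
import math
import random


def noise_variance(eb_n0_db: float, code_rate: float = 1.0, bits_per_symbol: int = 1) -> float:
    """sigma^2 for unit symbol energy Es = 1.  Eq. (2-5) gives
    Es/N0 = R * M * Eb/N0; with Es = 1 the discrete-time noise variance
    is sigma^2 = N0 / 2 = 1 / (2 * Es/N0)  (simulation convention)."""
    eb_n0 = 10 ** (eb_n0_db / 10)
    es_n0 = code_rate * bits_per_symbol * eb_n0
    return 1.0 / (2.0 * es_n0)


def bpsk_modulate(bits):
    """Line coding as in Chap. 2.1: bit 0 -> +1, bit 1 -> -1."""
    return [1.0 if b == 0 else -1.0 for b in bits]


def awgn(symbols, sigma2, rng):
    """Eq. (2-1): y'(t) = y(t) + n(t) with n ~ N(0, sigma^2)."""
    sd = math.sqrt(sigma2)
    return [y + rng.gauss(0.0, sd) for y in symbols]


def likelihoods(y_prime, sigma2):
    """Eqs. (2-2) and (2-3): p(y' | y = +1) and p(y' | y = -1)."""
    norm = 1.0 / math.sqrt(2 * math.pi * sigma2)
    p_plus = norm * math.exp(-(y_prime - 1) ** 2 / (2 * sigma2))
    p_minus = norm * math.exp(-(y_prime + 1) ** 2 / (2 * sigma2))
    return p_plus, p_minus


def soft_value(y_prime, sigma2):
    """Reliability value of one received bit: ln(p(y'|+1) / p(y'|-1)).
    The Gaussian terms cancel to 2 y' / sigma^2; the sign is the hard
    decision (positive -> bit 0), the magnitude the reliability."""
    return 2.0 * y_prime / sigma2


def hard_decision(llr):
    return 0 if llr >= 0 else 1


def word_error_prob(w, i, ber):
    """Eq. (2-6): probability that a w-bit word contains exactly i errors."""
    return math.comb(w, i) * ber ** i * (1 - ber) ** (w - i)


def theoretical_ber(sigma2):
    """Uncoded BPSK hard-decision BER: P(n > 1) = Q(1/sigma)."""
    return 0.5 * math.erfc(1.0 / math.sqrt(2.0 * sigma2))


def simulate(eb_n0_db, n_bits=200_000, seed=1):
    """Measured BER of hard decisions on the soft values (constructed,
    pseudo-random source bits; fixed seed for reproducibility)."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    sigma2 = noise_variance(eb_n0_db)
    received = awgn(bpsk_modulate(bits), sigma2, rng)
    decided = [hard_decision(soft_value(y, sigma2)) for y in received]
    errors = sum(a != b for a, b in zip(bits, decided))
    return errors / n_bits


if __name__ == "__main__":
    for db in (0.0, 2.0, 4.0, 6.0):
        s2 = noise_variance(db)
        print(f"Eb/N0 = {db:.0f} dB  sigma^2 = {s2:.3f}  "
              f"BER sim = {simulate(db):.4f}  BER theory = {theoretical_ber(s2):.4f}")
    # probability that a 64-bit word survives error-free at 4 dB, Eq. (2-6)
    print("P(0 errors in 64 bits @4dB) =", word_error_prob(64, 0, theoretical_ber(noise_variance(4.0))))
```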
The line decoder receives a noisy or distorted version of the signal sent over the channel. The task of the line decoder is to reconstruct the input of the line encoder as precisely as possible. If the output of the line decoder consists of bits, it is a so-called “hard decision” line decoder. A “soft decision” line decoder, however, outputs a real number for each bit, which corresponds to the observed signal state at the input of the line decoder, e.g. the signal state 0.1 will not be assigned to bit 0 (BPSK assumed) but the value 0.1 will be output, since the signal state 0.1 can also be a result of a signal disturbance of a negative signal state. A “hard decision” and assignment to bit 0 would therefore be an incorrect decision with a certain probability. A “soft decision”, i.e. a real number thus contains the line decoder’s information about the signal state. This knowledge is forwarded to the channel decoder. The channel decoder uses the redundancy added by the channel encoder in order to reconstruct the information sequence of the source encoder. Even in the case of the channel decoder, a distinction is made between hard decision and soft decision, since the channel decoder can also make possibly incorrect decisions. The “hard output” channel decoder emits an information sequence in the form of bits. A “soft output” channel decoder assigns a soft value to each bit of an information sequence. This describes the reliability of the decision, whether each bit is 0 or 1. Additional details follow in Chap. 2.3.3. The source decoder converts the information sequence into the original data. In the case that the original information was analogue, the source decoder assumes the role of a digital/analogue converter which approximates the analogue form of the source signal as closely as possible. Recently, feedbacks between and within the components of the receiver have become significant, since they improve the results of the transmission system:
– feedback from the channel decoding to the line decoding improves the results of the equalisation and the synchronisation [Bar02]
– feedback within the channel decoding by iterative correction of the erroneous bits significantly reduces the BER and is used e.g. in the decoding of turbo codes (see Chap. 2.3.3) [Beetalt93]
– feedback from the source decoding to the channel decoding improves the coding gain and is known as Joint Source and Channel Coding (see Chap. 2.4) [Adetalt02] [DuKi09].
The feedbacks mentioned are shown in Fig. 2-3.
Figure 2-3: Transmission system with feedbacks at the receiver (Source → Source Coding → Channel Coding → Line Coding → Channel → Line Decoding → Channel Decoding → Source Decoding → Sink, with the feedbacks listed above between the receiver's decoding components)
2.2
Message Authentication Codes
2.2.1
General
Message Authentication Codes (MACs) are a cryptographic security mechanism that provides the security services data integrity and data origin authentication [Rul93]. Intentional and unintentional changes of the data during transmission are recognised. The receiver can check whether the data received come from the sender from which it was expected, i.e. with which it exchanged a secret key. Therefore, the sender and receiver share a secret key. A cryptographic checksum is attached to the data to be sent. This is called the Message Authentication Code and it is calculated using the secret symmetric key. Message Authentication Codes have been in standard use in the field of banking for several years. Recently, however, they have also been increasingly used in wireless transmission systems and in the field of industry. The MAC function, which is calculated over the message M of any length m, is a symmetric cryptographic function CCF (Cryptographic Check Function), and the result of this function is a MAC of a fixed length n, n ≤ m, which is referred to as a CCV (Cryptographic Check Value): CCF (M) = CCV. The reduction of m bit of the input to n bit of the output results in the fact that different messages may produce the same MAC.
Figure 2-4: MAC mechanism (Message and Secret key → MAC Function → MAC; Message and MAC are sent over the Noisy Channel)
If one also wants to check the sequence and completeness of a sequence of messages, the message will be given a time-variant parameter (MID, Message IDentifier) before the calculation of the MAC, e.g. sequential number or time stamp.
Figure 2-5: MAC mechanism providing the correctness of sequence (MID, Message and Secret key → MAC Function → MAC)
One-Way-Property The term one-way-property means that it is easy to calculate the Message Authentication Code MAC for a message M: MAC = CCF (M)
(2-7)
but it must be difficult to find a Message M′ ≠ M for a given MAC with: MAC = CCF (M′).
(2-8)
Collision Resistance The one-way-property does not suffice under security aspects. It is expanded to the property of collision resistance: it should be difficult to find any messages M and M′, such that CCF (M) = CCF (M′)
(2-9)
Should there be a pair of messages M and M′ with this property, there is an (external) collision (on internal and external collisions, see Chap. 2.2.4). Difficult message finding means that it is practically impossible to find a solution within limited time, limited computing effort and memory and other operating resources.
Random Oracle The calculation of the Message Authentication Codes behaves like a random function: For each input, the output looks like a random number to an observer. The output is independent of all inputs that occurred before and cannot be predicted on the basis of all previously known input-output pairs; the probability of occurrence of each output value is the same. In this case one speaks of a random oracle. The CCF (Cryptographic Check Function/MAC calculation) has the property of the avalanche effect [Feetalt00] [HaTa95] and meets the Strict Avalanche Criterion (SAC) [For90] [WeTa86]. Avalanche effect means that the Hamming distance between the output values of two different input values is a binomial random variable with the parameters (n, 0.5). Therefore, the probability that two MACs of the length n differ in d bits is:
$$P_d = \binom{n}{d} \cdot 2^{-n} \qquad (2\text{-}10)$$
The Strict Avalanche Criterion (SAC) means: if the input changes, each output bit will be inverted with the probability of 0.5. For that reason, it is expected that on average 50% of the bits of the Message Authentication Code change if the input changes. There are various standard options for calculating the MAC:
– using a symmetric block cipher [ISO/IEC 9797-1]
– using a hash function, e.g. SHA 256 or RIPE MD 160, with initialisation by a symmetric secret key [ISO/IEC 9797-2]
– using a universal hash function, also initialised by a symmetric secret key [ISO/IEC 9797-3]
The receiver gets the possibly modified message M′ and the possibly modified MAC′. For verification it calculates the MAC′′ of the received message using the secret key and compares this calculated MAC′′ with the received MAC′. If both checksums are identical, the receiver knows that the data were not modified and come from the sender in possession of the shared secret key (Fig. 2-6).
Figure 2-6: Verification of the MAC at the receiver (Message M′ and Secret key, received over the Noisy Channel together with MAC′, → MAC Function → MAC′′; if MAC′ = MAC′′ the verification is successful, otherwise unsuccessful)
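The following block is an added example (not the book's code) that makes the avalanche effect of Eq. (2-10) and the hard verification of Fig. 2-6 concrete: a keyed-hash CCF with the Truncation Function to n bits, the Hamming distance between the MACs of a message and every single-bit variant of it (which should scatter around n/2 with the binomial (n, 0.5) profile of P_d), and the exact MAC′ = MAC′′ comparison. HMAC-SHA-256 stands in for the RIPEMD-160 H_MAC used in the book's simulations; the key, message and function names are constructed assumptions.

```python
"""Keyed-hash MAC with truncation, avalanche statistics per Eq. (2-10)
and hard verification as in Fig. 2-6.  Added example; HMAC-SHA-256 is
used in place of the book's RIPEMD-160 H_MAC, and all names are assumed."""
import hashlib
import hmac
import math


def ccf(key: bytes, message: bytes, n_bits: int = 256) -> bytes:
    """CCF(M) = CCV: keyed hash over M, then the Truncation Function cuts
    the output G to the desired MAC length n (a multiple of 8 here)."""
    assert n_bits % 8 == 0 and 8 <= n_bits <= 256
    g = hmac.new(key, message, hashlib.sha256).digest()
    return g[: n_bits // 8]


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equally long MACs differ."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def p_d(n: int, d: int) -> float:
    """Eq. (2-10): probability that two n-bit MACs differ in exactly d
    bits if the CCF behaves like a random oracle (binomial (n, 0.5))."""
    return math.comb(n, d) / 2 ** n


def flip_bit(message: bytes, bit_index: int) -> bytes:
    """Return M' that differs from M in exactly one bit."""
    m = bytearray(message)
    m[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(m)


def avalanche_distances(key: bytes, message: bytes, n_bits: int = 256):
    """Hamming distance between CCF(M) and CCF(M') for every single-bit
    change M' of M.  Under the SAC the mean is close to n/2."""
    ref = ccf(key, message, n_bits)
    return [hamming_distance(ref, ccf(key, flip_bit(message, i), n_bits))
            for i in range(8 * len(message))]


def hard_verify(key: bytes, received_message: bytes, received_mac: bytes,
                n_bits: int = 256) -> bool:
    """Fig. 2-6: recompute MAC'' over M' and accept only if MAC'' == MAC'.
    A constant-time comparison avoids leaking the position of the first
    differing byte through timing."""
    return hmac.compare_digest(ccf(key, received_message, n_bits), received_mac)


# Constructed sample data (not real secrets or real traffic).
KEY = b"constructed-demo-key-not-a-real-secret"
MESSAGE = b"Transfer 100 EUR to account 12345678 at 2013-05-01T10:00Z"


if __name__ == "__main__":
    n = 256
    dists = avalanche_distances(KEY, MESSAGE, n)
    print(f"{len(dists)} single-bit changes: mean distance {sum(dists) / len(dists):.1f} (n/2 = {n // 2})")
    # compare the observed histogram with P_d around the peak
    for d in range(120, 137, 4):
        observed = dists.count(d) / len(dists)
        print(f"d={d:3d}  observed {observed:.4f}  P_d {p_d(n, d):.4f}")
    mac = ccf(KEY, MESSAGE, n)
    print("unmodified message verifies:", hard_verify(KEY, MESSAGE, mac, n))
    print("one flipped bit verifies:   ", hard_verify(KEY, flip_bit(MESSAGE, 3), mac, n))
```

Running the script shows the single-bit distances clustering near 128 with relative frequencies that track P_d, while any single flipped bit makes hard verification fail.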
For later consideration of the security properties of Message Authentication Codes, it is helpful to take a closer look at their internal construction.
2.2.2
Generation using a symmetric Block Cipher
The ISO Standard [ISO/IEC 9797-1] specifies the generation of Message Authentication Codes on the basis of symmetric block ciphers, e.g. using DES, 3DES or AES. This mechanism is also called CBC_MAC, since it corresponds to the Cipher Block Chaining mode of operation, which is defined in [ISO/IEC 10116]. Terms:
– e: the block cipher
– j: the block length of e, e.g. j = 64 or 128 (DES, AES)
– K: the secret key
– k: the length of K, e.g. k = 56, 64, 112, 128, 168, 192 or 256 (depending on the variant of DES, 3DES, AES)
– M_i: the message blocks of length j, into which the message M is segmented, possibly taking into account a padding method, which extends the message to a multiple of the block length; the padding bits are not transmitted
– H_i: the chained blocks of length j after the encryption of M_i
– F: the last iteration, which may use additional keys, e.g. K′
– g: an Output Function (optional) with output G
– Truncation Function: adjusts the length by cutting G to the desired length n of the Message Authentication Code.
The process is shown in Fig. 2-7.
Figure 2-7: MAC calculation using a block cipher (CBC_MAC). The figure shows the message blocks M1, M2, ..., Mq, the chained blocks H1, H2, ..., Hq-1 (each chained block is added (+) to the next message block and encrypted with e under K), the final iteration F with the keys K, K′ yielding Hq, the output function g with output G, and the truncation to the MAC.
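The CBC_MAC structure of Fig. 2-7 (chaining, final iteration F with an additional key, truncation to n bits) and the receiver-side check of Fig. 2-6, written out as an added example that is not code from the book or from the ISO standard. To keep it runnable with the Python standard library alone, a keyed one-way function built from SHA-256 stands in for the block cipher e (an assumption; CBC_MAC only needs the forward direction of e), F is taken to be one more application of e under K′, and the optional output function g is omitted. The padding is ISO/IEC 9797-1 padding method 2 (a single 1 bit followed by 0 bits).

```python
import hashlib
import hmac

BLOCK_LEN = 16  # block length j = 128 bits, as for AES


def block_encrypt(key, block):
    """Stand-in for the block cipher e_K (assumption: a keyed one-way
    function built from SHA-256 replaces AES/DES so that the example runs
    with the standard library only; CBC_MAC needs only the forward
    direction of e)."""
    assert len(block) == BLOCK_LEN
    return hashlib.sha256(key + block).digest()[:BLOCK_LEN]


def pad_method_2(message):
    """ISO/IEC 9797-1 padding method 2: a single '1' bit (0x80) followed by
    '0' bits up to a multiple of the block length j; the padded data are
    split into the blocks M_1 ... M_q.  The padding bits are not transmitted."""
    padded = message + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK_LEN)
    return [padded[i:i + BLOCK_LEN] for i in range(0, len(padded), BLOCK_LEN)]


def xor_blocks(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key, key2, message, n_bits=64):
    """CBC_MAC as in Fig. 2-7: H_i = e_K(H_{i-1} XOR M_i) with H_0 = 0, a
    final iteration F and a truncation to n bits.  Assumption: F is one more
    application of e under the additional key K'; the output function g is
    omitted (identity)."""
    assert n_bits % 8 == 0 and 0 < n_bits <= 8 * BLOCK_LEN
    h = bytes(BLOCK_LEN)                      # H_0 = 0
    for m in pad_method_2(message):           # chaining through M_1 ... M_q
        h = block_encrypt(key, xor_blocks(h, m))
    h_q = block_encrypt(key2, h)              # final iteration F with K'
    g_out = h_q                               # output function g omitted
    return g_out[:n_bits // 8]                # truncation to n bits


def verify_cbc_mac(key, key2, message, received_mac):
    """Receiver side (Fig. 2-6): recompute MAC'' and compare it with the
    received MAC' in constant time."""
    expected = cbc_mac(key, key2, message, 8 * len(received_mac))
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    # constructed sample keys and message, not taken from the book
    K, K2 = b"\x01" * 16, b"\x02" * 16
    M = b"meter reading 12345"
    tag = cbc_mac(K, K2, M)
    print(tag.hex(), verify_cbc_mac(K, K2, M, tag), verify_cbc_mac(K, K2, M + b"!", tag))
```

The comparison in `verify_cbc_mac` uses `hmac.compare_digest` so that the time taken does not depend on how many leading bytes of MAC′ and MAC′′ agree.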
2 Fundamentals
2.2.3 Generation using a Dedicated Hash Function
The ISO Standard [ISO/IEC 9797-2] specifies the generation of Message Authentication Codes using standardized hash functions, e.g. SHA-256 or RIPEMD-160 [ISO/IEC 10118]. This method is called H_MAC. In this mechanism, the hash function is initialized using a secret key, and then the hash value is calculated over the message. The internal process is very similar to the process described in Chap. 2.2.2. Terms:
– h: the hash function, e.g. RIPEMD-160 or SHA-256
– K: the secret key of length k, e.g. k = 160, 192 or 256
– j: the length of the output after each round, e.g. j = 160 or 256
– M_i: the message blocks after the segmentation of the message M, possibly after the application of the padding method, which extends the message to a multiple of the input length of the hash function
– H_i: the chained blocks of length j after the calculation of the hash value of M_i
– g: an Output Function (optional) with output G
– Truncation Function: adjusts the length by cutting G to the desired length n of the Message Authentication Code.
The process is shown in Fig. 2-8.
Figure 2-8: MAC calculation using a keyed hash function (H_MAC). The figure shows the secret key K as the initialisation of h, the message blocks M1, M2, ..., Mq hashed in a chain through H1, H2, ..., Hq-1 to Hq, the output function g with output G, and the truncation to the MAC.
The H_MAC method with the dedicated hash function RIPEMD-160 is used in the simulations in the later chapters.
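The keyed-hash construction of Fig. 2-8 in its HMAC form (the mechanism of [ISO/IEC 9797-2] that initialises the hash function with the secret key through an inner and an outer key pad, then applies the output function g and the truncation to n bits), as an added example that is not code from the book. SHA-256 is the default here because RIPEMD-160, which the book uses, is only available when the underlying OpenSSL build provides it; a helper reports whether it can be selected. The result is cross-checked against the standard library's `hmac` module.

```python
import hashlib
import hmac


def h_mac(key, message, hash_name="sha256", n_bits=None):
    """H_MAC in the HMAC form: the hash function h is initialised with the
    secret key K via the inner and outer key pads and then run over the
    message blocks; the outer hash computation plays the role of g, and the
    result is truncated to n bits (n_bits=None keeps the full length j)."""
    block_size = hashlib.new(hash_name).block_size   # input block length of h
    if len(key) > block_size:                        # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")             # padded to one input block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()   # chain H_1 ... H_q over the message
    g_out = hashlib.new(hash_name, opad + inner).digest()     # output function g -> G
    return g_out if n_bits is None else g_out[:n_bits // 8]


def verify_h_mac(key, message, received_mac, hash_name="sha256"):
    """Receiver side: recompute the MAC at the received length and compare
    in constant time."""
    expected = h_mac(key, message, hash_name, 8 * len(received_mac))
    return hmac.compare_digest(expected, received_mac)


def matches_standard_library(key, message, hash_name="sha256"):
    """Cross-check of the construction above against hmac.new."""
    return hmac.compare_digest(h_mac(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


def ripemd160_available():
    """RIPEMD-160 can only be used when the OpenSSL behind hashlib provides it."""
    try:
        hashlib.new("ripemd160")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample key and message, not taken from the book
    key, msg = b"\x0b" * 20, b"Hi There"
    tag = h_mac(key, msg, n_bits=80)          # MAC length n = 80 bits
    print(tag.hex(), verify_h_mac(key, msg, tag), ripemd160_available())
```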
2.2.4 Security Aspects of Message Authentication Codes
Message Authentication Codes (MACs) are based on symmetric cryptographic algorithms, which assume a shared secret key on both the sender's and the receiver's side. It is assumed that the sender and receiver trust each other, and that the key is not disclosed to a third party. There are two types of generic attacks: forgery attacks and key recovery attacks.
Forgery Attack
In a forgery attack the MAC of the sent message M is predicted by an attacker. If this prediction is correct for every message, the corresponding attack is called existential forgery. This would be possible, e.g. if the MAC calculation function did not have the one-way property or was not collision resistant (see Chap. 2.2.1). In the case that the prediction is correct for a specific message, the attack is referred to as a selective forgery attack. Additionally, it is distinguished whether the attacker can determine in advance if his attack will be successful or not (verifiable attack – non-verifiable attack).
Key Recovery Attack
In a key recovery attack, the attacker obtains knowledge of the secret key K. The security of the MAC algorithm depends on the length k of the secret key and on the “chaining variable length” j, i.e. the output length of the iterated compression function. The security/entropy of the MAC algorithm is [Pre93]:
$\text{security/entropy (MAC)} = \min(k, 2 \cdot j)$ (2-11)
An attacker needs on average $2^{k-1}$ attempts to perform a brute force attack on the secret key. Additionally, he needs n/k pairs of message/MAC in order to verify that he has found the correct key, since there are $2^k / 2^n$ keys that yield the same MAC for a message. Usually $j \ge k \ge n$ or even $j = k = n$ holds in practice.
Internal Collision
An internal collision of H_MAC (Chap. 2.2.3) happens when there are two message blocks $M_q$ and $M'_q$ such that:
$h(H_{q-1}, M_q) = h(H_{q-1}, M'_q)$ (2-12)
If an internal collision for two input strings t and t′ has been found, then in the case of H_MAC:
$\mathrm{CCF}(t \,\|\, Y) = \mathrm{CCF}(t' \,\|\, Y)$ (2-13)
for each string Y (|| marks the concatenation of two strings). An internal collision of CBC_MAC (Chap. 2.2.2) happens when there are two message blocks $M_q$ and $M'_q$ with:
$e(H_{q-1}, M_q) = e(H_{q-1}, M'_q)$ (2-14)
If there is an internal collision for two input strings t and t′, then, in the case of CBC_MAC:
$\mathrm{CCF}(t \,\|\, Y) = \mathrm{CCF}(t' \,\|\, Y)$ (2-15)
for each string Y, if CCF(t || Y) is known. Thus selective, verifiable forgeries can be constructed from internal collisions, if no countermeasures are taken using the functions g and F, e.g. through the application of an additional secret key.
Forgery Attack on the MAC
The probability of predicting a MAC is $\max(1/2^n, 1/2^k)$, since the key is unknown and the MAC appears as a random number. Thereby, the attack is not verifiable for the attacker.
External Collision
If two messages yield the same MAC, there is an external collision. If an attacker has collected more than $2^{n/2}$ known message/MAC pairs, the probability that an (external) collision has occurred is greater than 0.5. He then only needs $O(2^{n-j})$ selected messages (chosen text) [Pre93] to verify the collision. With this collision, which is used as an internal collision, (selective) forgery attacks can then be performed (see above). The background for calculating the complexity of this attack is the birthday paradox. The birthday paradox is explained here, since it will play an important role in Chap. 6 and 7, where it will be expanded.
Birthday Attack/Birthday Paradox
Assume that a set Q of q elements is given, e.g. the 365 days of a year or the $2^n$ different Message Authentication Codes of length n. K elements, which may repeat, are randomly selected out of Q. The probability p that at least two of the K elements are identical is:
$p \approx 1 - e^{-K(K-1)/(2q)}$ (2-16)
If (2-16) is solved for $K^2$ and the term K is neglected, this results in:
$K \approx \sqrt{2q \ln \frac{1}{1-p}}$ (2-17)
K is the number of elements that are needed to get at least two identical elements with the probability p. For p = 0.5, (2-17) becomes:
$K \approx 1.17 \sqrt{q}$ (2-18)
The derivation of the formulas is given e.g. in [Sti95].
Examples:
If Q are the birthdays in one year (this is where the name of this paradox comes from), only 23 children in a class are needed in order for the probability that two children have the same birthday to be larger than 0.5. If Q are the possible Message Authentication Codes of length n, this results in an external collision with a probability that is greater than 0.5 after
$K \approx 1.17 \sqrt{2^n} = O(2^{n/2})$ (2-19)
messages. For this reason, a MAC length of 128, 160, or better 192 or 224 bits is chosen today, in order to achieve a complexity of $2^{64}$, $2^{80}$, $2^{96}$ or $2^{112}$ respectively for a forgery attack (or even $2^{128}$ at a MAC length of 256 bits, e.g. for the software download of metering software requiring metrological approval). There are numerous publications dealing with the security of Message Authentication Codes. These include the key recovery attack by Knudsen on CBC_MAC (needs two known message/MAC pairs and $2^{(j-n)/2+1} + 1$ selected message/MAC pairs) [Knu97] and the improved Preneel-van Oorschot-Knudsen attack (in the case of DES, k = 56, $3 \cdot 2^{56}$ known message/MAC pairs and $2^{32}$ selected message/MAC pairs are needed) [KnPr98], [PrOo96], [PrOo99]. Another key recovery attack by Wang [Waetalt05] on SHA-1 requires $2^{72}$ selected message/MAC pairs. Methods by [Wie03] refer to the possibilities and the effort in generating collisions, especially using parallel methods. These include also near collisions, which will be considered at the end of Chap. 7.4. Furthermore, there are other attacks that specifically refer to the padding method, the output transformation or the last round iteration. A good overview can be found in the Security Analysis (Annex C) of the ISO standards [ISO/IEC 9797-1] and [ISO/IEC 9797-2]. These however do not influence the security considerations which follow in Chap. 7 for the new verification algorithms, since the MAC algorithms will be applied unchanged.
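The birthday formulas (2-16) to (2-19) and the two examples above (23 birthdays; $1.17 \cdot 2^{n/2}$ MACs of length n), carried through in code as an added example that is not from the book. The empirical part draws a fresh secret key per trial, MACs distinct messages with HMAC-SHA-256 truncated to 16 bits (a stand-in for the book's RIPEMD-160 H_MAC, assumed here so the example runs offline) and counts how often an external collision appears among K = 300 ≈ 1.17·2^8 tags; the fraction comes out close to the 0.5 predicted by (2-19).

```python
import hmac
import math
import random


def collision_probability(q, k):
    """Eq. (2-16): probability that among K elements drawn from a set of q
    elements at least two are identical."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * q))


def elements_for_probability(q, p):
    """Eq. (2-17): K = sqrt(2 q ln(1/(1-p)))."""
    return math.sqrt(2.0 * q * math.log(1.0 / (1.0 - p)))


def elements_for_half(q):
    """Eq. (2-18): K = 1.17 sqrt(q) for p = 0.5."""
    return 1.17 * math.sqrt(q)


def external_collision_bound(n_bits):
    """Eq. (2-19): for MACs of n bits, K = 1.17 sqrt(2^n) = O(2^(n/2))."""
    return elements_for_half(2 ** n_bits)


def smallest_class_for_half(q):
    """Smallest K for which (2-16) exceeds 0.5; gives 23 for q = 365 days."""
    k = 1
    while collision_probability(q, k) <= 0.5:
        k += 1
    return k


def simulate_external_collisions(n_bits, k, trials=200, seed=7):
    """Empirical check of (2-19): per trial a fresh secret key is drawn, k
    distinct messages are MACed (HMAC-SHA-256 truncated to n bits, n a
    multiple of 8) and the trial counts as a hit if two tags coincide.
    Returns the fraction of trials with an external collision."""
    rng = random.Random(seed)        # seeded so the run is reproducible
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        seen = set()
        for i in range(k):
            tag = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()[:n_bits // 8]
            if tag in seen:
                hits += 1
                break
            seen.add(tag)
    return hits / trials


if __name__ == "__main__":
    print(smallest_class_for_half(365), round(elements_for_half(365), 2))
    print(round(external_collision_bound(16), 2), simulate_external_collisions(16, 300))
    for n in (128, 160, 192, 224, 256):
        print(n, "bits ->", round(math.log2(external_collision_bound(n)), 2), "bits of work")
```

Note how cheap the 16-bit case is: about 300 tags already give a collision in roughly half the trials, which is why the MAC lengths quoted in the text are chosen so that $2^{n/2}$ is out of reach.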
2.2.5 Message Authentication Codes and Digital Signatures
Today, digital signatures play an important role in the area of e-Commerce and in internet applications. Digital signatures are based on asymmetric cryptographic algorithms. Every participant possesses a key pair consisting of a private and a public key. The sender uses its private key to generate a digital signature and the receiver uses the sender’s public key to verify that signature (see Fig. 2-9). For this reason the receiver cannot generate any digital signatures that can be verified using the sender’s public key. In the case that MACs are calculated, however, the receiver can calculate every MAC that the sender can also calculate (see Chap. 2.2.2 and 2.2.3).
Figure 2-9: a) Generation and b) Verification of digital signatures (a) message → hash function → hash value → signature algorithm with the sender’s private key → signature; b) message′ → hash function → hash value′, which together with signature′ and the sender’s public key enters the verification → verification OK / NOT OK)
On the basis of the asymmetric property, digital signatures can only be taken into account in Chap. 4 in combination with the Soft Input Hard Verification algorithm, but not in the newly developed Soft Input Soft Verification algorithms (Chap. 6).
2.3 Channel Coding
2.3.1 Reed-Solomon Codes
Reed-Solomon Codes (RS codes) are cyclic linear block codes. They have a special significance, since they are optimal codes; they are particularly suitable for the correction of burst errors [ReSo60].
Optimal codes can be optimal with respect to the Hamming or the Singleton bound. The Hamming bound is defined as:
$\sum_{i=0}^{t} \binom{n}{i} \le 2^{\,n-k}$
with n as the number of symbols of a codeword and k as the number of information symbols. The codes which satisfy the Hamming bound with equality are optimal with respect to the Hamming bound and are also referred to as perfect codes. The Singleton bound is defined as $d \le n - k + 1$. The codes which achieve equality in the Singleton bound are optimal with respect to the Singleton bound and are also called MDS (Maximum Distance Separable) codes. An (n, k, d) RS block code with given values for n (number of symbols of a codeword) and k (number of information symbols) is an MDS code and optimal with respect to the Hamming distance. A consequence is that any k symbols of the codeword uniquely determine the codeword. The greatest possible value for d is reached when $d = n - k + 1$, i.e. d = number of parity symbols + 1. If t symbol errors should be corrected, it therefore holds:
$n - k = 2t$ (2-20)
The Reed-Solomon codes are cyclic q-ary codes. The codewords consist of symbols that are elements of GF(q), with $q = 2^p$, i.e., each symbol consists of p bits. For this reason, an RS code that can correct a symbol can correct up to p wrong bits, if these all belong to that symbol. Thus, it is able to correct an error burst.
Figure 2-10: Codeword after systematic coding (message of k symbols followed by parity of n − k symbols)
Coding
Let t be the number of correctable symbol errors. Then the generator polynomial is constructed according to the following principle:
$g(x) = (x - \alpha^1)(x - \alpha^2)(x - \alpha^3) \cdots (x - \alpha^{2t})$ (2-21)
where α is a primitive element of GF(q). The encoding is performed using the generator polynomial, as usual for cyclic codes. At first, the message is represented as a polynomial i(x) with coefficients from GF(q). If needed, it must be filled up with “zeros” to a multiple of p. Then the message polynomial is divided by the generator polynomial, and the division remainder r is attached to the message as a sequence of parity symbols of GF(q):
$r(x) = i(x) \cdot x^{n-k} \bmod g(x)$ (2-22)
The message i(x) together with the attached division remainder r(x) forms the codeword c(x) that is transmitted over the channel. Since the generator polynomial has the degree 2·t, the number of parity symbols that remain after the division of the message polynomial by the generator polynomial is:
$n - k = 2t$ (2-23)
The length of the codeword is
$n = q - 1 = 2^p - 1$ (2-24)
where:
$k = 2^p - d$ (2-25)
and:
$d = 2t + 1$ (2-26)
In shortened Reed-Solomon codes, the information part is filled with “zero symbols” to form k symbols and then the parity is calculated. The appended zero symbols are not transmitted, as the receiver knows their positions in advance and has to (re-)insert them for decoding.
Correction Properties
The Reed-Solomon decoder can correct up to t errors or up to 2·t erasures. An erasure exists when the position of an erroneous symbol is known in advance. The information about the position of a wrong symbol is provided by the demodulator or a previous decoding component, if the received signal could not be uniquely assigned to a symbol. There are three possible situations when a received word is decoded:
1) 2·s + r ≤ 2·t (s = number of errors, r = number of erasures): in that case, the original codeword can be reconstructed.
2) 2·s + r > 2·t: in this case, the decoder cannot correct the word and reports an error, or:
3) the decoder corrects wrongly and the decoded codeword is not the original one. Errors are not recognised if the error pattern is a multiple of the generator polynomial, so that there is no remainder after the division of the erroneous codeword.
Decoding
The received codeword v(x) is given by:
$v(x) = c(x) + e(x)$ (2-27)
where c(x) is the original codeword polynomial and e(x) the error polynomial. At first, the syndrome is calculated; then the error positions are localized and corrected (up to t errors or up to 2·t erasures).
– Calculation of the syndrome: an RS codeword has 2·t possible syndromes (= remainders), which depend on the errors and not on the original codeword. The syndrome can be calculated by insertion of the 2·t roots of the generator polynomial into v(x).
– Localization of the positions of erroneous symbols: this is done by solving a system of equations with t unknown variables. There are efficient algorithms for this that take into account the special form of the equation matrix that appears in RS codes. The calculation is done in two steps:
1) Calculation of the polynomial that describes the error positions. Suitable algorithms: Berlekamp-Massey [Ber68] [Mas69] or the Euclidean algorithm [Sugetalt75].
2) Calculation of the roots of the polynomial using the Chien search algorithm [Chi64].
This is followed by the calculation of the error values by solving another system of equations with t unknowns. Usually, the Forney algorithm [For65-1] is used. The encoding is considerably faster than the decoding, as the numerical complexity of the decoding is much higher.
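The encoding of (2-21) to (2-26) and the first decoding step (syndrome calculation by inserting the roots of g(x) into v(x)), as an added example that is not code from the book. The field is GF(2^8) built on the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1 with α = 2, an assumption for the sake of concreteness (the book only states q = 2^p); a message shorter than k symbols yields a shortened code in the sense of the text, since the implied leading zero symbols do not change the remainder. The error-locator and Forney steps are not included.

```python
# GF(2^8) on the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1 (0x11d),
# alpha = 2 as primitive element: q = 256, p = 8, n = 255 (assumed field).
PRIM_POLY = 0x11D
EXP = [0] * 512          # EXP[i] = alpha^i, doubled so sums of logs need no reduction
LOG = [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = _v
    LOG[_v] = _i
    _v <<= 1
    if _v & 0x100:
        _v ^= PRIM_POLY
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def poly_mul(p, q):
    """Polynomials are coefficient lists, highest degree first; '+' is XOR."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out


def poly_eval(p, x):
    y = 0
    for c in p:                      # Horner scheme
        y = gf_mul(y, x) ^ c
    return y


def rs_generator(t):
    """Eq. (2-21): g(x) = (x - a^1)(x - a^2)...(x - a^2t); in GF(2^p) '-' is XOR."""
    g = [1]
    for i in range(1, 2 * t + 1):
        g = poly_mul(g, [1, EXP[i]])
    return g


def poly_remainder(dividend, divisor):
    """Remainder of the division by the monic polynomial 'divisor'."""
    out = list(dividend)
    for i in range(len(dividend) - len(divisor) + 1):
        coef = out[i]
        if coef:
            for j in range(1, len(divisor)):
                out[i + j] ^= gf_mul(divisor[j], coef)
    return out[len(dividend) - len(divisor) + 1:]


def rs_parameters(p, t):
    """Eqs. (2-24) to (2-26): n = 2^p - 1, d = 2t + 1, k = 2^p - d."""
    n = 2 ** p - 1
    d = 2 * t + 1
    return n, 2 ** p - d, d


def rs_encode(message, t):
    """Systematic encoding, eq. (2-22): r(x) = i(x) x^(n-k) mod g(x); the
    codeword is i(x) followed by the 2t parity symbols (Fig. 2-10).  A
    message shorter than k symbols gives a shortened code: the leading zero
    symbols are implied and not transmitted."""
    n, k, _ = rs_parameters(8, t)
    assert 0 < len(message) <= k
    parity = poly_remainder(list(message) + [0] * (2 * t), rs_generator(t))
    return list(message) + parity


def syndromes(received, t):
    """First decoding step: insert the 2t roots a^1..a^2t of g(x) into v(x);
    all syndromes are zero iff v(x) is a multiple of g(x)."""
    return [poly_eval(received, EXP[i]) for i in range(1, 2 * t + 1)]


def symbol_errors(sent, received):
    """Differing symbols; a burst of up to p = 8 wrong bits inside one
    symbol counts as a single symbol error."""
    return sum(1 for a, b in zip(sent, received) if a != b)


if __name__ == "__main__":
    cw = rs_encode(list(b"hello"), 2)              # constructed sample message, t = 2
    bad = list(cw)
    bad[1] ^= 0xFF                                  # 8-bit burst inside one symbol
    print(cw, syndromes(cw, 2), syndromes(bad, 2), symbol_errors(cw, bad))
```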
2.3.2 Convolutional and Turbo Codes
Convolutional codes are error-correcting codes, which are named after the convolution operation of the continuous input sequence of the encoder $x = (x_0, x_1, x_2, \ldots)$ with the coefficients of the convolutional encoder $g^{(p)} = (g_0^{(p)}, g_1^{(p)}, \ldots, g_n^{(p)})$. If k is the memory length and n is the number of outputs $y^{(p)} = (y_0^{(p)}, y_1^{(p)}, y_2^{(p)}, \ldots)$, p = 1, 2, …, n, then the output p is given for the input j by the convolution [JoZi99]:
$y^{(p)} = x * g^{(p)}$ (2-28)
or:
$y_j^{(p)} = \sum_{i=0}^{k} x_{j-i} \, g_i^{(p)}$ (2-29)
where * stands for the discrete convolution, $x_{j-i} = 0$ for all j < i, and all operations (i.e. binary additions) are executed mod 2. The code rate R is the ratio of the number of input bits to the number of output bits of the channel encoder. For example, a convolutional encoder of the code rate R = 1/n with n convolution functions $g^{(1)}, g^{(2)}, \ldots, g^{(n)}$ over GF(2) is shown in Fig. 2-11.
Figure 2-11: Convolutional encoder of the code rate R = 1/n (the input x passes through a shift register of k stages; the outputs are $y^{(1)} = x * g^{(1)}$, $y^{(2)} = x * g^{(2)}$, …, $y^{(n)} = x * g^{(n)}$)
Primitive polynomials are used as convolution functions g, whereby $x_i$ are the coefficients of the polynomial to the base 2:
$y^{(p)}(x) = g^{(p)}(x_0, x_1, x_2, \ldots, x_k) = x_k 2^k + x_{k-1} 2^{k-1} + \ldots + x_1 \cdot 2 + x_0$ (2-30)
It is common to present the binary numbers $x_k \ldots x_1 x_0$ as decimal numbers. An example of a simple but often used convolutional encoder is the (5,7) convolutional encoder, which is shown in Fig. 2-12. It is used for the simulations in this book.
Figure 2-12: Convolutional encoder (5,7) (input x, two delay stages 1 and 2, outputs y1 and y2 formed by modulo-2 adders)
Turbo codes were published in [Beetalt93] and constituted a revolutionary contribution to information and coding theory: their use enables transfer rates close to the Shannon limit, i.e. the limit of the maximum transmission capacity. Note: this property is not only met by turbo codes, but also by LDPC codes or Gallager codes. LDPC codes are linear error correcting block codes, which were developed by Gallager in 1962 in his dissertation at MIT [Gal62]. They have gained greatly in significance in recent years. Turbo codes are used today on (almost) all wired and especially wireless transmission channels. Typically, a turbo encoder consists of two or more convolutional encoders and interleavers, where the convolutional encoders are recursive systematic encoders (RSC). Recursive means that the result of a convolution operation is fed back and used as an input (Fig. 2-13). Systematic encoders use the input bit as one of the output bits of the encoder (Fig. 2-13). In Fig. 2-13, bit y2 is the systematic bit, likewise in Fig. 2-14, in which the encoder from Fig. 2-13 is used as an RSC. All encoders except for the first one use the non-systematic bits. The code rate of the turbo encoder shown in Fig. 2-14 is 1/3, since it generates three output bits y1, y2 and y3 for a single input bit x.
Figure 2-13: RSC encoder of the code rate 1/2 (input x, two delay stages 1 and 2 with feedback through a modulo-2 adder, parity output y1 and systematic output y2)
Figure 2-14: Turbo encoder of the code rate 1/3 (input x; the first RSC encoder yields y1, y2 is the systematic bit, and the second RSC encoder, fed through the interleaver, yields y3)
There are different types of interleavers, whose task is to convert the bit sequence according to specific rules. A block interleaver is used most frequently, in which a matrix is written by columns and read out by rows. The interleaver significantly influences the Hamming distance of the output sequence of the turbo encoders and thereby the efficiency of the turbo encoder [VuYu00].
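The encoders of this section in code, as an added example that is not from the book: the non-recursive rate-1/n encoder of (2-29) with generators given as the integers of (2-30) (so (5,7) is the encoder of Fig. 2-12), the RSC encoder of Fig. 2-13, the block interleaver (written by columns, read by rows) and the rate-1/3 turbo encoder of Fig. 2-14. The figure does not name the RSC polynomials, so the choice of 7 as feedback and 5 as feedforward polynomial is an assumption.

```python
def conv_encode(bits, generators):
    """Non-recursive convolutional encoder of rate 1/n, eq. (2-29):
    y_j^(p) = sum_{i=0}^{k} x_{j-i} g_i^(p) mod 2, with x_{j-i} = 0 for j < i.
    Each generator is the integer of eq. (2-30), so bit i of it is g_i^(p);
    (5, 7) = (101, 111) is the encoder of Fig. 2-12.  The n outputs per input
    bit are returned interleaved: y_0^(1), y_0^(2), ..., y_1^(1), ..."""
    memory = max(g.bit_length() for g in generators) - 1     # k
    out = []
    for j in range(len(bits)):
        for g in generators:
            y = 0
            for i in range(memory + 1):
                if j - i >= 0 and (g >> i) & 1:
                    y ^= bits[j - i]
            out.append(y)
    return out


def rsc_encode(bits, feedforward=0b101, feedback=0b111):
    """Recursive systematic encoder (Fig. 2-13).  Assumption: feedback
    polynomial 7, feedforward polynomial 5 (the figure does not name them).
    Returns (systematic bits y2, parity bits y1)."""
    memory = max(feedforward.bit_length(), feedback.bit_length()) - 1
    state = [0] * memory                 # a_{j-1}, a_{j-2}, ... (register contents)
    parity = []
    for x in bits:
        a = x                            # recursion: a_j = x_j + sum_i fb_i a_{j-i}
        for i in range(1, memory + 1):
            if (feedback >> i) & 1:
                a ^= state[i - 1]
        y = 0                            # parity: y_j = sum_i ff_i a_{j-i}
        for i in range(memory + 1):
            if (feedforward >> i) & 1:
                y ^= a if i == 0 else state[i - 1]
        parity.append(y)
        state = [a] + state[:-1]
    return list(bits), parity


def block_interleave(seq, rows, cols):
    """Block interleaver: the sequence is written into a rows x cols matrix
    by columns and read out by rows."""
    assert len(seq) == rows * cols
    return [seq[c * rows + r] for r in range(rows) for c in range(cols)]


def turbo_encode(bits, rows, cols):
    """Turbo encoder of rate 1/3 (Fig. 2-14): y1 from the first RSC encoder,
    y2 = x the systematic bit, y3 from the second RSC encoder fed with the
    interleaved input.  Returns a list of (y1, y2, y3) triples."""
    y2, y1 = rsc_encode(bits)
    _, y3 = rsc_encode(block_interleave(bits, rows, cols))
    return list(zip(y1, y2, y3))


if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 0]                          # constructed input sequence
    print(conv_encode(x, [5, 7]))                   # rate 1/2, (5,7)
    print(rsc_encode([1, 0, 0, 0]))                 # impulse response is not finite
    print(turbo_encode(x, 2, 3))                    # rate 1/3
```

The impulse response of the RSC encoder does not die out (the fed-back bit keeps circulating), which is the recursive property the text describes; the non-recursive (5,7) encoder returns to the all-zero state after k = 2 input zeros.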
2.3.3 Soft Input Soft Output Decoding
Usually block codes are decoded using special decoding algorithms and convolutional codes using Maximum Likelihood or Maximum A-Posteriori algorithms. As already mentioned in Chap. 2.1, soft decision line decoders and Soft Input Soft Output (SISO) channel decoders are applied today, whereby the soft decision from the line decoder is used as soft input and soft output is delivered. The soft output is defined by so-called reliability values or L-values, which are generated for each output bit and expressed in logarithmic form:
$L(x') = \ln \frac{P(x = 1)}{P(x = 0)}$ (2-31)
The sign of the reliability value presents the hard decision by the decoder, i.e. assigning either “0” or “1” to the bit. The absolute value |L| indicates the reliability of the hard decision: the larger |L|, the more reliable the hard decision. The theoretical value L = ± ∞ represents absolute reliability of the hard decision made. For L = 0, however, the probability that the hard decision is correct is 0.5. SISO (Soft Input Soft Output) decoding [Kaetalt05] has obtained its special importance in the iterative decoding of turbo codes [Beetalt93][Gietalt03]. A turbo decoder that corresponds to the turbo encoder in Fig. 2-14 is shown in Fig. 2-15: it receives the real values y1′, y2′ and y3′ from the soft decision line decoder, which correspond to the three output bits y1, y2 and y3 of the turbo encoder. Two SISO decodings are executed in each iteration of the turbo decoding. Each of the two SISO decoders corresponds to an RSC encoder in Fig. 2-13. The output of each decoder consists of the reliability value obtained as a-posteriori value, which is used as an additional input (a-priori information) for the next round of decoding (extrinsic information). The results of the decoding are improved in each iteration of the turbo decoding. After 8 to 10 iterations there are typically no more improvements. At the end, x′ is issued as hard output together with L(x′) as soft output.
The commonly used SISO decoding algorithms are MAP (Maximum A Posteriori) [Baetalt74], which is also called the BCJR algorithm after its inventors, and SOVA (Soft Output Viterbi Algorithm) [HaHö89]. Both algorithms are older than turbo codes, but they had to wait for the invention of turbo codes to gain their importance. MAP is somewhat more complex than SOVA, but provides better results than SOVA for low Eb/N0. Both algorithms show similar decoding results for higher Eb/N0.
Figure 2-15: Turbo decoder (the encoder outputs y1, y2, y3 pass through line encoding, the channel and line decoding to y1′, y2′, y3′; SISO decoder 1 and SISO decoder 2 exchange the reliability values L1 and L2 via interleavers and deinterleavers and deliver the hard output x′ together with the soft output L(x′))
The MAP algorithm was implemented and used for the simulations and results in this book. SISO algorithms have not only achieved significance in the decoding of convolutional and turbo codes, but are also successfully used in the decoding of block codes, e.g. Reed-Solomon codes [PoVu99] [KöVa02].
2.3.4 Concatenated Codes
The term concatenated codes refers to the serial connection or parallel connection of different encoders. Each of them adds redundancy for error recognition and/or error correction. The expression “Concatenation of Codes” was introduced for the first time by Forney in 1966 in his publications [For66-1] and [For66-2], after he had published essential parts of his dissertation at MIT in a report [For65-2].
Figure 2-16: Concatenation of an inner and outer code (outer encoder, inner encoder, channel, inner decoder, outer decoder; the inner encoder, the channel and the inner decoder together form the super channel)
There he explained his first theoretical results on concatenated codes as follows: concatenation of an arbitrarily large number of codes can yield a probability of error that decreases exponentially with the overall block length, while the decoding complexity increases only algebraically; and a concatenation of a finite number of codes yields an error exponent that is inferior to that attainable with a single stage, but is nonzero at all rates below capacity. Expressions such as “Concatenated codes” [LiCo04], “General concatenated codes” [Bos98] or “General concatenated coding system” [McSw93] can be found in the literature. Fig. 2-16 shows a concatenation of two codes, which are referred to as the inner and outer code. Often the concatenation of the outer and inner encoders is called the “Super Encoder”, and the concatenation of the inner and outer decoders the “Super Decoder”. The channel with an inner encoder and inner decoder is often called a “Super Channel” [For66-1]. Since concatenated codes were used in space missions for the first time in 1977 in the Voyager programme, they have remained an efficient type of error correcting codes along with LDPC codes (see Chap. 2.3.1). Usually a convolutional code or turbo code is used as the inner code [Ode70]. A longer block code is used as the outer code, since longer symbol lengths are more robust against burst errors. Mostly the Reed-Solomon code over GF(2^8) is used. Additionally, an interleaver is often inserted between the outer and inner encoder, which provides a spreading of burst errors. The combination of an inner convolutional code and an outer Reed-Solomon code was implemented for the first time in Voyager 2 [LuTa02] and is still used in satellite transmission, such as in the DVB-S Digital Television Standard [DVB97]. In the DVB-S2 Digital Television Standard [DVB09], an LDPC code is used as the inner code and an algebraic code as the outer code [Bla03].
Compact discs use a concatenation of two Reed-Solomon codes of different lengths with an interleaver. Concatenated codes will be used in this book as well. Thereby, the inner code is a convolutional code, and the outer code consists of:
– a cryptographic checksum
– a cyclic code, e.g. a Reed-Solomon code.
A SISO decoder is used as the convolutional decoder for the inner code, so that reliability values are available for the outer decoder. This means that the outer decoder can also operate according to the SISO principle and in turn supply the source decoder with soft values (soft output). If Fig. 2-17 and Fig. 1-1 are compared, it can be recognised that the added cryptographic checksums in Fig. 1-1 can be seen as an outer code, or even as the outermost code (if there are several concatenated codes).
Figure 2-17: Cryptographic checksums and channel coding as outer and inner codes (generation of the cryptographic checksum, channel coding, channel, channel decoding, verification of the cryptographic checksum; the channel codes form the inner codes and the cryptographic checksums the outer codes)
If cryptographic checksums are used as the outer code, additional security against intentional manipulations (caused by attacks) is provided. The security services data integrity and authentication of data origin are supported. The use of cryptographic checksums was not originally intended as an outer code for the improvement of channel coding, but for providing security services. In this book they are additionally considered as an outer code of the channel coding, as they are actually used to improve the chances of correction along with providing security services. The message M of the length m and the cryptographic checksum CCV (Cryptographic Check Value) of the length n result in a systematic (m + n, m) block code:
Figure 2-18: Lengths of the message and the cryptographic checksum (message M of m bits followed by the cryptographic checksum CCV of n bits)
If the code rate of the channel code is R, the resulting code rate $R_{total}$ is:
$R_{total} = \frac{m}{m + n} \cdot R$ (2-32)
The resulting code rate is obviously reduced. This is the price for adding the cryptographic checksum, which however protects against manipulation and supports the authentication of data origin.
2.4 Joint Source and Channel Coding
Joint source and channel coding is a very promising technique for improving the quality of the signal at the sink in communication over wireless channels. Following the work of C. Shannon from the year 1948 [Sha48], which was revolutionary for information and communications theory, and the theorem contained in it, a source of entropy H can be reliably transmitted over a channel with capacity C if H ≤ C. This condition means that the source encoder minimises the source rate to the entropy H. The channel coding and decoding should be used without any knowledge of the type of source and only channel-dependent. Source and channel coding should work independently of each other. For that reason, this theorem is often also called the “separation theorem”. Today, however, it is known that this theorem is only valid under optimal conditions, and that better results can be achieved if the en-/decoders cooperate and exchange their knowledge of the channel and the characteristics of the source information. Depending on the type of source, e.g. whether it is a digital or analogue source, there are different concepts of joint source and channel coding techniques.
Digital Joint Source and Channel Coding Techniques
Digital joint source and channel coding techniques are used in cases and applications in which the source and channel are digital. This is usually the case in today’s communication systems. More extensive literature can be found in [ChZa00] [Lietalt07] [Zaetalt96].
Iterative Joint Source and Channel Coding Techniques
SISO or LDPC decoders can be iteratively combined in order to obtain better decoding results compared to the standard joint source and channel coding techniques. Video and audio transmission are the most common areas of application of iterative joint source and channel coding techniques. So-called Extrinsic Information Transfer (EXIT) charts [Bri99][Hag04] are an important tool for visualising the convergence behaviour of iterative decoding algorithms.
Figure 2-19: Example of an iterative joint source and channel coding system [AdVa04] (transmitter: quantizer & mapping, source encoder, interleaver, channel encoder with output y, to which the noise n is added to give y′; receiver: smearing filter, channel decoder, deinterleaver, softbit source decoding with use of a-priori information and parameter estimation, output x′; the extrinsic information is fed back through an interleaver to the channel decoder)
In order to improve iterative joint source and channel coding techniques, an iterative decoding following the turbo principle is suggested (turbo error concealment) [AdVa04]. Softbit source decoding is a typical error concealment technique, which combines the reliability values of the SISO decoder with the a-priori knowledge of the individual parameters of the source decoder. As a result, the a-posteriori information is generated as input for the individual optimal estimation of each parameter of the source decoder. Thereby, the optimum is specified according to the Minimum Mean Squared Error (MMSE) between the parameters estimated on the basis of the a-posteriori information and the original parameters of the source decoder. The comparison of the a-priori information with the a-posteriori information provides the extrinsic information, which is fed back to the channel decoder. As usual, an interleaver/scrambler is interposed between the source encoder and channel encoder, which smoothes the statistical behaviour of the application. The scheme of the system is depicted in Fig. 2-19, where x designates the input signal, y the output of the channel encoder and n the noise.
Other Techniques
Other joint source and channel coding techniques are hybrid digital-analogue (HDA) joint source and channel coding techniques [Wietalt10] [Beetalt09] and near analogue joint source and channel coding techniques [Chu00].
Joint Source and Channel Coding and Generation/Verification of Cryptographic Checksums
If joint source and channel coding techniques are used, the feedback from the source decoding to the channel decoding is interrupted by the presence of the verification module of the cryptographic checksum. The soft output values of the channel decoding can no longer be transferred to the source decoding (Fig. 2-20).
Figure 2-20: Blocking of feedbacks through the integration of cryptographic checksums (transmitter: source, source coding, generation of the cryptographic checksum, channel coding, line coding, channel; receiver: line decoding, channel decoding, verification of the cryptographic checksum, source decoding, sink)
It can easily be recognised that the insertion of the cryptographic checksum as an outer channel code is straightforward if the interfaces for source coding and source decoding are preserved unchanged. This book aims at arranging the insertion of cryptographic checksums so that the interfaces to source coding and source decoding continue to be preserved for the techniques of joint source and channel coding. This means that the verification process of the cryptographic checksums must provide the source decoder, i.e. the deinterleaver (see Fig. 2-20), with soft values, so that the verification of the cryptographic checksums behaves transparently for the source decoder. The feedback of the extrinsic information from the source decoder thereby proceeds over the verification module of the cryptographic checksums to the SISO channel decoder.
3 Related Work
3.1 Channel Coding with Bit Inversion
Different techniques will be combined in this book, especially decoding techniques for channel codes and the verification of cryptographic checksums to guarantee data integrity and authentication, whereby the redundancy added by different layers is evaluated across layers. Thereby, the security services that are based on cryptographic mechanisms play a central role. The related work and references considered in this chapter therefore come from areas that deal with bit inversion, channel coding techniques, authentication and data integrity in transmission over noisy channels. The channel decoding technique used in this book is based on reliability values (soft values, soft output, L-values, see Chap. 2.3.3), whereby error correction is achieved by inverting bits that are assumed to be the most probably erroneous. The use of reliability values can be traced back to the General Minimum Distance (GMD)algorithms by Forney from 1966 [For66-1] [For66-2]. Forney used the reliability information of the received symbols in order to improve the algebraic decoding of the binary and nonbinary codes. For a (n,k) linear block code with a minimal Hamming Distance dmin, a list of at most (d min 1) / 2 codeword candidates is generated, in which hard decision bits of the received sequence are modified corresponding to the reliability values. In the case that dmin is even, the received sequence is modified by the erasure of one, three,..., dmin 1 symbols with the lowest reliability values. In the case that dmin is odd, the received sequence is modified by erasure of zero, two,..., dmin 1 symbols with the lowest reliability values. Every modified sequence is decoded algebraically using the error-and-erasure-algorithm. For codeword candidates decoded in this way, a soft decision metric is calculated. The candidate with the best metric is then selected as the decoded solution. 
The idea of inverting the bits with the lowest reliability values originates from Chase in 1972 [Cha72] as a generalisation of the General Minimum Distance (GMD) algorithms. Chase developed three algorithms: Algorithm 1, Algorithm 2 and Algorithm 3. In Algorithm 3, as in the GMD algorithm, a list of at most ⌊d_min/2⌋ + 1 codeword candidates is generated, whereby the erasure operation is replaced by complementing the symbols with the lowest reliability values. Every modified sequence is decoded algebraically by the error-correction-only algorithm. Again, the candidate with the best metric is selected. Chase Algorithm 3 achieves approximately the same error correction for binary codes at the same computational complexity as the GMD algorithm. Algorithm 2 by Chase is an improved version of Algorithm 3. Here a longer list of codeword candidates is generated. In the first step, a reliability value is assigned to each symbol of the received sequence. Then a group of error patterns, ordered according to their reliability values, is generated. By XORing the received sequence with each error pattern, the modified sequences are generated and algebraically decoded by the error-correction-only algorithm. Algorithm 2 achieves improved error correction at higher computational complexity than Algorithm 3.

Algorithm 1 by Chase generates a list of at most C(n, ⌊d_min/2⌋) codeword candidates (binomial coefficient) by inversion of all combinations of exactly ⌊d_min/2⌋ symbols in the received hard decision sequence. This algorithm has never played an important role because of the high computing resources required. Of all three Chase algorithms, Algorithm 2 achieves the best ratio of error correction to decoding complexity.
Another group of algorithms whose decoding principle exploits the reliability values ordered according to their absolute values are the Most Reliable Basis (MRB) [Dor74] [Yaetalt03], Most Reliable Independent Positions (MRIP) Reprocessing [Faetalt03], Least Reliable Basis (LRB) [Foetalt98] and Ordered Statistic Decoding [Vuetalt05] algorithms. In the Forney and Chase algorithms mentioned above, a partial ordering of the lowest reliability values suffices to identify the “Least Reliable Positions” (LRP) of the sequence to be decoded. In contrast, MRIP decoding, which is also used for binary (n,k) linear block codes, requires not only a complete ordering of the codeword candidates using the reliability values, but also the identification of k independent positions (k MRIP) with the k highest reliability values. In the first step, a reliability value is assigned to every symbol of the received sequence, and the symbols are arranged in descending order of their absolute reliability values. Afterwards k independent positions are found by permutation of the columns of the code generator matrix and elementary row operations on the permuted generator matrix. These k MRIPs form the “most reliable basis” (MRB). The list of codeword candidates, reduced using the MRB, is tested. The candidate with the best metric is selected as the decoded solution. Similarly, the LRB algorithm uses the n − k positions with the lowest reliability values as Least Reliable Independent Positions (LRIP).
The Ordered Statistic Decoding (OSD) algorithm [FoLi95] from 1995 is an MRIP reprocessing algorithm, which selects MRIPs in sequence in several stages, whereby the noise statistics are taken into account. These statistics are used to determine when the optimal or a specified correction level is achieved. Like the MRIP algorithms, the OSD algorithms find k MRIPs and generate a sequence of codeword candidates by inverting combinations of l (l ≤ k) of the k MRIPs. Each modified sequence is correlated with the decoded codeword. The candidate with the maximum correlation is selected as the codeword. This algorithm can be easily implemented and demands low computing complexity. Other related algorithms are Information Set Decoding [Pra62] and Permutation Decoding [Mac64]. If there are k linearly independent bits in the received codeword of an (n,k) code, a unique codeword can be constructed that agrees with the received sequence in these k bits. Since these k bits uniquely determine a codeword, this group of k bits is called an “information set” [CoGo90]. If the received sequence has no errors in the bits of the “information set”, the error pattern can be easily reconstructed: the bits of the “information set” are encoded again in order to find the unique codeword that agrees with the received codeword in the k bits. At the end both codewords are subtracted from each other, and this yields the error pattern, which enables the correction of the codeword.
The similarity of Information Set Decoding to the algorithms described in this book is that a group of k bits of the received sequence is used to find the correct sequence. In other respects, the algorithms described in this book differ from Information Set Decoding. The algorithm of Permutation Decoding [Mac64] originates from 1964 and searches for a set of automorphisms of the linear code, which form the so-called PD set. The algorithm can best be explained on the example of Reed-Solomon codes, where every symbol consists of p bits if GF(2^p) is used. The PD set includes all possible permutations of bits of the same bit position within the symbols (bit positions correspond to the rows if each symbol is represented as a column). The algorithm assumes that after the permutations the incorrect bits are concentrated in a few symbols, which can then be corrected by the symbol-oriented correction of the Reed-Solomon code. This procedure is especially suited for cyclic codes. The principle of bit inversion is used in [Ngetalt09] in connection with the decoding of LDPC codes. Two algorithms are suggested that invert only one bit per iteration. The inverted bit is selected so that the syndrome weight is on average increased by the weight of the error pattern. The algorithm is ended when the minimum syndrome weight no longer changes. In a variant of this algorithm, additional reliability values (soft input) are used, which do not make the algorithm more complex but more effective.
3.2 Error tolerant Cryptographic Checksums
The Message Authentication Codes (MACs) (see Fig. 2-4 and 2-6) are not suitable for many applications, e.g. multimedia or voice transmission, or wireless transmission and communication with a high error rate that remains uncorrected by the channel decoder, since every uncorrected error in the message or in a MAC leads to rejection of the message. For this reason, new techniques have been suggested that allow a certain, small number of errors in the input of the MAC. Messages that differ only slightly result in the same cryptographic checksum using these techniques. At first, the Approximate Message Authentication Code (AMAC) was published [GrFu99], which positively verifies a received message even if the sent and received messages differ in a few bits. AMAC is a probabilistic cryptographic checksum with the following properties:
– AMACs of two slightly different messages should be identical
– AMACs of two messages that have a slightly larger difference should only be slightly different
– AMACs of two very different messages should be very different
– the bit positions in which the messages differ should not have any influence on the AMAC
– the AMAC should behave like a MAC in the case of different keys: the AMACs should on average differ in 50% of the bit positions, whereby the value of each bit has the probability of 0.5.
The principle of the AMAC calculation is as follows (see Fig. 3-1): The message, e.g. an image file, is written bit by bit, line by line into a table, whereby the number of columns corresponds to the length of the MAC, e.g. 128 bits. Then the table is divided into “pages” of e.g. 256 lines each (PAGES). All bits are XORed with the bit sequence of a pseudo random number generator (XOR PRNG). A randomly generated row PRNG(i) is added to every page so that an odd number of rows results (ADD ROW). Another row, MAJORITY(i), is added to these 257 rows, whereby every bit in this row indicates whether the corresponding column contains more “1” or more “0” bits (MAJORITY). These added rows in turn form a “page”, which is again XORed with the bit sequence of a pseudorandom number generator (XOR PRNG) and supplemented with a randomly generated row (ADD ROW). Finally, the MAJORITY row is formed again, which indicates for each column whether it contains more “1” or more “0” bits. This vector MAJORITY forms the AMAC.

Figure 3-1: AMAC algorithm (figure not reproduced; stages shown: PAGES of 2^8 rows × 128 columns, XOR PRNG, ADD ROW with PRNG(1) … PRNG(256) giving 2^8 + 1 rows per page, MAJORITY(1) … MAJORITY(256), then XOR PRNG, ADD ROW and MAJORITY over the 2^8 majority rows, yielding the 128-bit AMAC)
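The page/majority construction described above, as an added example (not the code of [GrFu99] or of this book): the keyed PRNG (HMAC-SHA256 in counter mode over key, IV and a label), the key, the IV and the reduced parameters of the demo (32-bit AMAC, 64 rows per page) are constructed assumptions, since the text fixes none of them.

```python
import hashlib
import hmac

# Added example (not the code of [GrFu99]): AMAC following the PAGES / XOR PRNG /
# ADD ROW / MAJORITY construction. PRNG, key and IV are constructed choices.

def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def prng_bits(key: bytes, iv: bytes, label: bytes, n_bits: int):
    """Deterministic pseudorandom bit stream shared by sender and receiver
    (constructed: HMAC-SHA256 in counter mode)."""
    out, counter = [], 0
    while len(out) < n_bits:
        digest = hmac.new(key, iv + label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(to_bits(digest))
        counter += 1
    return out[:n_bits]

def xor_rows(rows, stream):
    """XOR PRNG: every bit of the table against the pseudorandom stream."""
    width = len(rows[0])
    return [[b ^ s for b, s in zip(row, stream[i * width:(i + 1) * width])]
            for i, row in enumerate(rows)]

def majority_row(rows):
    """MAJORITY: per column, 1 if more '1' than '0' bits. ADD ROW makes the row
    count odd, so no ties occur (a tie would count as 0 here)."""
    width = len(rows[0])
    return [1 if 2 * sum(row[c] for row in rows) > len(rows) else 0 for c in range(width)]

def amac(message: bytes, key: bytes, iv: bytes, width: int = 128, page_rows: int = 256):
    """AMAC of `message`: `width` = AMAC length in bits, `page_rows` = rows per page."""
    bits = to_bits(message)
    bits += [0] * (-len(bits) % (width * page_rows))   # constructed: zero-pad to whole pages
    table = [bits[i:i + width] for i in range(0, len(bits), width)]
    table = xor_rows(table, prng_bits(key, iv, b"table", len(bits)))
    # PAGES / ADD ROW / MAJORITY: one majority vector MAJORITY(i) per page
    page_majorities = []
    for p in range(len(table) // page_rows):
        page = table[p * page_rows:(p + 1) * page_rows]
        page.append(prng_bits(key, iv, b"row-%d" % p, width))    # PRNG(i): odd row count
        page_majorities.append(majority_row(page))
    # second level: the majority vectors form a page again -> XOR PRNG, ADD ROW, MAJORITY
    level2 = xor_rows(page_majorities, prng_bits(key, iv, b"level2", len(page_majorities) * width))
    level2.append(prng_bits(key, iv, b"level2-row", width))
    return majority_row(level2)

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def demo():
    """32-bit AMAC, 64 rows per page, over a constructed 2048-byte message (8 pages)."""
    key, iv = b"constructed-key", b"constructed-iv-0001"
    message = bytes(range(256)) * 8
    tag = amac(message, key, iv, width=32, page_rows=64)
    damaged = bytearray(message)
    damaged[10] ^= 0x01; damaged[700] ^= 0x80; damaged[1500] ^= 0x10   # 3 scattered bit errors
    tag_damaged = amac(bytes(damaged), key, iv, width=32, page_rows=64)
    tag_other_key = amac(message, b"other-key", iv, width=32, page_rows=64)
    # One flipped message bit touches one column only, so it changes at most one
    # AMAC bit: the distance here is <= 3, while a different key gives an unrelated tag.
    return hamming(tag, tag_damaged), hamming(tag, tag_other_key)
```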
Both transmitter and receiver need the same pseudorandom number generator, a shared key and a unique initialisation vector. The AMAC is therefore, unlike the MAC, not generated using a key-controlled one-way function, but by considering the number and distribution of “0” and “1” bits locally and globally. If the majority of “0” and “1” changes locally, i.e. within a single “page”, then the corresponding vector changes. If the vectors of several “pages” change, i.e. if the changes were so significant in multiple “pages” that the majority of “0” and “1” changed, then the resulting AMAC will change in several positions. The more significant the changes were, the larger the changes in the AMAC. Attackers can of course manipulate locally, but not at too many local positions. The probabilistic properties of the AMACs are analysed in [GrFu99]. The IMAC algorithm (Approximate Image Message Authentication Code) is explained in [Xietalt01]; it applies the AMAC algorithm to JPEG images and takes into account the different meaning of the bits and their sensitivity to changes. A modification of the AMAC, the so-called Noise Tolerant Message Authentication Code (NTMAC), is suggested in [Bon06]. NTMAC is a compromise between the MAC and the AMAC presented above. Since the MAC on one hand is impractical for applications that are supposed to tolerate a small number of errors and on the other hand the AMAC tolerates too many errors, NTMAC is constructed such that it only tolerates a few errors, e.g. up to 32. The NTMAC uses MACs, see Chap. 2.2.1. The algorithm splits the message into blocks of the same size, whereby a secret key controls which bit of a partition goes into which block. The blocks are disjoint; their union is the whole message. A MAC is calculated for every block. These MACs are punctured and the concatenation of the punctured MACs forms the NTMAC (see Fig. 3-2). Unchanged MACs of the blocks result in unchanged parts of the NTMAC. The receiver can therefore recognise which blocks of the message are modified, whereas an attacker does not know the assignment of the bit positions of the message to blocks, i.e. he does not know the bit positions in the NTMAC. The algorithm is an improvement over the AMAC algorithm, because it reduces the number of allowed modifications and enables error localisation.
Figure 3-2: NTMAC algorithm (figure not reproduced; labels: Partition 1 … Partition m, key-controlled assignment ∏(i, j) with Sub-Key 1 … Sub-Key n, Block 1,1 … Block m,n, MAC 1,1 … MAC m,n, punctured subMAC 1,1 || … || subMAC m,n = NTMAC)
Accepting an incorrect message as correct is called “false acceptance” and is defined in [Bon06]. This can, for example, occur in case of a collision of MACs, or if the MACs differ only in the bit positions that are punctured. For this reason, another variant of the NTMAC algorithm was introduced which uses a Cyclic Redundancy Code (CRC) instead of a MAC. It is called CRC-NTMAC and is described and analysed in [LiBo05] (see Fig. 3-3). Instead of the MAC calculation, CRCs are calculated and not punctured. At the end the concatenated CRCs are encrypted. The encrypted CRCs, which have the same length as the punctured MACs, reduce the probability of acceptance of incorrect messages.
Figure 3-3: CRC-NTMAC algorithm (figure not reproduced; labels: Partition 1 … Partition m, ∏(i, j), Key, Block 1,1 … Block m,n, CRC 1,1 … CRC m,n, ENCIPHERMENT (CRC 1,1 || … || CRC 1,m || … || CRC m,1 || … || CRC m,n) = CRC-NTMAC)
The new variants of the NTMAC which make both error recognition and error correction possible are presented in Chap. 5.5.
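The NTMAC construction of [Bon06] as described above, with the receiver's block-wise error localisation, as an added example (not the code of [Bon06] or of this book). Assumptions, since the text does not fix them: a single partition, the key-controlled bit-to-block assignment realised as a permutation seeded from the key, HMAC-SHA256 as block MAC, and puncturing that keeps the first 4 bytes of each block MAC.

```python
import hashlib
import hmac
import random

# Added example (not the code of [Bon06]): a small NTMAC with error localisation.
# One partition, key-seeded permutation, HMAC-SHA256 block MACs, 4-byte subMACs.

N_BLOCKS = 8      # blocks per partition
SUB_LEN = 4       # bytes kept of each block MAC after puncturing (subMAC, 32 bit)

def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def key_permutation(key: bytes, length: int):
    """Key-controlled assignment of message bit positions (constructed: a
    Fisher-Yates shuffle seeded with SHA-256(key)). Position p lands in block
    perm[p] // block_len, so an attacker without the key cannot tell which
    message bits a given subMAC covers."""
    rng = random.Random(hashlib.sha256(key).digest())
    perm = list(range(length))
    rng.shuffle(perm)
    return perm

def split_blocks(bits, perm, n_blocks):
    """Disjoint blocks of equal size whose union is the whole message."""
    block_len = len(bits) // n_blocks
    blocks = [[] for _ in range(n_blocks)]
    for pos, bit in enumerate(bits):
        blocks[perm[pos] // block_len].append(bit)
    return blocks

def block_of(perm, pos, n_blocks):
    """Index of the block that message bit position `pos` is assigned to."""
    return perm[pos] // (len(perm) // n_blocks)

def block_mac(key: bytes, block_bits):
    return hmac.new(key, bytes(block_bits), hashlib.sha256).digest()

def ntmac(message: bytes, key: bytes):
    """NTMAC = concatenation of the punctured block MACs (subMAC 1 || ... || subMAC n)."""
    bits = to_bits(message)
    blocks = split_blocks(bits, key_permutation(key, len(bits)), N_BLOCKS)
    return b"".join(block_mac(key, b)[:SUB_LEN] for b in blocks)

def ntmac_verify(message: bytes, key: bytes, tag: bytes):
    """Returns the indices of the blocks whose subMAC does not match, i.e. the
    receiver's localisation of modified blocks; an empty list means accepted.
    A modified block escapes only if its full MAC collides or the MACs differ
    solely in the punctured bytes (the false acceptance case of [Bon06])."""
    bits = to_bits(message)
    blocks = split_blocks(bits, key_permutation(key, len(bits)), N_BLOCKS)
    bad = []
    for j, block in enumerate(blocks):
        expected = tag[j * SUB_LEN:(j + 1) * SUB_LEN]
        if not hmac.compare_digest(block_mac(key, block)[:SUB_LEN], expected):
            bad.append(j)
    return bad

def demo():
    """Constructed 64-byte message with two bit errors; returns the localisation
    result for the intact and the damaged message plus the expected block set."""
    key = b"constructed-ntmac-key"
    message = bytes(range(64))                   # 512 bits -> 8 blocks of 64 bits
    tag = ntmac(message, key)
    damaged = bytearray(message)
    damaged[3] ^= 0x01                           # flips bit position 31
    damaged[40] ^= 0x80                          # flips bit position 320
    perm = key_permutation(key, 512)
    expected = sorted({block_of(perm, 31, N_BLOCKS), block_of(perm, 320, N_BLOCKS)})
    return ntmac_verify(message, key, tag), ntmac_verify(bytes(damaged), key, tag), expected
```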
3.3 Authentication over Noisy Channels
The focus of this book is the successful verification of messages whose authenticity is provided using cryptographic checksums, if these are corrected after a noisy transmission. The same topic appears in the publication “Authentication over noisy channels” [Laetalt09], in which an information theoretic approach is followed. Authentication is provided, however, not via verification of cryptographic checksums but using very large codeword books, which are generated by the sender and may be known publicly. A subset is assigned to every possible key, and in turn a set of codewords is assigned to every possible message of a subset. The requirements on the sizes and sub-sizes of the dictionary follow from the requirement of creating a wiretap channel whose perfect secrecy capacity is greater than 0. For any message M, a codeword is selected using the key K from the subset assigned to the message M, and then sent. The receiver gets a codeword modified by the transmission noise and searches the entire codeword book for that codeword or a similar one. Once it has found it, the receiver checks whether it is part of the subset assigned to the key K. If this is the case, the message is authentic. It is assumed in this algorithm that the channel is noisy and an attacker will in no case receive the sent codeword. The security aspects, i.e. the probability of success of attacks, as well as various attacker models are considered for this scheme in [Laetalt09]. The basic and advanced literature on the topic of information theoretic authentication techniques can be found in [Laetalt09]. They are however not connected to the verification of cryptographic checksums using reliability values of channel coding, which will be investigated in the following chapters.
4 Soft Input Hard Verification

4.1 Correction by Iterative Bit Inversion
The algorithm described in this chapter was published under the name “Soft Input Decryption (SID)” [RuZi06][Ziv08]. After the refinement and improvement of this algorithm, this name no longer differentiates it adequately. For this reason, the algorithm is now called “Soft Input Hard Verification”, in order to distinguish it from the later “Soft Input Soft Verification” algorithm (from Chap. 6 onwards). According to this nomenclature, the standard verification of Message Authentication Codes (see Chap. 2.2.1 and Fig. 2-6) corresponds to a “Hard Input Hard Verification”. Soft Input Hard Verification works iteratively and uses the soft output values of a SISO channel decoder as input. Sender and receiver use cryptographic mechanisms for generating and verifying cryptographic checksums, e.g. digital signatures [ISO/IEC 9796] [ISO/IEC 14888] or Message Authentication Codes [ISO/IEC 9797-1,-2,-3]. These mechanisms were explained in Chap. 2.2. The input of the verification is a block which contains the message and its cryptographic checksum (corresponding to a systematic outer code, see Chap. 2.3.4). This block will be called the soft input block in the following. The SISO channel decoder supplies each bit of a soft input block with a reliability value, which is referred to as a soft value or L-value (see Chap. 2.3.3). The algorithm of Soft Input Hard Verification functions as follows [RuZi06] (see Fig. 4-1): At first, it is checked as usual whether the cryptographic checksum is correct. The result is YES (RIGHT) or NO (WRONG). If the result of the verification is YES, the message is accepted as correct and authentic and forwarded to the source decoder, i.e. the application process. If the source decoder expects soft values, it receives the highest (maximal) |L|-values, since the source decoder can rely on the values of the bits.
If the result of the verification is NO, this means that the received message with the cryptographic checksum was modified during the transmission. Assuming that the modification was caused by the noisy transmission and could not be corrected by the SISO channel decoder, the bits of the message and the checksum that are most likely erroneous are now inverted. The L-values, which the SISO channel decoder has forwarded to the verification process, are used for this purpose. A set of bits that are most probably erroneous is inverted in the soft input block [Cha72], and this modified block is verified again. Should the verification again yield the result NO, another set of bits, which are most probably erroneous, is inverted. These iterations are performed until the result of the verification is YES, or the algorithm is ended.
Figure 4-1: Algorithm of Soft Input Hard Verification (figure not reproduced; flow: CHANNEL → DEMODULATOR → SISO CHANNEL DECODER → L(M′), L(CCV′) → Soft Input Hard Verification with M′′ = M′, CCV′′ = CCV′; check CCV′′ = CCF(M′′): YES → MESSAGE SUCCESSFULLY VERIFIED → SOURCE DECODER; NO → MAX NUMBER OF ITERATIONS imax EXCEEDED? YES → MESSAGE UNSUCCESSFULLY VERIFIED; NO → INVERSION OF BITS OF M′ AND CCV′ using L(M′), L(CCV′), then verify again)
The algorithm presented in Fig. 4-1 can also be applied if digital signatures based on asymmetric cryptographic algorithms are used for the generation of the cryptographic checksum CCV (see Chap. 2.2.5). In this case, the verification step of Fig. 4-1:

Figure 4-2: Verification step of Fig. 4-1 (figure not reproduced; M′′, CCV′′ → CCV′′ = CCF(M′′)? → YES / NO)

is replaced by:

Figure 4-3: Verification step of Fig. 4-1 for digital signatures (figure not reproduced; M′′, CCV′′ → Signature correct? → YES / NO)
Therefore, the iterative Soft Input Hard Verification algorithm is also suitable for digitally signed messages. There are different strategies for the selection of the bit groups of the soft input block that are inverted in every iteration. The inversion strategy determines whether and how fast the correct message can be found. Examples of possible inversion strategies are [Ziv08]:

Static Strategy
The reliability values are ordered in a list according to their absolute values, from the minimum to the maximum value. The inversion sequence follows a binary counter with a start value of 1, which is incremented per iteration. The LSB (Least Significant Bit) on the right corresponds to the bit with the lowest |L|-value, the bit next to the LSB corresponds to the bit with the next lowest |L|-value, etc. The positions of the bits in the incremented binary counter that have the value “1” correspond to the positions of the bits that are to be inverted. The number k of the lowest |L|-values to be taken into account determines the number of bits of the binary counter and the maximum number of inverted bits. Therefore, the maximum number of verifications is imax = 2^k.

Dynamic Strategy
The dynamic strategy calculates the minimum reliability value for bit groups, in order to find the next bit group that has to be inverted. It can occur that a bit group has a smaller reliability value than the reliability value of the bits that would be selected according to the static strategy. The wrong bit group can be found more rapidly using this strategy. The calculation of the reliability values of bit groups proceeds using the rules of L-algebra [Hag94].
Error Rate based Strategy
The error rate based strategy takes into account the error probabilities behind the SISO channel decoder. The strategy begins with the inversion of as many bits with the lowest |L|-values as are most likely wrong. Error rate based and dynamic strategies can be combined. Further research is still needed in order to find the optimal strategy. The optimal strategy depends on the error behaviour of the channel including the channel coding/decoding. In this and all other chapters the static strategy is used. The results of simulations of Soft Input Hard Verification are presented in Fig. 4-4. The following simulation parameters apply:
– Length of the soft input block: 320 bit (the separation into a message and a checksum plays no role in the execution of the algorithm; however, it does in the security considerations (Chap. 4.2))
– MAC, H_MAC, a signature with appendix or a signature giving message recovery can be used as CCF
– Convolutional encoder 1/2 (see Chap. 2.3.2, Fig. 2-12)
– Turbo encoder 1/3 (see Chap. 2.3.2, Fig. 2-14) with 2 RSC encoders 1/2 (see Chap. 2.3.2, Fig. 2-13)
– BPSK modulation with soft decision
– AWGN channel
– MAP decoding algorithm for convolutional and turbo decoding (see Chap. 2.3.2, Fig. 2-15)
– 50,000 simulations per point on the curve
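The iterative correction of Chap. 4.1 with the static strategy, applied to a 320-bit soft input block as in the simulation parameters above, as an added example (not the book's code): the HMAC-based check function, the shared key, the message, the error positions and the stand-in that plays the role of the SISO decoder's L-values are constructed assumptions.

```python
import hashlib
import hmac
import random

# Added example, not the book's code: Soft Input Hard Verification with the static
# inversion strategy [Ziv08]. Key, message and the SISO-decoder stand-in are constructed.

KEY = b"constructed-shared-mac-key"   # shared between sender and receiver
MAC_LEN = 8                           # 64-bit CCV, so that 256-bit message + CCV = 320 bit

def ccf(message: bytes) -> bytes:
    """Cryptographic check function: HMAC-SHA256 truncated to MAC_LEN bytes (a MAC)."""
    return hmac.new(KEY, message, hashlib.sha256).digest()[:MAC_LEN]

def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def hard_verify(block_bits, msg_len_bits):
    """Hard verification of a soft input block: split into M'' and CCV'', check CCV'' = CCF(M'')."""
    msg = from_bits(block_bits[:msg_len_bits])
    ccv = from_bits(block_bits[msg_len_bits:])
    return hmac.compare_digest(ccf(msg), ccv)

def soft_input_hard_verification(hard_bits, l_values, msg_len_bits, k):
    """
    Static strategy: order positions by |L| ascending and keep the k least reliable.
    A binary counter runs from 1 to 2^k - 1; a set bit j of the counter means
    "invert the j-th least reliable position" (LSB = lowest |L|). Every candidate
    is hard-verified; at most i_max = 2^k verifications are performed.
    Returns (verified, block_bits, number_of_verifications).
    """
    if hard_verify(hard_bits, msg_len_bits):
        return True, list(hard_bits), 1
    least_reliable = sorted(range(len(l_values)), key=lambda i: abs(l_values[i]))[:k]
    verifications = 1
    for counter in range(1, 1 << k):
        candidate = list(hard_bits)
        for j in range(k):
            if (counter >> j) & 1:
                candidate[least_reliable[j]] ^= 1
        verifications += 1
        if hard_verify(candidate, msg_len_bits):
            return True, candidate, verifications
    return False, list(hard_bits), verifications   # i_max exceeded: unsuccessfully verified

def siso_stand_in(bits, error_positions, rng):
    """Constructed stand-in for a SISO channel decoder's output: bits at
    error_positions are delivered wrongly with a small |L| (the decoder was unsure
    there), all other bits correctly with a large |L|. Sign convention: L > 0 for
    '0', L < 0 for '1'."""
    received, l_values = list(bits), []
    for i in range(len(bits)):
        if i in error_positions:
            received[i] ^= 1
            magnitude = rng.uniform(0.1, 1.0)
        else:
            magnitude = rng.uniform(3.0, 12.0)
        l_values.append(magnitude if received[i] == 0 else -magnitude)
    return received, l_values

def demo(seed=7):
    """One 320-bit soft input block with three residual channel errors, k = 8 (i_max = 2^8).
    Returns (hard verification result, SIHV result, message recovered?, verifications)."""
    rng = random.Random(seed)
    message = b"soft input block demo 32 bytes!!"          # constructed 32-byte message
    block = to_bits(message + ccf(message))                  # M || CCV, 320 bits
    received, l_values = siso_stand_in(block, {5, 77, 301}, rng)   # constructed error positions
    hard_ok = hard_verify(received, 256)                     # Hard Input Hard Verification
    ok, corrected, n_ver = soft_input_hard_verification(received, l_values, 256, k=8)
    return hard_ok, ok, from_bits(corrected[:256]) == message, n_ver
```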
CCER (Cryptographic Check Error Rate) is defined [Ziv08] as the measure for the correction and verification capability:

$$\mathrm{CCER} = \frac{\text{Number of non-verified messages}}{\text{Number of received messages}} \qquad (4\text{-}1)$$
Fig. 4-4 shows that more messages can be successfully transmitted over the channel if Soft Input Hard Verification is used. In the case of convolutional codes, all messages can be successfully verified using Soft Input Hard Verification (imax = 2^16) if Eb/N0 ≥ 2.5 dB. The CCER at 1.75 dB was reduced from 1/30 to 0 (imax = 2^16) in the case of turbo codes. Note: Successful verification of “all” messages refers to the 50,000 simulations executed per Eb/N0.
Figure 4-4: Verification gain of Soft Input Hard Verification (figure not reproduced; CCER over Eb/N0 [dB]):
a) convolutional code with standard verification (Hard Input Hard Verification)
b) convolutional code with Soft Input Hard Verification with max. the 8 lowest |L|-values (imax = 2^8)
c) as b) with max. the 16 lowest |L|-values (imax = 2^16)
d) turbo code with standard verification (Hard Input Hard Verification)
e) as b) with turbo code instead of convolutional code (imax = 2^8)
f) as c) with turbo code instead of convolutional code (imax = 2^16)

4.2 Security Aspects of Soft Input Hard Verification
There are two possibilities that result in wrong decisions of the verification: forgery attacks during transmission, which cause a collision during the first verification, or random collisions due to the iterative correction process. Forgery attacks can be performed in two ways. The attacker collects (see Chap. 2.2.4)

$$K \approx 1.17 \cdot \sqrt{2^{n}} \qquad (4\text{-}2)$$

message/MAC pairs and finds an external collision with a probability of 0.5, which can be used for a provable selective forgery attack. The second option is that an attacker sends a message with a (random) checksum and hopes for a collision during verification. The probability that an attack of this kind is successful (“successful attack”) is:

$$P_{sa} = \frac{1}{2^n} \qquad (4\text{-}3)$$
In Soft Input Hard Verification up to imax verifications are completed whereby in each round a collision can occur. An attacker can even influence which bits of the message are going to be inverted by affecting the signal/noise ratio.
The probability of this collision is the probability of a successful forgery attack, but also the probability P_wd of a wrong decision. A wrong decision may happen when an erroneous message has been accepted as a correct one, without any manipulation of the message by an attacker. Therefore:

$$P_{wd} = P_{sa} \qquad (4\text{-}4)$$

The cases of the first verification (before the iterative correction process begins) and after the first verification (during the iterative correction process) have to be considered separately.

1st verification: A wrong decision or a collision can only occur if a message M was changed into a message M′ and CCF(M′) = CCV′. The probability that the message M′ is not the original message depends on the BER after the SISO decoding and is equal to 1 − (1 − BER)^m (m is the length of the message). Then, the probability of a wrong decision P_wd is:

$$P_{wd} = \left(1 - (1 - \mathrm{BER})^m\right) \cdot \frac{1}{2^n} \le \frac{1}{2^n} \qquad (4\text{-}5)$$

2nd and every following verification i (i = 2, 3, …, imax; iterations 1, 2, …, imax − 1): A wrong decision occurs if the message M′ was changed into a message M′′ by the bit inversions and CCF(M′′) = CCV′′. The probability of a wrong decision after imax − 1 iterations is:

$$P_{wd} = a \sum_{i=0}^{i_{max}-1} (1 - a)^i \qquad (4\text{-}6)$$

with:

$$a = \frac{1}{2^n} \qquad (4\text{-}7)$$

Thus the maximum collision probability after imax verifications, taking into account (4-5), is:

$$P_{wd} = 1 - (1 - a)^{i_{max}} \qquad (4\text{-}8)$$
The increased probability of a wrong decision for imax = 2^8 and imax = 2^16 is shown in Fig. 4-5 in comparison to the probability of a wrong decision using Hard Input Hard Verification (imax = 1), depending on the length of the cryptographic checksum. In the case of a cryptographic checksum of length 160 bits, the probability of a wrong decision per message increases after 2^8 iterations from 2^-160 to 2^-152, and after 2^16 iterations to 2^-144; in the case of a length of 192 bits of the cryptographic checksum, P_wd increases from 2^-192 to 2^-184 after 2^8 iterations, and to 2^-176 after 2^16 iterations. Equation (4-5) is a special case of the security analysis in Chap. 7. Other numerical examples are given in Chap. 7, and the risk of increased successful attacks and wrong decisions will be compensated by the extension of the length of the cryptographic checksum.
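Carrying (4-6) and (4-7) through to (4-8) and to the numbers just given, as an added worked derivation that is not part of the original text (the exponent k with imax = 2^k and the approximation step are introduced here): the geometric sum collapses to

$$P_{wd} = a \sum_{i=0}^{i_{max}-1} (1-a)^i = a \cdot \frac{1-(1-a)^{i_{max}}}{1-(1-a)} = 1-(1-a)^{i_{max}}, \qquad a = \frac{1}{2^n},$$

and since $i_{max} \cdot a \ll 1$ for every checksum length of interest, the binomial expansion gives

$$P_{wd} = 1-(1-a)^{i_{max}} = i_{max}\, a - \binom{i_{max}}{2} a^2 + \ldots \approx i_{max} \cdot 2^{-n} = 2^{k-n} \quad \text{for } i_{max} = 2^k,$$

so for $n = 160$ the values $2^{-160}$ ($k = 0$), $2^{-152}$ ($k = 8$) and $2^{-144}$ ($k = 16$) follow, and for $n = 192$ the values $2^{-192}$, $2^{-184}$ and $2^{-176}$, as read from Fig. 4-5.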
Figure 4-5: The probability of a wrong decision P_wd over the checksum length n (128 … 256 bit) using the standard verification (Hard Input Hard Verification) (imax = 1) and the Soft Input Hard Verification (imax = 2^8, 2^16) (figure not reproduced; P_wd plotted from 2^-250 to 2^-110)
4.3 Correction Improvement by Interleaving and Feedback
The Soft Input Hard Verification from Chap. 4.1 is expanded by a feedback to the input of the SISO channel decoder. Soft input blocks that could be successfully corrected are used for the correction of erroneous blocks. This algorithm is referred to as Soft Input Hard Verification using Feedback (in [RuZi08] called Feedback in Joint Channel Coding and Cryptography). This algorithm with feedback uses at least two soft input blocks, whereby every soft input block contains a message with a cryptographic checksum. Two messages M1 and M2 are selected as input, which concatenated form the message v, i.e. two (partial) messages M1 and M2 are formed out of a single message v.

– block a consists of message M1 of length m1 and the cryptographic checksum CCV1 of length n1:

$$a = a_1 a_2 \ldots a_{m_1+n_1} = m_{a1} m_{a2} \ldots m_{a m_1}\; n_{a1} n_{a2} \ldots n_{a n_1} \qquad (4\text{-}9)$$

– block b consists of message M2 of length m2 and the cryptographic checksum CCV2 of length n2:

$$b = b_1 b_2 \ldots b_{m_2+n_2} = m_{b1} m_{b2} \ldots m_{b m_2}\; n_{b1} n_{b2} \ldots n_{b n_2} \qquad (4\text{-}10)$$

Blocks a and b form the block u by interleaving (Fig. 4-6):

$$u = \begin{cases} a_1 b_1 a_2 b_2 \ldots a_{m_1+n_1} b_{m_2+n_2}, & \text{if } m_1+n_1 = m_2+n_2 \\[4pt] a_1 b_1 \ldots b_{\frac{m_2+n_2}{m_1+n_1}}\; a_2 \ldots a_{m_1+n_1}\, b_{(m_2+n_2)-\frac{m_2+n_2}{m_1+n_1}+1} \ldots b_{m_2+n_2}, & \text{if } m_1+n_1 < m_2+n_2 \end{cases} \qquad (4\text{-}11)$$
For simplification it is assumed that m2 + n2 is a multiple of m1 + n1.

Figure 4-6: Construction and channel coding of the block u (figure not reproduced; v = M1 || M2 → GENERATION OF CRYPTOGRAPHIC CHECKSUM → BLOCK a = M1 || CCV1, BLOCK b = M2 || CCV2 → INTERLEAVING → u → CHANNEL CODING)
The block u is sent over the noisy channel after channel coding and modulation (e.g. BPSK). It is assumed that the receiver knows how the block u has been formed. The algorithm on the receiver side is shown in Fig. 4-7 and functions as follows: The verification process receives the block u′ from the SISO channel decoder with the reliability values for each bit. It divides u′ into the soft input blocks a′ and b′. It attempts to correct the soft input block a′ according to the algorithm from Chap. 4.1. Should this be successful, reliability values L = ±∞ (e.g. L = +∞ for “0” and L = −∞ for “1”) are assigned to all bits of a′. The reliability values L = ±∞ of the bits of the corrected soft input block a′ are fed back to the input of the SISO channel decoder. A new round of SISO decoding follows. The verification of the soft input block b′ is performed after the second SISO channel decoding. For this reason, it is rational to specify the length of a as smaller than that of b. For the purposes of clarity, the error cases are not shown in Fig. 4-7: an unsuccessful correction of soft input block a′ terminates the algorithm, whereby the results from step 1 (BERcd1) are output. The algorithm is explained in detail in [RuZi08] and [Ziv08]. The scheme explained above is called sequential (Fig. 4-7) since the three steps are completed sequentially. The BERs, which are important for the results of the simulations, are shown after every step of the algorithm:
BERcd1 – BER after the first SISO channel decoding
BER1.SID – BER after the 1st Soft Input Hard Verification (in [RuZi06] called Soft Input Decryption, SID)
BERcd2 – BER after the second SISO channel decoding
BER2.SID – BER after the 2nd Soft Input Hard Verification
Figure 4-7: Sequential scheme of Soft Input Hard Verification with interleaving and feedback (figure not reproduced; 1st step: SISO CHANNEL DECODING (BERcd1), DEINTERLEAVING OF u′ into SOFT INPUT BLOCK a′ and SOFT INPUT BLOCK b′, SOFT INPUT HARD VERIFICATION OF a′ (BER1.SID); 2nd step: feedback with L(a′) = ±∞, L(b′) = 0, SISO CHANNEL DECODING (BERcd2); 3rd step: SOFT INPUT HARD VERIFICATION OF b′ (BER2.SID))
Simulation results of the scheme presented in Fig. 4-6 and Fig. 4-7 are shown in Fig. 4-8 [Ziv08]. The following parameters are applied: m1 + n1 = 320 and m2 + n2 = 320. In contrast to Chap. 4.1, the simulation results are stated as BER instead of CCER, since the correction of individual bits using the feedback (2nd step) is performed in the trellis, supported by already correctly decoded bits. For this reason, there is no reduction of the CCER after the 2nd step, but just a reduction of the BER. Nevertheless, there is a reduction of the CCER after the 1st and 3rd step (Soft Input Hard Verification), as already shown in Chap. 4.1 and Fig. 4-4. The BER, which is reduced in all three steps, is shown in order to make the influence of each step on the error rate visible. The significant coding gain can be recognised as a result of the feedback of the corrected bits (and L-values) after the second SISO channel decoding.
Figure 4-8: BER after each correction step of the sequential scheme (figure not reproduced; curves BERcd1, BER1.SID, BERcd2, BER2.SID over Eb/N0 [dB], with the coding gains between the steps annotated in dB)
The second algorithm of Soft Input Hard Verification with interleaving and feedback is a parallel scheme (Fig. 4-9) for the soft input blocks a′ and b′. If one of the blocks a′ and b′ can be corrected and verified, the L-values for the bits of this block are fed back to the SISO channel decoder, and the block not yet corrected is then corrected and verified. It is clear that the parallel scheme provides better results than the sequential scheme. The feedback is not required if both blocks can be corrected and verified in the first step, nor if none of the blocks can be corrected and verified in the first step. A detailed description of both algorithms can be found in [Ziv08] and [ZiRu10].
Figure 4-9: Parallel scheme of Soft Input Hard Verification with interleaving and feedback (1st step: SISO channel decoding of u′ with BERcd1, deinterleaving into soft input blocks a′ and b′, Soft Input Hard Verification of a′ and of b′ with BER1.SID; 2nd step: feedback of either L(a′) = ±∞ with L(b′) = 0 or L(b′) = ±∞ with L(a′) = 0 into the SISO channel decoding with BERcd2; 3rd step: Soft Input Hard Verification of the remaining block b′ or a′ with BER2.SID; output a, b)
4.3 Correction Improvement by Interleaving and Feedback
The error cases are not shown in Fig. 4-9 for the sake of clarity: an unsuccessful correction of both soft input block a′ and soft input block b′ terminates the algorithm, and the results of the 1st step are output. The scheme is called parallel (Fig. 4-9) because it is depicted as two parallel branches. The simulation results of the parallel scheme of Fig. 4-9 are presented in Fig. 4-10, with m1 + n1 = 320 = m2 + n2 and the same simulation parameters as for the sequential scheme. The large coding gain already appears after the first step, in which the attempt is made to correct both soft input blocks.
Figure 4-10: BER after each correction step of the parallel scheme (curves BERcd1, BER1.SID, BERcd2 and BER2.SID versus Eb/N0 in dB, 1 to 5 dB; annotated gains: 1.02 dB and 1.46 dB)
The comparison of the coding gains of the sequential and the parallel scheme in Fig. 4-11 shows, as expected, better results for the parallel scheme. The reason lies in the first correction step of the parallel scheme, in which both soft input blocks a′ and b′ are corrected at the same time and it suffices that one of them can be corrected. This increases the chance that the soft input block which could not be corrected in the 1st step is corrected in the 2nd step, using the feedback of the L-values of the corrected soft input block.
Figure 4-11: Coding gains of the sequential and parallel scheme (curves BERcd1, BER2.SID (parallel) and BER2.SID (sequential) versus Eb/N0 in dB, 1 to 5 dB; annotated gains: 0.76 dB, 0.23 dB, 0.82 dB and 0.82 dB)
4.4 Correction by Insertion of Known Bits
One variant of Soft Input Hard Verification with interleaving uses known soft input blocks as feedback [ZiTc08] [Zietalt10]; they are particularly well suited for feedback because the receiver already knows their bits and can enter them with infinite reliability. The known bits can be, for example, synchronisation information, length fields, address information or additional stuffed bits that are generated on both sides by the same scheme. The bits of the known block are interleaved with the bits of the block that is unknown to the receiver (see Chap. 4.3). The algorithm is as follows (Fig. 4-12 and 4-13): the block with the known bits does not need to be corrected. In the first step at the receiver side, infinite |L|-values are entered directly into the first SISO channel decoding for the bits of the known block, e.g. block a. In this way the probability of correction of the other block, block b, consisting of the message M and the CCV, is significantly increased. In the second step the soft input block with the message M and the CCV is corrected according to the algorithm of Chap. 4.1.
Figure 4-12: Construction and channel coding of block u by insertion of known bits (the known bits V form block a; the message M and its cryptographic checksum CCV, generated from M, form block b = M || CCV; a and b are interleaved into u, which is then channel coded)
Figure 4-13: Algorithm with feedback of known bits (1st step: SISO channel decoding of u′ with BERcd, deinterleaving into the known soft input block a′ and soft input block b′; 2nd step: Soft Input Hard Verification of b′ with BERSID)
Obviously the insertion of additional (known) bits lowers the effective code rate. Since the code rate is then no longer that of the channel encoder, the original code rate should be restored by puncturing: the puncturing is performed after the channel coding and the depuncturing before the channel decoding. Note: the code rate also decreases by insertion of the cryptographic checksum CCV (see Chap. 4.1 and 4.3). That reduction, however, is conditioned on the cryptographic checksum being required for security reasons and was therefore not taken into account. In the algorithm presented in this chapter, on the other hand, the code rate decreases by the insertion of known bits purely for the improvement of the decoding. For this reason the reduction of the code rate has to be considered here, if the known bits are not punctured.
The simulation results are shown in Fig. 4-14 for the case that the length of block a is 160 bits and that of block b 480 bits (160 bits CCV and 320 bits of message). "0" bits are inserted as known bits (the simplest choice). The MAP algorithm is used as SISO decoding algorithm, as in the simulations of the previous chapters; the other simulation parameters are the same as in Chap. 4.1. 160 bits are punctured, since 160 bits were inserted; the puncturing removes every fourth bit.
Figure 4-14: Coding gain of the algorithm for correction by insertion of known bits with puncturing (curves BERcd and BERSID versus Eb/N0 in dB, 1 to 5 dB; annotated gains: 0.79 dB and 0.63 dB)
If systematic codes are used, the systematic bits of the coded inserted known bits do not need to be transmitted. For that reason the code rate is reduced less by the insertion of known bits [Xu05] than in the case of non-systematic codes. The known bits are re-inserted at the correct positions at the input of the channel decoder.
5 Applications of Soft Input Bit Inversion
5.1 Correction of Reed-Solomon Decoding Errors
A frequently used concatenated code is examined in this chapter, in which a convolutional code is used as the inner code and a Reed-Solomon code as the outer code. In spite of this error correction, miscorrections by the Reed-Solomon decoder may happen on very noisy channels. For that reason an additional outer code, a Cyclic Redundancy Check (CRC), is added in [ReZi10]. The CRC occupies exactly one symbol of the message, i.e. the message itself is one symbol shorter than the Reed-Solomon code allows. If GF(2^4) is used, a CRC-4 is inserted, for GF(2^6) a CRC-6 and for GF(2^8) a CRC-8. The lengths of the message and of the CRC are expressed in symbols, corresponding to the Reed-Solomon code. The sequence of the coding is shown in Fig. 5-1.
Figure 5-1: Coding of the message (MESSAGE, CRC → u = MESSAGE, CRC → RS coding → v = MESSAGE, CRC, RS PARITY → convolutional coding)
On the receiver side (Fig. 5-2), a SISO convolutional decoder is used, which supplies an L-value for each bit. A hard-decision or soft-decision Reed-Solomon decoder follows, which decodes the message together with the CRC. Then the CRC of the decoded message is recalculated. If the CRC supplied by the Reed-Solomon decoder does not agree with the recalculated CRC, a false correction by the Reed-Solomon decoder has happened, known as a miscorrection. In this case, the bits with the lowest |L|-values are inverted following the bit inversion strategy (see Chap. 4.1) until the CRCs agree. A short CRC suffices to identify a miscorrection of the Reed-Solomon decoder; the code rate is reduced by exactly one input symbol.
Figure 5-2: Decoding and correction of the message (SISO channel decoder → v′ = MESSAGE′, CRC′, RS PARITY with L(v′) → RS decoder → u′ = MESSAGE′′, CRC′′; CRC′′′ = CRC(MESSAGE′′); if CRC′′ = CRC′′′ the message is successfully corrected, otherwise bits of v′ are inverted and decoded again until the maximum number of iterations i_max is exceeded, in which case the message is unsuccessfully corrected)
The results of the simulations are shown in Fig. 5-3 for the SER (Symbol Error Rate):

$$\mathrm{SER} = \frac{\text{Number of incorrect symbols}}{\text{Number of transmitted symbols}} \qquad (5\text{-}1)$$

The convolutional encoder from Fig. 2-12 (Chap. 2.3.2) and the same MAP decoder as in Chap. 4 are used. The simulation parameters are:

– 10 message symbols and 1 CRC symbol over GF(2^4) for RS(15,11). The code rate (without the convolutional code) is

$$R = \frac{k-1}{n} = \frac{10}{15} = \frac{2}{3} \qquad (5\text{-}2)$$

– for comparison, an RS(12,8) was simulated, which has the same code rate of 2/3 and the same Hamming distance of 5
– the 8, 12 and 16 lowest |L|-values are used for the bit inversion, i.e. up to 2^8, 2^12 and 2^16 bit inversion iterations
– 50,000 simulations for each Eb/N0

The results of the simulations show a coding gain of up to 0.3 dB at a maximum of 2^8 iterations, up to 0.6 dB at a maximum of 2^12 iterations and up to 0.8 dB at a maximum of 2^16 iterations.
Figure 5-3: Symbol Error Rate at the same code rate for: a) RS(12,8) without iterations b) RS(15,11) with iterations with max. 8 lowest |L|-values c) RS(15,11) with iterations with max. 12 lowest |L|-values d) RS(15,11) with iterations with max. 16 lowest |L|-values
Figure 5-4: Symbol Error Rate at the same code rate for: a) RS(56,48) without iterations b) RS(63,55) with iterations with max. 8 lowest |L|-values c) RS(63,55) with iterations with max. 12 lowest |L|-values d) RS(63,55) with iterations with max. 16 lowest |L|-values
Next, GF(2^6) and an RS(63,55) with a CRC-6 are selected, and for comparison an RS(56,48); both have a code rate of 6/7 and a Hamming distance of 9. The results of the simulations are shown in Fig. 5-4. The same simulation parameters apply as before. The results now show a coding gain of up to 0.45 dB with up to 2^8 iterations, up to 0.5 dB at a maximum of 2^12 iterations and up to 0.75 dB at a maximum of 2^16 iterations. Finally, an RS code over GF(2^8) is selected: RS(255,223) with a CRC-8 as the last symbol, and RS(240,208) for comparison. Both have a Hamming distance of 33 and nearly the same code rate (222/255 ≈ 0.871 for RS(255,223) with the CRC symbol and 208/240 = 13/15 ≈ 0.867 for RS(240,208)). The results of the simulations with the same simulation parameters as before are shown in Fig. 5-5.
Figure 5-5: Symbol Error Rate with the same code rate for: a) RS(240,208) without iterations b) RS(255,223) with iterations with max. 8 lowest |L|-values c) RS(255,223) with iterations with max. 12 lowest |L|-values d) RS(255,223) with iterations with max. 16 lowest |L|-values
The simulation results show a coding gain of up to 0.2 dB at a maximum of 2^8 iterations, up to 0.3 dB at a maximum of 2^12 iterations and up to 0.4 dB at a maximum of 2^16 iterations of the bit inversions. With a Hamming distance of 33 and GF(2^8), the correction capability of the RS code is extraordinarily high and the codewords are very long, so that it is very difficult to correct a codeword by iterative bit inversion if the RS code could not correct it. Further analyses and tests are required in order to determine for which code parameters the cooperation of CRC-secured RS codes and iterative soft input based bit inversion is most effective.
5.2 HARQ IBF Algorithm
Today, many modern wireless network protocols (WiMAX, UMTS etc.) use HARQ (Hybrid Automatic Repeat Request). The Type II HARQ algorithm [Wic91] is an improved variant of Type I. In Type I, ED (Error Detection) and FEC (Forward Error Correction) bits are added to every message. In Type II (Incremental Redundancy (IR) mode), the ED bits and only part of the FEC bits are sent with the first transmission; a retransmission then adds further FEC bits instead of repeating the complete packet. In this way Type II saves transmission capacity, since sending the full set of FEC bits with every packet would double the transmitted volume or increase it several times. The Type II HARQ algorithm is used in the framework of WiMAX (Worldwide Interoperability for Microwave Access) [IEEE Standard 802.16-2004]. There, a CRC with an ARQ procedure is used as the outer code and a turbo code as the inner code. If the CRC is incorrect, the erroneous packet is requested again. In order to reduce the number of retransmissions in the case of an incorrect CRC, the bit inversion strategy based on the L-values of the turbo decoder was introduced (see Fig. 5-6 for the coding and Fig. 5-7 for the decoding and correction of the message). In [ReZi11-1] the HARQ Iterative Bit Flipping (HARQ IBF) algorithm was presented, and it was shown that the bit inversion strategy based on the available L-values avoids the retransmission of a significant number of blocks.
Figure 5-6: Coding of the message (MESSAGE, CRC → u = MESSAGE, CRC → turbo channel coding)
Figure 5-7: Decoding and correction of the message (turbo channel decoder → u′ = MESSAGE′, CRC′ with L(u′); initially MESSAGE′′ = MESSAGE′ and CRC′′ = CRC′; if CRC′′ = CRC(MESSAGE′′) the message is successfully corrected and an acknowledgment is sent, otherwise bits of u′ are inverted until the maximum number of iterations i_max is exceeded, in which case the message is unsuccessfully corrected and no acknowledgment is sent)
The simulation results are shown in Fig. 5-8, which expresses the coding gain of the suggested algorithm compared to the standard Type II Hybrid ARQ algorithm. In this example, a message length of 118 bytes and a CRC-16 were used. The turbo code from Fig. 2-14 (Chap. 2.3.2) and the same turbo decoder as in Chap. 2.3.2 (Fig. 2-15) using the MAP algorithm are applied.
Figure 5-8: Bit Error Rate a) Type II HARQ without bit inversion b) HARQ IBF with max. 8 lowest |L|-values c) HARQ IBF with max. 12 lowest |L|-values d) HARQ IBF with max. 16 lowest |L|-values
The Packet Error Rate (PER) is shown in Fig. 5-9. A packet consists of the message with its CRC. Packets that are additionally corrected by bit inversion do not need to be retransmitted; the Packet Error Rate is therefore also the Packet Retransmission Rate, which is reduced accordingly.
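A worked receiver for the HARQ IBF idea of this section (hard decision, CRC check, then bit inversion over the least reliable positions until the CRC matches), written for this page as an added example and not taken from [ReZi11-1] or the thesis. It assumes L-values with the sign convention that a non-negative L decodes to 0, uses CRC-16/CCITT from Python's binascii in place of the CRC and turbo decoder of the thesis (the L-values are constructed by hand, not produced by a decoder), and tries inversion patterns with the fewest flips first, which is one possible reading of the bit inversion strategy of Chap. 4.1:

```python
"""HARQ IBF style receiver: hard decision, CRC-16 check, then iterative bit
inversion over the least reliable positions (lowest |L|) until the CRC matches.
Added example; CRC-16/CCITT from binascii stands in for the CRC of the thesis."""
import binascii
import itertools


def crc16_bits(bits):
    """CRC-16/CCITT (poly 0x1021, init 0xFFFF) over a bit list whose length is a
    multiple of 8; the 16 CRC bits are returned MSB first."""
    data = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
    crc = binascii.crc_hqx(data, 0xFFFF)
    return [(crc >> (15 - i)) & 1 for i in range(16)]


def hard_decision(llrs):
    """L = log P(bit=0)/P(bit=1): a non-negative L-value decodes to 0, a negative one to 1."""
    return [0 if l >= 0 else 1 for l in llrs]


def harq_ibf_receive(llrs, msg_len, k=8, i_max=None):
    """Decode message||CRC from L-values. Returns (status, message_bits, iterations).
    k: number of lowest-|L| positions eligible for inversion (up to 2^k - 1 patterns).
    i_max: optional cap on the number of inversion patterns tried."""
    u = hard_decision(llrs)
    limit = (1 << k) - 1 if i_max is None else i_max

    def crc_ok(word):
        return crc16_bits(word[:msg_len]) == word[msg_len:]

    if crc_ok(u):
        return "ACK", u[:msg_len], 0          # no inversion needed

    # Candidate positions: the k least reliable bits of message||CRC.
    cand = sorted(range(len(llrs)), key=lambda i: abs(llrs[i]))[:k]
    iterations = 0
    # Bit inversion strategy assumed here: all single inversions first,
    # then all pairs, and so on (fewest inversions first).
    for r in range(1, k + 1):
        for subset in itertools.combinations(cand, r):
            if iterations >= limit:
                return "NACK", u[:msg_len], iterations
            iterations += 1
            trial = u[:]
            for i in subset:
                trial[i] ^= 1
            if crc_ok(trial):
                return "ACK", trial[:msg_len], iterations
    return "NACK", u[:msg_len], iterations


def make_llrs(bits, weak, errors, reliable=6.0):
    """Constructed soft input (no real channel): every bit gets |L| = reliable
    except the positions in `weak` (position -> |L|); positions in `errors` are
    received with the wrong sign, i.e. their hard decision is in error."""
    out = []
    for i, b in enumerate(bits):
        mag = weak.get(i, reliable)
        sign = 1.0 if b == 0 else -1.0
        if i in errors:
            sign = -sign
        out.append(sign * mag)
    return out


# Constructed sample packet: 32 message bits plus CRC-16 (48 bits in total).
MSG = [int(c) for c in "10110010011100011110000101011100"]
PACKET = MSG + crc16_bits(MSG)
WEAK = {3: 0.2, 17: 0.5, 40: 0.9, 9: 1.1, 30: 1.4, 5: 2.0}


def demo_correctable():
    """Two errors (one in the message, one in the CRC), both among the weak
    positions: 8 single flips fail, the second pair (3, 40) restores the CRC."""
    return harq_ibf_receive(make_llrs(PACKET, WEAK, {3, 40}), len(MSG), k=8)


def demo_uncorrectable():
    """One error sits on a reliable bit (position 20) outside the candidate
    set, so every pattern fails and no acknowledgment would be sent."""
    return harq_ibf_receive(make_llrs(PACKET, WEAK, {3, 20}), len(MSG), k=2)


if __name__ == "__main__":
    print(demo_correctable())
    print(demo_uncorrectable())
```

Every inversion pattern is a fresh CRC check, so with a 16-bit CRC a wrong pattern passes with probability of about 2^-16 per trial; at i_max = 2^16 patterns a false acceptance becomes likely, which is the trade-off behind the choice of CRC length and iteration limit in Fig. 5-8. The loop structure is the same as in Chap. 5.1, where the inversion acts on v′ ahead of the RS decoder instead of directly on the message and CRC.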
Figure 5-9: Packet Error Rate a) Type II HARQ without bit inversion b) HARQ IBF with max. 8 lowest |L|-values c) HARQ IBF with max. 12 lowest |L|-values d) HARQ IBF with max. 16 lowest |L|-values
5.3 N-Channel STOP and WAIT Protocol of WiMAX
The Stop-and-Wait protocol is one of the simplest forms of ARQ [Taetalt08] and requires few overhead bits. The sender repeats a block until it is successfully received. A sequence number of the current and of the following block ensures the correct block sequence, and an ACK (Acknowledgement) confirms a correct block. Since the sender must wait for the acknowledgement of the transmitted block, channel capacity is wasted. A possible solution to this problem is transmission over N channels: N ARQ processes run in parallel, each channel receiving a time slot for transmission while the others wait for their ACK. In the case of a defective transmission over one channel, the other channels can continue to send without problems (Fig. 5-10) (see ITU-T X.25 Multi Link Procedure). The N-Channel Stop-and-Wait protocol was suggested for WiMAX in [ReZi11-2]. The packets are protected by a CRC. The idea in [ReZi11-2] is to protect the CRCs of the packets transmitted over the different channels using a Reed-Solomon checksum: N − 1 messages (parts) are transmitted over N − 1 channels, while the Reed-Solomon checksum over the CRCs of these N − 1 messages is transmitted over channel N. In this way the CRCs are corrected first by the Reed-Solomon decoder: the erroneous CRCs are corrected, and their positions can be identified using the error locator polynomial (see Chap. 2.3.1). In the next step, the erroneous packets are corrected by iterative bit inversion using the lowest reliability values delivered by the turbo decoder.
Figure 5-10: N-Channel Stop-and-Wait protocol (sender and receiver connected over channel 1, channel 2, ..., channel N and a feedback channel)
Fig. 5-11 shows how the RS checksum is calculated over the CRCs of the messages. In this example N = 8 and an RS(255,223) are used. A CRC-16 is calculated for every message transmitted over channels 1 to 7. The systematic part of the RS codeword (k symbols) does not need to be transmitted, only the RS checksum, since the receiver can calculate the systematic part itself from the data received over the other channels.
Figure 5-11: Calculation of the RS checksum (CRC1, CRC2, CRC3, ..., CRC N−1 are split into GF(2^p) symbols S1, S2, S3, ..., S_k = S_{2N−2}, which form the k systematic symbols of a shortened RS(2^p − 1, k) encoder; the k systematic symbols are not transmitted, only the parity symbols P1, ..., P_{n−k} on channel N)
The simulation results are shown for N = 8, RS(255,223) in Fig. 5-12 and 5-13.
Figure 5-12: Bit Error Rate for N-Channel Stop-and-Wait protocol for WiMAX a) without iterations b) with iterations with max. 8 lowest |L|-values c) with iterations with max.16 lowest |L|-values
Figure 5-13: Packet Error Rate for N-Channel Stop-and-Wait protocol for WiMAX a) without iterations b) with iterations with max. 8 lowest |L|-values c) with iterations with max.16 lowest |L|-values
5.4 Enhanced Packet Combining over HYBRID-ARQ
A new algorithm for Enhanced Packet Combining over Hybrid-ARQ (IEPC) was suggested in [Reetalt11-1]; it is based on the combination of Enhanced ARQ (EARQ) [Chetalt98] and the HARQ Iterative Bit Flipping decoding (HARQ IBF) [ReZi11-1] algorithm (see Chap. 5.2). In the case of the retransmission of packets, two or more copies of the packet are combined in order to recognise bit positions with an odd and with an even number of erroneous bits. The recognition of an odd number of erroneous bits is simple and is performed by the Enhanced ARQ (EARQ) algorithm using XOR operations. The recognised erroneous bits are then corrected by bit inversion based on the soft output. In contrast, the recognition of an even number of erroneous bits is not simple. A solution was proposed in [Bhu05], but it costs the transmission of additional control information. In [Reetalt11-1], the recognition of an even number of erroneous bits uses soft information based on the Log-Likelihood Ratio (LLR). The recognition of all erroneous bits is accomplished as follows:

– for an odd number of erroneous bits, these are recognised using the EARQ algorithm
– for an even number of erroneous bits, two sets of bits are formed: the bits with the lowest |L|-values after the first transmission form set L1; correspondingly, the bits with the lowest |L|-values after the retransmission form the second set L2. The soft output of the turbo channel decoder is used as the reliability value
– the intersection of L1 and L2 is formed
– the intersection contains the bits that are iteratively inverted until the packet is free of errors, which is checked by the existing CRC (see Chap. 5.2), or the maximum number of iterations is reached
The standard HARQ sender is used as the sender (see Fig. 5-6). The receiver largely corresponds to Fig. 5-7, except that the bits to be inverted are taken from the intersection L1 ∩ L2. The simulation results for two different packet lengths are shown in Fig. 5-14 and 5-15. As recommended for WiMAX, a turbo code was used (see Fig. 2-14), and the MAP decoder from Chap. 4 was applied. Two packet lengths were selected, and the behaviour was compared to other published algorithms: simple HARQ [Wic91], HARQ Incremental Redundancy (HARQ IR) [Man84], HARQ Chase Combining (HARQ CC) [Cha85], HARQ Iterative Bit Flipping Decoding (HARQ IBF) [ReZi11-1], EARQ [Chetalt98] and Packet Reverse Packet Combining (PRPC) [Bhu05].
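The candidate set formation of IEPC on two received copies, as an added example and not the code of [Reetalt11-1]. The two L-value vectors are constructed by hand so that one bit is wrong only in the first copy, one only in the retransmission and one in both; the rule of keeping the decision of the copy with the larger |L| at the XOR-flagged positions is an assumption (the text only says these bits are corrected by bit inversion based on the soft output), as is the size k of L1 and L2. The CRC-checked inversion loop that consumes the candidate set is the one of HARQ IBF (Chap. 5.2) and is not repeated here:

```python
"""IEPC packet combining on two copies of a packet (first transmission and
retransmission) with their L-values. Positions where the two hard decisions
differ hold an odd number of errors across the copies (EARQ XOR); positions
wrong in both copies are invisible to the XOR and are searched for in the
intersection of the least reliable sets L1 and L2. Added example."""


def hard_decision(llrs):
    """A non-negative L-value decodes to 0, a negative one to 1."""
    return [0 if l >= 0 else 1 for l in llrs]


def lowest_positions(llrs, k):
    """Indices of the k smallest |L|-values."""
    return sorted(range(len(llrs)), key=lambda i: abs(llrs[i]))[:k]


def iepc_combine(llr1, llr2, k):
    """Returns (combined_bits, odd_positions, even_candidates).
    combined_bits: per position the decision of copy 1, except where the copies
      disagree; there the decision of the copy with the larger |L| is kept
      (assumption, see lead-in).
    odd_positions: positions flagged by the XOR of the two hard decisions.
    even_candidates: L1 ∩ L2, the positions handed to the CRC-checked bit
      inversion loop of HARQ IBF."""
    if len(llr1) != len(llr2):
        raise ValueError("both copies must have the same length")
    h1, h2 = hard_decision(llr1), hard_decision(llr2)
    odd_positions = [i for i in range(len(h1)) if h1[i] != h2[i]]
    combined = h1[:]
    for i in odd_positions:
        combined[i] = h1[i] if abs(llr1[i]) >= abs(llr2[i]) else h2[i]
    l1 = set(lowest_positions(llr1, k))
    l2 = set(lowest_positions(llr2, k))
    even_candidates = sorted(l1 & l2)
    return combined, odd_positions, even_candidates


# Constructed 16-bit packet and two constructed copies (|L| = 6.0 for reliable
# bits, small |L| for unreliable ones; bit value 0 -> positive L, 1 -> negative L).
PACKET = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1]
# Copy 1: errors at positions 2 and 7 (both with small |L|).
LLR1 = [-6.0, 6.0, 0.4, -6.0, 6.0, 1.0, -6.0, -0.6, 6.0, -6.0, -6.0, -6.0, 1.2, 6.0, 6.0, -6.0]
# Copy 2: errors at positions 7 and 11; position 7 is therefore wrong in both copies.
LLR2 = [-6.0, 6.0, -6.0, -6.0, 6.0, 0.9, -6.0, -0.5, 6.0, -6.0, -6.0, 0.3, 6.0, 6.0, 1.1, -6.0]


def demo(k=3):
    """Combine the two constructed copies with |L1| = |L2| = k."""
    return iepc_combine(LLR1, LLR2, k)


def residual_errors(combined):
    """Positions where the combined packet still differs from the original."""
    return [i for i in range(len(PACKET)) if combined[i] != PACKET[i]]


if __name__ == "__main__":
    combined, odd, even = demo()
    print("odd-error positions (XOR):", odd)
    print("even-error candidates (L1 ∩ L2):", even)
    print("errors left for bit inversion:", residual_errors(combined))
```

With k = 3 the XOR settles positions 2 and 11, and the remaining error at position 7 is inside L1 ∩ L2 = {5, 7}; position 5 is a correct but unreliable bit, which is the usual price of the intersection and is resolved by the CRC check in the inversion loop. A position wrong in both copies with a large |L| in either copy escapes both mechanisms, which is why the figures of this section still show a residual BER.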
Figure 5-14: Bit Error Rate at a packet length of 112 bits (96 message bits, CRC-16) a) HARQ IR b) simple HARQ c) HARQ CC d) HARQ IBF e) PRPC f) EARQ g) IEPC with Iterations with max. 12 lowest |L|-values h) IEPC with Iterations with max. 16 lowest |L|-values
Figure 5-15: Bit Error Rate at a packet length of 1024 bits (1008 message bits, CRC-16) a) HARQ IR b) simple HARQ c) HARQ CC d) HARQ IBF e) PRPC f) EARQ g) IEPC with iterations with max. 12 lowest |L|-values h) IEPC with iterations with max. 16 lowest |L|-values
5.5 Error Correcting and Weighted Noise Tolerant Message Authentication Codes
Noise Tolerant Message Authentication Codes (NTMACs) were published in [Bon06], [LiBo05] and described in Chap. 3.2. They were designed to mitigate the problem of hard verification of Message Authentication Codes. The algorithm for generating NTMACs was presented in Fig. 3-2 in Chap. 3.2. In [Reetalt11-2], a simplified version with 4 blocks (n = 4) and only a single partition (m = 1) was considered, and an extension of the error recognition properties of NTMACs to Error Correcting NTMACs (EC-NTMACs) was proposed. Since NTMACs recognise errors inside blocks, this property is used in [Reetalt11-2] to verify and correct every erroneous block separately by bit inversion iterations. The algorithm from Chap. 4.1 was used, with the difference that no channel code was applied; instead, the L-values were supplied directly from the BPSK demodulation (y′ is the output value of the BPSK demodulator, σ² is the variance of the AWGN noise on the channel):

$$L = \frac{2}{\sigma^2}\, y' \qquad (5\text{-}3)$$
Generating an EC-NTMAC is identical to generating an NTMAC (see Fig. 3-2 in Chap. 3.2); the verification is extended by bit inversion iterations into a block error correction, whereby each block including its MAC corresponds to a soft input block of Fig. 4-1 in Chap. 4.1. In [Reetalt11-2] another variant of EC-NTMAC was proposed under the name Error Correcting Weighted NTMAC (EC-WNTMAC). This variant takes into account that blocks can be of varying importance, e.g. depending on the compression protocol used: a coefficient Wi (the weight of block i) is assigned to each block and determines how many iteration attempts are made to correct this block. For "more important" blocks, i.e. blocks with greater information content, more iteration attempts are performed than for less important blocks. Simulations are performed for EC-NTMAC and EC-WNTMAC with the following parameters:

– length of the message: 2048 bits
– length of the MAC: 512 bits
– the message with MAC is split into 4 blocks of equal length (512 message bits and 128 bits of CCV/MAC each)
– BPSK modulation
– AWGN channel
– the maximum number I_i of bit inversion iterations for block i in the case of EC-WNTMAC [Reetalt11-2] is calculated as

$$I_i = 2^{\beta W_i} \qquad (5\text{-}4)$$

with W_i = {1, 2, 1, 4}, i = 1, ..., 4, and β = 3. Consequently, the maximum number of iterations equals 2^3 for block 1, 2^6 for block 2, 2^3 for block 3 and 2^12 for block 4

– the maximum number of bit inversion iterations in the case of EC-NTMAC is identical for every block, since all blocks are of equal importance, and is calculated as 1/4 of the total maximum number of iterations of EC-WNTMAC. Thus the total maximum number of iterations is equal for EC-NTMAC and EC-WNTMAC:

$$I = \frac{2^3 + 2^6 + 2^3 + 2^{12}}{4} = 1044 \qquad (5\text{-}5)$$
The results of the simulations that express the coding gain are shown in Fig. 5-16. At a BER of 10^-5, a coding gain of 0.5 dB is achieved with EC-NTMAC compared to the case without bit inversion iterations. With EC-WNTMAC, an additional coding gain of 1.5 dB is achieved compared to EC-NTMAC. An extensive security analysis of EC-NTMAC and EC-WNTMAC can be found in [Reetalt11-2].
Figure 5-16: Bit Error Rate for message length of 2048 bits and MAC length of 512 bits: a) NTMAC b) EC-NTMAC c) EC-WNTMAC
6 Soft Verification of the Message Authentication Codes
6.1 Soft Verification versus Hard Verification
In the algorithms presented in Chap. 4 and 5, cryptographic checksums and cyclic checksums are only accepted as correct if their comparison with the recalculated checksums yields the result YES, i.e. a (binary) hard decision YES or NO is made. Here and in the following chapters, this hard decision is expanded into a soft decision, which enables the delivery of a soft output to the source decoder in the sense of joint source and channel coding, i.e. to the next higher layer of the ISO reference model. Algorithms are presented that accept the message as correct or authentic even if its received cryptographic checksum differs in a few bits from the recalculated cryptographic checksum. In this way the previous verification, which is based on the hard decision YES or NO, is modified so that the output of the cryptographic verification is no longer just YES or NO, but YES with a certain probability, or NO. In the case of a cryptographic checksum, this soft value expresses the trust in the accuracy and authenticity of the message and is therefore referred to as a trust value (trust output). The new type of verification is referred to as soft verification. The terminology is derived from line decoding and channel decoding, where the transition from hard decision with the output of bits to soft decision with the output of reliability values has also taken place (see Chap. 2.3.3). The logic that a cryptographic checksum or digital signature is accepted as long as it does not differ too much from a reference is comparable to the situation with handwritten signatures: although a handwritten signature turns out differently every time it is produced and differs from the reference signature, it is accepted as long as it does not differ too significantly from the reference.
6.2 Soft Input Soft Verification
In this and in the following chapters, messages are considered whose data integrity and authenticity is provided by MACs. The algorithm also works with other symmetric cryptographically generated checksums, but not with asymmetric cryptographic algorithms, since there the sender and receiver use different keys (see Chap. 2.2.5). The reasons are explained at the end of Chap. 6.2, after the algorithm has been shown in Fig. 6-3. The algorithm for soft verification [Ziv11] is based on the avalanche effect of cryptographic functions [Feetalt00] [HaTa95]: if only one bit of a message is changed, every output bit of the cryptographic checksum changes with a probability of 0.5, i.e. on average 50% of the bits of the cryptographic checksum change. The same applies of course to any other number of changed message bits, but then the avalanche effect is no longer quite so demonstrative. The probability P_d that exactly d bits of a checksum of length n change when the message M is changed equals

$$P_d = \binom{n}{d} \frac{1}{2^n}, \qquad 0 \le d \le n$$

(binomial distribution with p = 1/2). This probability is shown in Fig. 6-1 for various n. Fig. 6-2 shows the behaviour logarithmically, in order to illustrate the probability P_d for very small or very large d (0 ≤ d ≤ n).
Figure 6-1: Probability Pd depending on d for: a) n = 128, b) n = 160, c) n = 192, d) n = 224 (linear scale, Pd from 0 to 0.08, d from 0 to 180)
Figure 6-2: Logarithmic presentation of Pd depending on d for: a) n = 128, b) n = 160, c) n = 192, d) n = 224 (Pd from 1E+00 down to 1E-20, d from 0 to 200)
The number of bits changed in the message is of no importance (see Chap. 2.2.4). According to this, the probability that only a few bits of the cryptographic checksum change in the case of a changed message is very low. Therefore, if the cryptographic checksum calculated for the received message differs from the received checksum in only a few bits, and that number corresponds to the error probability of the transmission, it can be assumed with high probability that the message is correct and that the cryptographic checksum was modified during the noisy transmission. The Soft Input Soft Verification algorithm works like the Soft Input Hard Verification algorithm of Chap. 4 (the reliability values of the SISO channel decoder are used as input, and bits are inverted until the correct message is found), with two exceptions. Exception 1: hard verification accepts a message as correct if the checksum is correct (hard decision); soft verification accepts a message as correct if the recalculated cryptographic checksum differs from the received checksum in only a few bit positions: the Hamming distance HD(CCV′, CCV′′) between the received checksum CCV′ and the checksum CCV′′ recalculated from the received message must not exceed a threshold: HD(CCV′, CCV′′) ≤ dmax. Exception 2: the bit inversion is performed only on the message bits and not on the bits of the checksum. This increases the probability that the correct message is found within a given number of iterations. The algorithm of Soft Input Soft Verification is shown in Fig. 6-3.
Figure 6-3: Algorithm of Soft Input Soft Verification (channel → demodulator → SISO channel decoder delivering L(M′) and L(CCV′); the checksum CCV′′ = CCF(M′′) is recalculated for the current message candidate M′′; if HD(CCV′, CCV′′) ≤ dmax the message is successfully verified, otherwise bits of M′ are inverted according to L(M′) until the maximum number of iterations i_max is exceeded, in which case the message is unsuccessfully verified; in both cases a soft output is calculated and passed to the source decoder)
After receiving the message M′ and the cryptographic checksum CCV′, the following four cases are possible:
1) Message M′ is UNMODIFIED, checksum CCV′ is UNMODIFIED
2) Message M′ is MODIFIED, checksum CCV′ is MODIFIED
3) Message M′ is MODIFIED, checksum CCV′ is UNMODIFIED
4) Message M′ is UNMODIFIED, checksum CCV′ is MODIFIED
Case 1: In this case d = HD(CCV′, CCV′′) = 0.

Case 2: If both the message and the checksum are modified, the recalculated checksum differs with high probability in a large number of bits from the received checksum, plus or minus the number of checksum bits modified by transmission errors. These bits, modified in the checksum by transmission errors, do not change the statistics of d.

Case 3: If the message is received modified and the checksum unmodified, the recalculated checksum differs with high probability in a large number of bits from the received checksum (see Fig. 6-1).

Case 4: If the message is received unmodified and the checksum modified, the Hamming distance d = HD(CCV′, CCV′′) equals the number of modified bits in the checksum.

It can be concluded that the Hamming distance d = HD(CCV′, CCV′′) is equal to 0 or very small if the received message is correct, and approximately n/2 if the received message is not the original one (see Fig. 6-1). The probability and security considerations are discussed in the following chapters. Compared to hard verification, soft verification has the great advantage that the bit inversions are restricted to the message until a solution is found, whereas in hard verification the bits of both the message and the checksum must be corrected. This results in a higher correction rate and in an acceleration of the algorithm. In the module "INVERSION OF BITS OF M′" (see Fig. 6-3), a different combination of bits is inverted in each round; the combinations are selected by the bit inversion strategy (see Chap. 4.1) on the basis of the lowest |L|-values. A soft output is given at the end of the algorithm. If the algorithm concluded successfully, i.e. d = HD(CCV′, CCV′′) ≤ dmax, it outputs a soft value that is determined by d and the number of performed iterations. The calculation of this reliability value (soft value) will be presented in Chap. 8, after the security analysis is completed (Chap. 7). If no solution was found, the received message is output with the reliability value 0. This reliability value, which expresses the trustworthiness, refers to all bits of the message. Additionally, the reliability value received from the SISO channel decoder is forwarded for every bit. Thus the source decoder, i.e. the application, can decide how to proceed with the (un)trustworthy message.

Concerning the question whether the Soft Input Soft Verification algorithm is also suitable for digital signatures as cryptographic checksums, the necessary extension of the verification is considered (see Chap. 4.1, Fig. 4-3). If the received checksum is a digital signature, the hash value of the original message can be recovered using the sender's public key, provided the digital signature was not modified during the transmission. If the digital signature was modified, the hash value recovered from the signature will differ in approximately 50% of the bit positions and is therefore not suitable as a reference value for the verification. If digital signatures were used as cryptographic checksums and the received message were modified, the receiver would have to be able to generate a digital signature of the received message within the bit inversion algorithm. This is, however, not possible, since the receiver possesses only the sender's public key and not the sender's private key. In cases in which the digital signature was received without errors, the hash value can be used as a reference value in the verification algorithm (see Fig. 4-3). The probability that the digital signature was transmitted without errors can, for example, be calculated using Equation (2-6). This probability is, however, low, and therefore digital signatures are not considered further.
6.3
Calculation of the Threshold
6.3.1
Probability Distribution Function of the Hamming Distance
The threshold dmax is the decisive parameter of the soft verification algorithm. dmax determines which cryptographic checksums are accepted, how high the probability of error correction is, and how the security level is influenced. For determining the threshold dmax, it is necessary to take into account the Bit Error Rate of the input to the Soft Input Soft Verification algorithm. The error rate, error propagation and error distribution depend on the channel encoder and decoder. This behaviour cannot be described in general. In the following, it is assumed for the sake of the model that every bit of the output of the SISO channel decoder is random and independent of the other bits. The occurrence and distribution of bit and word errors can then be described using the bit error rate BER after the SISO channel decoder. The probability distribution pdf1(d) that d bits of the checksum CCV of length n are erroneous is the binomial distribution B(n, BER):
$\mathrm{pdf}_1(d) = \binom{n}{d}\,\mathrm{BER}^{\,d}\,(1-\mathrm{BER})^{\,n-d}, \quad 0 \le d \le n$    (6-1)
with the mean value n·BER and the variance σ² = n·BER·(1 − BER). Fig. 6-4 shows the probability distribution function pdf1(d) for different lengths of CCV in the case of BER = 0.01. Note: The term probability distribution function (pdf) is used for continuous values; it would be more accurate to use the term pmf (probability mass function), since the binomial distribution is discrete.
6 Soft Verification of the Message Authentication Codes
[Figure 6-4 (plot): pdf1 on the vertical axis (0.00 … 0.40) over d = 0 … 10 on the horizontal axis; four curves a), b), c), d)]
Figure 6-4: pdf1(d) at BER = 0.01 for: a) n = 128, b) n = 160, c) n = 192, d) n = 224
In Fig. 6-5, the probability distribution of d for n = 160 and different bit error rates is shown logarithmically in order to emphasize the behaviour even at large values of d.
[Figure 6-5 (plot): pdf1 on a logarithmic vertical axis (1E-15 … 1E+00) over d = 0 … 60; three curves a), b), c)]
Figure 6-5: pdf1(d) for n = 160 at: a) BER = 0.001, b) BER = 0.01, c) BER = 0.1
Note: Fig. 6-4 and 6-5 show binomial distributions as continuous functions, although they are discrete. The discrete values are interpolated. In the following, the probability is considered that the checksums of two different messages differ in d bits. The cryptographic checksum calculation behaves like an oracle that assigns a random value to each input value, i.e. the probability of each output bit is 1/2.
Assumption 1: a and b are bit sequences of length n: a1a2a3...an and b1b2b3...bn. Each bit ai and bi is independent of all other bits and takes the value 0 or 1 with the same probability:
$P(a_i = 0) = P(a_i = 1) = 0.5$    (6-2)
$P(b_i = 0) = P(b_i = 1) = 0.5$    (6-3)
Assumption 2: Let Y and N be subsets of the set S = {1, 2, ..., n}:
$Y = \{\, i \mid a_i \ne b_i,\ i \in S \,\}, \qquad N = \{\, i \mid a_i = b_i,\ i \in S \,\}$    (6-4)
If Y has D elements, then N has n − D elements, and the following applies:
$Y = S \setminus N$    (6-5)
Lemma 1: The Hamming distance between the bit sequences a and b is
$d = HD(a, b) = \sum_{i=1}^{n} a_i \oplus b_i$    (6-6)
and has the binomial probability distribution B(n, 0.5):
$\mathrm{pdf}_2(d) = \binom{n}{d}\,\frac{1}{2^{n}}, \quad 0 \le d \le n.$    (6-7)
Proof: The probability that d takes the specific value D is:
$P(d = D) = P\Big(\sum_{i=1}^{n} a_i \oplus b_i = D\Big) = \sum P(a_i \ne b_i,\ i \in Y)\cdot P(a_i = b_i,\ i \in N)$    (6-8)
whereby the sum runs over all pairs of subsets Y and N. The number of these independent sums is $\binom{n}{D}$. It is then:
$P(d = D) = \binom{n}{D}\,\big[P(a_i = 1, b_i = 0) + P(a_i = 0, b_i = 1)\big]^{D}\,\big[P(a_i = 1, b_i = 1) + P(a_i = 0, b_i = 0)\big]^{n-D}$
$\phantom{P(d = D)} = \binom{n}{D}\left(\tfrac{1}{2}\cdot\tfrac{1}{2} + \tfrac{1}{2}\cdot\tfrac{1}{2}\right)^{D}\left(\tfrac{1}{2}\cdot\tfrac{1}{2} + \tfrac{1}{2}\cdot\tfrac{1}{2}\right)^{n-D} = \binom{n}{D}\left(\tfrac{1}{2}\right)^{D}\left(\tfrac{1}{2}\right)^{n-D} = \binom{n}{D}\,\frac{1}{2^{n}}$    (6-9)
Simply expressed: pdf2(d) is the probability distribution function for the Hamming distance of the checksums of two different messages. Function pdf2(d) is shown in Fig. 6-1 and 6-2 for different parameters n (considered as probability Pd). The essential difference between the functions pdf1(d) and pdf2(d) is that in the case of pdf1(d) a bit of the checksum is disturbed only by the transmission, with the probability BER, which generally lies between 10^−1 and 10^−9; in the case of pdf2(d) each bit of the checksum is modified with a probability of 0.5, due to the modification of the message. The probability distribution function of d takes the value of pdf1(d) or pdf2(d), depending on whether the message has been received unmodified (correct) or modified (wrong):
$\mathrm{pdf}(d) = \begin{cases} \mathrm{pdf}_1(d), & \text{if the message is UNMODIFIED} \\ \mathrm{pdf}_2(d), & \text{if the message is MODIFIED} \end{cases}$    (6-10)
pdf(d) is shown in Fig. 6-6 in the case that n = m = 160 and BER = 0.01.
[Figure 6-6 (plot): pdf on the vertical axis (0 … 0.35) over d = 0 … 100; two separated regions]
Figure 6-6: Regions of d in the case of unmodified (left) and modified (right) messages for n = m = 160 and BER = 0.01
The two regions are clearly separated: The left one for the case of a message without errors and the right one for the case of a modified message. Fig. 6-6 shows that the probability distribution of d is very small for a very large range of values between these two regions (shown logarithmically in Fig. 6-7). This means that the threshold dmax will be in the area between the two regions.
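The separation of the two regions can be checked empirically. The following Python example is added here and is not part of the thesis: it uses HMAC-SHA1 as a stand-in for the keyed RIPEMD-160 checksum (an assumption; both give n = 160 bits), sends a constructed random message and its checksum through a binary symmetric channel with BER = 0.01 (seeded, so the experiment is reproducible), collects d = HD(CCV′, CCV′′) separately for unmodified and modified received messages, and counts the four verification outcomes of Chap. 6.3.2 for a chosen dmax. All function and variable names are the example's own.

```python
"""Empirical check of the two d-regions of Fig. 6-6 with a keyed checksum and a binary symmetric channel."""
import hashlib
import hmac
import random

# Assumption: HMAC-SHA1 stands in for the keyed RIPEMD-160 of the thesis; both produce n = 160 bits.
N_BITS = 160


def ccf(key: bytes, message: bytes) -> int:
    """Cryptographic check function CCF: the 160-bit MAC of `message`, as an integer."""
    return int.from_bytes(hmac.new(key, message, hashlib.sha1).digest(), "big")


def hamming_distance(a: int, b: int) -> int:
    """HD(a, b): number of bit positions in which two checksums differ, cf. Eq. (6-6)."""
    return bin(a ^ b).count("1")


def bsc(word: int, nbits: int, ber: float, rng: random.Random) -> int:
    """Binary symmetric channel: flip each of the nbits bits independently with probability ber."""
    for i in range(nbits):
        if rng.random() < ber:
            word ^= 1 << i
    return word


def soft_verify(d: int, dmax: int) -> bool:
    """Soft verification decision: accept when received and recalculated checksum differ in at most dmax bits."""
    return d <= dmax


def simulate_regions(m_bits: int = 160, ber: float = 0.01, runs: int = 2000, seed: int = 1):
    """Return the distances d = HD(CCV', CCV'') split by whether M' arrived unmodified or modified."""
    rng = random.Random(seed)                     # seeded: constructed, reproducible experiment
    key = bytes(rng.getrandbits(8) for _ in range(20))
    unmodified, modified = [], []
    for _ in range(runs):
        m = rng.getrandbits(m_bits)                                   # constructed message M
        ccv = ccf(key, m.to_bytes(m_bits // 8, "big"))                # CCV  = CCF(M)
        m_rx = bsc(m, m_bits, ber, rng)                               # M'   after the channel
        ccv_rx = bsc(ccv, N_BITS, ber, rng)                           # CCV' after the channel
        ccv_recalc = ccf(key, m_rx.to_bytes(m_bits // 8, "big"))      # CCV'' = CCF(M')
        d = hamming_distance(ccv_rx, ccv_recalc)
        (unmodified if m_rx == m else modified).append(d)
    return unmodified, modified


def decision_counts(dmax: int = 23, **kw):
    """Count the four verification cases 1)-4) of Chap. 6.3.2 for the simulated distances."""
    unmodified, modified = simulate_regions(**kw)
    return {
        "unmodified_accepted": sum(soft_verify(d, dmax) for d in unmodified),       # case 1
        "modified_rejected": sum(not soft_verify(d, dmax) for d in modified),       # case 2
        "modified_accepted": sum(soft_verify(d, dmax) for d in modified),           # case 3: wrong decision
        "unmodified_rejected": sum(not soft_verify(d, dmax) for d in unmodified),   # case 4: wrong decision
    }


if __name__ == "__main__":
    u, w = simulate_regions()
    print(f"unmodified: {len(u)} runs, d in [{min(u)}, {max(u)}]")
    print(f"modified:   {len(w)} runs, d in [{min(w)}, {max(w)}]")
    print(decision_counts())
```

For these parameters every unmodified message lands in the left region and every modified one in the right region, so a threshold of 23 bits produces no wrong decision in 2,000 runs. The probabilities of the two wrong decisions (Pd3 and Pd4 of Chap. 6.3.2) are far too small to be observed in a simulation of this size, which is why the thesis derives them from the binomial formulas instead of measuring them.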
[Figure 6-7 (plot): pdf on a logarithmic vertical axis (1E-22 … 1E+00) over d = 0 … 80; two separated regions]
Figure 6-7: Logarithmic presentation of regions of d in the case of unmodified (left) and modified (right) messages for n = m = 160 and BER = 0.01
In the following figures, the regions of the unmodified and modified received messages for different lengths of n and m are shown (n + m = 320) at constant BER = 0.01.
[Figure 6-8 (plot): pdf on the vertical axis (0 … 0.4) over d = 0 … 100; two separated regions]
Figure 6-8: Regions of d in the case of unmodified (left) and modified (right) messages for n = 128, m = 192 and BER = 0.01
[Figure 6-9 (plot): pdf on the vertical axis (0 … 0.3) over d = 0 … 120; two separated regions]
Figure 6-9: Regions of d in the case of unmodified (left) and modified (right) messages for n = 192, m = 128 and BER = 0.01
[Figure 6-10 (plot): pdf on the vertical axis (0 … 0.3) over d = 0 … 140; two separated regions]
Figure 6-10: Regions of d in the case of unmodified (left) and modified (right) messages for n = 224, m = 96 and BER = 0.01
In the following figures, the regions are shown for the unmodified and modified messages for different BER, whereby n and m are kept constant (n = m = 160).
[Figure 6-11 (plot): pdf on the vertical axis (0 … 0.9) over d = 0 … 100; two separated regions]
Figure 6-11: Regions of d in the case of unmodified (left) and modified (right) messages for n = m = 160 and BER = 0.001
[Figure 6-12 (plot): pdf on the vertical axis (0 … 0.12) over d = 0 … 100; two separated regions]
Figure 6-12: Regions of d in the case of unmodified (left) and modified (right) messages for n = m = 160 and BER = 0.1
6.3.2
Analysis of the Hamming Distance and the Threshold
The verification after the reception of a message (before the iterations are started) and the probability Pdi for the four different cases (i = 1, ..., 4) of verification are considered in this chapter:
1) Message M′ is unmodified and HD(CCV′, CCV′′) ≤ dmax – this event occurs with the probability Pd1.
2) Message M′ is modified and HD(CCV′, CCV′′) > dmax – this event occurs with the probability Pd2.
3) Message M′ is modified and HD(CCV′, CCV′′) ≤ dmax – this event occurs with the probability Pd3.
4) Message M′ is unmodified and HD(CCV′, CCV′′) > dmax – this event occurs with the probability Pd4.
Note: The same results are valid for the verifications during the iterations (M′′ instead of M′) [Ziv12].
The probability Pd1 that a message of length m is correct after the transmission and that at most dmax errors have occurred in the checksum is:
$P_{d1} = P_{RIGHT} \sum_{i=0}^{d_{max}} \binom{n}{i}\,\mathrm{BER}^{\,i}\,(1-\mathrm{BER})^{\,n-i}$    (6-11)
with:
$P_{RIGHT} = (1-\mathrm{BER})^{m}$    (6-12)
Therefore, the message is actually correct with this probability, even if the Hamming distance is 0 < HD(CCV′, CCV′′) ≤ dmax.
[Figure 6-13 (plot): Pd1 on the vertical axis (0 … 0.4) over dmax = 0 … 20; four curves a), b), c), d)]
Figure 6-13: Pd1 depending on dmax for BER = 0.01, n + m = 320 and a) n = 128, b) n = 160, c) n = 192, d) n = 224
[Figure 6-14 (plot): Pd1 on the vertical axis (0 … 0.9) over dmax = 0 … 10; three curves a), b), c)]
Figure 6-14: Pd1 depending on dmax for n = m = 160 and a) BER = 0.001, b) BER = 0.01, c) BER = 0.1
The probability that the received message of length m is erroneous (modified) and HD(CCV′, CCV′′) > dmax is:
$P_{d2} = P_{WRONG} \sum_{i=d_{max}+1}^{n} \binom{n}{i}\,\frac{1}{2^{n}}$    (6-13)
with:
$P_{WRONG} = 1 - (1-\mathrm{BER})^{m}$    (6-14)
This is the probability that the message is modified and the Hamming distance HD(CCV′, CCV′′) > dmax.
[Figure 6-15 (plot): Pd2 on the vertical axis (0 … 0.9) over dmax = 0 … 140; four curves a), b), c), d)]
Figure 6-15: Pd2 depending on dmax for BER = 0.01, n + m = 320 and a) n = 128, b) n = 160, c) n = 192, d) n = 224
[Figure 6-16 (plot): Pd2 on the vertical axis (0 … 1) over dmax = 0 … 100; three curves a), b), c)]
Figure 6-16: Pd2 depending on dmax for n = m = 160 and a) BER = 0.001, b) BER = 0.01, c) BER = 0.1
Cases 3 and 4 are still missing for the calculation and presentation of the total probability of d. The probability that the message is erroneous and that the received and recalculated checksums differ in at most dmax positions is:
$P_{d3} = P_{WRONG} \sum_{i=0}^{d_{max}} \binom{n}{i}\,\frac{1}{2^{n}}$    (6-15)
Pd3 is thus the probability that the algorithm does not detect a modified message, but identifies it as correct. Pd3 is shown in Fig. 6-17 and 6-18 for various checksum lengths and BERs.
[Figure 6-17 (plot): Pd3 on the vertical axis (0 … 0.9) over dmax = 40 … 220; four curves a), b), c), d)]
Figure 6-17: Pd3 depending on dmax for BER = 0.01, n + m = 320 and a) n = 128, b) n = 160, c) n = 192, d) n = 224
[Figure 6-18 (plot): Pd3 on the vertical axis (0 … 1) over dmax = 50 … 150; three curves a), b), c)]
Figure 6-18: Pd3 depending on dmax for n = m = 160 and a) BER = 0.001, b) BER = 0.01, c) BER = 0.1
The last case considers the probability that a message is error free and that more than dmax errors occurred in the checksum:
$P_{d4} = P_{RIGHT} \sum_{i=d_{max}+1}^{n} \binom{n}{i}\,\mathrm{BER}^{\,i}\,(1-\mathrm{BER})^{\,n-i}$    (6-16)
[Figure 6-19 (plot): Pd4 on the vertical axis (0 … 0.35) over dmax = 0 … 10; four curves a), b), c), d)]
Figure 6-19: Pd4 depending on dmax for BER = 0.01, n + m = 320 and a) n = 128, b) n = 160, c) n = 192, d) n = 224
[Figure 6-20 (plot): Pd4 on the vertical axis (0 … 0.18) over dmax = 0 … 7; three curves a), b), c)]
Figure 6-20: Pd4 depending on dmax for n = m = 160 and a) BER = 0.001, b) BER = 0.01, c) BER = 0.1
Pd4 is thus the probability that the received message is unmodified, but not recognised as unmodified, because of too many errors in the checksum due to the noise. The sum of all individual probabilities is equal to 1, since all four cases form a complete event:
$P_{d1} + P_{d2} + P_{d3} + P_{d4} = P_{RIGHT} \sum_{i=0}^{d_{max}} \binom{n}{i}\,\mathrm{BER}^{\,i}\,(1-\mathrm{BER})^{\,n-i} + P_{WRONG} \sum_{i=d_{max}+1}^{n} \binom{n}{i}\,\frac{1}{2^{n}} + P_{WRONG} \sum_{i=0}^{d_{max}} \binom{n}{i}\,\frac{1}{2^{n}} + P_{RIGHT} \sum_{i=d_{max}+1}^{n} \binom{n}{i}\,\mathrm{BER}^{\,i}\,(1-\mathrm{BER})^{\,n-i} = 1$    (6-17)
Consideration of Pd3 and Pd4 is important for the selection of the threshold dmax. If a high level of security is required, i.e. as few wrong decisions as possible, it may happen that correct messages are not accepted because of a heavily distorted checksum. In the contrary case of a lower security level, the probability increases that wrong messages will be classified as correct. The system user sets its strategy with the selection of dmax. The selection of system parameters will be discussed in Chap. 8. dmax can be selected according to different criteria (the impact on the security of the Message Authentication Codes will be discussed in Chap. 7):
Alternative 1: Determine the intersection of Pd3 and Pd4 and define dmax as:
$d_{max} = d \ \text{ with } \ P_{d3}(d) = P_{d4}(d)$    (6-18)
As Fig. 6-21 shows, the intersection of the two probability curves lies at dmax = 22.8, which means that the optimal dmax is 23 bits.
[Figure 6-21 (plot): Pd3 and Pd4 on a logarithmic vertical axis (1E-47 … 0.01) over dmax = 0 … 160; the curves intersect]
Figure 6-21: Intersection of probabilities of Pd3 and Pd4 for n = m = 160 and BER = 0.01
Alternative 2: Determine the minimum of Pd3 + Pd4 and define dmax as:
$d_{max} = \arg\min_{d}\,\big(P_{d3}(d) + P_{d4}(d)\big)$    (6-19)
As Equation (6-19) shows, another alternative is to select dmax as the minimum of the sum of both probabilities Pd3 and Pd4. Fig. 6-22 shows the sum function. The minimum is 23.1, which means that the optimal dmax in this case is again 23 bits.
[Figure 6-22 (plot): Pd3, Pd4 and Pd3 + Pd4 on a logarithmic vertical axis (1E-21 … 1E-19) over dmax = 20 … 25]
Figure 6-22: Pd3 + Pd4 for n = m = 160 and BER = 0.01
Alternative 3: Select an upper limit for Pd4 < 10^−k1 (for a selected k1) and calculate:
$d_{max\_low} = \max\{\, d \mid P_{d4} \le 10^{-k_1} \,\}$    (6-20)
whereby Pd4 is given in (6-16), and a lower limit for Pd3 < 10^−k2 (for a selected k2) and calculate:
$d_{max\_high} = \min\{\, d \mid P_{d3} \le 10^{-k_2} \,\}$    (6-21)
whereby Pd3 is given in (6-15), so that dmax can be selected as: dmax ∈ [dmax_low, dmax_high]. Note: k1 and k2 must be selected so that dmax_low < dmax_high.
For dmax = dmax_low, the condition Pd3 ≤ 10^−k2 remains fulfilled. Note: A revised method for the specification of dmax, which is based on the results of the security analysis, will be given in Chap. 7.4.
Meaning of dmax_low It is assumed that the system user knows the BER after the channel decoder and calculates the probability that 1, 2 … n bits of the checksum are erroneous, using Equation (2-6) for the word error probability. The upper limit is specified by k1 in Equation (6-20) determining how many “wrong bits” of the received checksum can be accepted. Meaning of dmax_high The selection of k2 specifies the lower limit of the number of different bits between CCV′ and CCV′′ above which the MAC will be viewed as wrong. In the case that the parameters of k1 = k2 = 6 are used for the specification of dmax_low and dmax_high in Fig. 6-6, it can be seen in Fig. 6-23, in what range dmax can be selected.
[Figure 6-23 (plot): pdf on a logarithmic vertical axis (1E-6 … 1E+0) over d = 0 … 80; the positions of dmax_low and dmax_high are marked]
Figure 6-23: dmax_low and dmax_high for BER = 0.01, n = m = 160 and k1 = k2 = 6
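The following Python example, added here and not taken from the thesis, implements Equations (6-11) to (6-17) with exact binomial coefficients and applies the three selection rules to the parameters of Fig. 6-21 to 6-23 (n = m = 160, BER = 0.01). For Alternative 3 the code uses the fact that Pd4 falls and Pd3 rises with d: dmax_low is taken as the first d at which Pd4 ≤ 10^−k1 and dmax_high as the last d at which Pd3 ≤ 10^−k2, which is the reading under which the interval [dmax_low, dmax_high] of Fig. 6-23 is non-empty. The function names are the example's own.

```python
"""Verification probabilities P_d1 .. P_d4 of Chap. 6.3.2 and the three rules for choosing dmax."""
from math import comb


def p_right(m: int, ber: float) -> float:
    """Eq. (6-12): all m message bits arrive intact."""
    return (1.0 - ber) ** m


def p_wrong(m: int, ber: float) -> float:
    """Eq. (6-14): at least one message bit is wrong."""
    return 1.0 - p_right(m, ber)


def pdf1_sum(n: int, ber: float, lo: int, hi: int) -> float:
    """Sum of the binomial B(n, BER) of Eq. (6-1) over lo <= d <= hi."""
    return sum(comb(n, d) * ber ** d * (1.0 - ber) ** (n - d) for d in range(lo, hi + 1))


def pdf2_sum(n: int, lo: int, hi: int) -> float:
    """Sum of the binomial B(n, 1/2) of Eq. (6-7) over lo <= d <= hi (exact integer sum, one division)."""
    return sum(comb(n, d) for d in range(lo, hi + 1)) / 2 ** n


def pd1(dmax: int, n: int, m: int, ber: float) -> float:
    """Eq. (6-11): message unmodified and checksum distance <= dmax (accepted, correct)."""
    return p_right(m, ber) * pdf1_sum(n, ber, 0, dmax)


def pd2(dmax: int, n: int, m: int, ber: float) -> float:
    """Eq. (6-13): message modified and checksum distance > dmax (rejected, correct)."""
    return p_wrong(m, ber) * pdf2_sum(n, dmax + 1, n)


def pd3(dmax: int, n: int, m: int, ber: float) -> float:
    """Eq. (6-15): message modified but accepted (wrong decision, security-relevant)."""
    return p_wrong(m, ber) * pdf2_sum(n, 0, dmax)


def pd4(dmax: int, n: int, m: int, ber: float) -> float:
    """Eq. (6-16): message unmodified but rejected (wrong decision, lost message)."""
    return p_right(m, ber) * pdf1_sum(n, ber, dmax + 1, n)


def total_probability(dmax: int, n: int, m: int, ber: float) -> float:
    """Eq. (6-17): the four cases form a complete event, so the sum must be 1."""
    return sum(p(dmax, n, m, ber) for p in (pd1, pd2, pd3, pd4))


def dmax_by_intersection(n: int, m: int, ber: float) -> int:
    """Alternative 1, Eq. (6-18): first integer d at which the rising Pd3 reaches the falling Pd4."""
    return next(d for d in range(n + 1) if pd3(d, n, m, ber) >= pd4(d, n, m, ber))


def dmax_by_min_sum(n: int, m: int, ber: float) -> int:
    """Alternative 2, Eq. (6-19): d minimising the total wrong-decision probability."""
    return min(range(n + 1), key=lambda d: pd3(d, n, m, ber) + pd4(d, n, m, ber))


def dmax_interval(n: int, m: int, ber: float, k1: int, k2: int) -> tuple:
    """Alternative 3, Eqs. (6-20)/(6-21) in the monotone reading described in the lead-in."""
    low = next(d for d in range(n + 1) if pd4(d, n, m, ber) <= 10.0 ** -k1)
    high = max(d for d in range(n + 1) if pd3(d, n, m, ber) <= 10.0 ** -k2)
    return low, high


if __name__ == "__main__":
    n, m, ber = 160, 160, 0.01
    print("Alternative 1:", dmax_by_intersection(n, m, ber))
    print("Alternative 2:", dmax_by_min_sum(n, m, ber))
    print("Alternative 3 (k1 = k2 = 6):", dmax_interval(n, m, ber, 6, 6))
    print("sum of P_d1..P_d4 at dmax = 23:", total_probability(23, n, m, ber))
```

Running it reproduces the threshold of 23 bits that the thesis reads off Fig. 6-21 and 6-22, and prints the interval of Fig. 6-23 for k1 = k2 = 6. Because Pd3 is the probability that a modified message is accepted, the code reports it separately from Pd4: the two wrong decisions have different consequences, and Chap. 7 treats Pd3 as the forgery risk.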
In the following, dmax_low is calculated for different Eb/N0. The BER values refer to the output of the channel decoder. The BER values are calculated by simulations using the following parameters:
– Length of the soft input block (the total length of M and CCV): 320 bits
– Convolutional encoder 1/2 (see Chap. 2.3.2, Fig. 2-12)
– BPSK modulation with soft decision
– AWGN channel
– MAP decoding algorithm
– 50,000 simulations for each BER value
The values of dmax_low for k1 = 4 according to Equation (6-20) are shown in Table 6-1 for various lengths of the message M and CCV. For Eb/N0 = 3 dB and n = 128 bits, for example, Table 6-1 shows that dmax_low should be ≤ 5, so that Pd4 is lower than 10^−4.
Table 6-1: dmax_low for various Eb/N0 and n (n + m = 320) and k1 = 4

Eb/N0 [dB]   BER       dmax_low (n=128)   dmax_low (n=160)   dmax_low (n=192)   dmax_low (n=224)
1            0.036     8                  10                 14                 16
1.5          0.0234    8                  10                 12                 14
2            0.0149    8                  9                  10                 11
2.5          0.00681   6                  7                  8                  8
3            0.00376   5                  6                  6                  7
3.5          0.00142   4                  4                  5                  5
4            0.00037   3                  3                  3                  3
4.5          0.00024   3                  3                  3                  3
5            0.00012   3                  3                  3                  3
Table 6-2 shows dmax_low at various Eb/N0 and for different k1, whereby the length of the message and the cryptographic checksum is 160 bits each.

Table 6-2: dmax_low for various k1 and Eb/N0 and n = m = 160

Eb/N0 [dB]   BER       k1=3   k1=4   k1=5   k1=6   k1=7   k1=8   k1=9   k1=10
1            0.036     9      10     13     16     18     20     21     23
1.5          0.0234    8      10     12     14     16     17     18     20
2            0.0149    7      9      11     12     13     15     16     17
2.5          0.00681   6      7      8      9      10     11     12     13
3            0.00376   5      6      7      8      9      9      10     11
3.5          0.00142   4      4      4      5      6      7      7      8
4            0.00037   3      3      4      4      5      5      6      6
4.5          0.00024   2      3      3      4      4      5      5      6
5            0.00012   2      3      3      4      4      4      5      5
(column entries are dmax_low for the given k1)
If Pd4 is supposed to be lower, k1 must be increased. This increases dmax_low as well. The values for dmax_high according to (6-21) in the case of k2 = 4 are presented in Table 6-3 for the same lengths of the message M and the cryptographic checksum CCV as in Table 6-1.

Table 6-3: dmax_high for various Eb/N0 and n (n + m = 320) and k2 = 4

Eb/N0 [dB]   BER       dmax_high (n=128)   dmax_high (n=160)   dmax_high (n=192)   dmax_high (n=224)
1            0.036     43                  57                  71                  82
1.5          0.0234    43                  57                  71                  82
2            0.0149    43                  57                  71                  82
2.5          0.00681   44                  58                  72                  83
3            0.00376   44                  58                  73                  84
3.5          0.00142   45                  60                  75                  86
4            0.00037   48                  63                  78                  89
4.5          0.00024   49                  64                  79                  91
5            0.00012   50                  65                  81                  93
The following Table 6-4 shows how dmax_high depends on k2 for the case that the length of the message and the cryptographic checksum is 160 bits each.

Table 6-4: dmax_high for various k2 and Eb/N0 and n = m = 160

Eb/N0 [dB]   BER       k2=3   k2=4   k2=5   k2=6   k2=7   k2=8   k2=9   k2=10
1            0.036     61     57     53     50     47     45     42     40
1.5          0.0234    61     57     53     50     47     45     42     40
2            0.0149    62     57     53     50     47     45     42     40
2.5          0.00681   62     58     54     51     48     45     43     41
3            0.00376   63     58     54     51     48     45     43     41
3.5          0.00142   65     60     56     52     49     46     44     42
4            0.00037   69     63     58     54     51     48     45     43
4.5          0.00024   71     64     59     55     51     48     46     43
5            0.00012   76     65     60     56     52     49     46     44
(column entries are dmax_high for the given k2)
Obviously, the value dmax_high decreases when k2 increases: with stricter security conditions, the limit of the Hamming distance must also decrease since fewer wrong checksums may be accepted. Tables from 6-1 to 6-4 show the large distance between dmax_low and dmax_high. It can be seen here that dmax influences the complexity and security of the process. For that reason, dmax = dmax_low is chosen in the following. A precise specification of dmax considering the security requirements will be given in Chap. 7.3.
6.3.3
Simulative Specification of the Threshold
The theoretical values of dmax_low and dmax_high that are shown in Tables 6-1 to 6-4 have been determined using probability formulas. In this chapter, they will be compared with values generated by simulations. The simulation parameters are the same as in Chap. 4.1, and the BER is gained in the same way as in Chap. 6.3.2 (Tables 6-1 to 6-4), whereby n = m = 160. The Soft Input Soft Verification algorithm (see Fig. 6-3) was modified for the simulations, so that the receiver knows the original message M with the correct checksum CCV. Thus, the receiver can decide whether the message may have been incorrectly positively verified, or whether the correct message was not recognised. The Hamming distance d = HD(CCV′, CCV′′) is calculated after every iteration of bit inversions (using the static strategy) and saved for later evaluation. The iterative process was continued until the corrected message was the same as the sent message or until the maximum number of 2^16 iterations was reached. For each simulation result (each point on the curve) 50,000 simulations were performed.
[Figure 6-24 (block diagram): DEMODULATOR → SISO CHANNEL DECODER → L(M′), L(CCV′) → Soft Input Soft Verification: CCV′′ = CCF(M′), d = HD(CCV′, CCV′′), test M′′ = M; YES: STORING OF d IN D1; NO: INVERSION OF BITS OF M′ on the basis of L(M′), CCV′′ = CCF(M′′), repeated until MAX NUMBER OF ITERATIONS i_max EXCEEDED, then STORING OF d IN D2 → SOURCE DECODER]
Figure 6-24: Simulations of Soft Input Soft Verification for the calculation of dmax_low and dmax_high
After each iteration and calculation of the Hamming distance, d is assigned to the set D1 (message unmodified (correct)) or to the set D2 (message modified (wrong)).
$D_1 = \{\, d \mid d = HD(CCV', CCV''),\ (M' = M \ \lor\ M'' = M) \,\}$    (6-22)
$D_2 = \{\, d \mid d = HD(CCV', CCV''),\ (M' \ne M \ \land\ M'' \ne M) \,\}$    (6-23)
The following values are selected as dmax_low and dmax_high:
$d_{max\_low}(i) = \max\{\, d \mid E_b/N_0 = i,\ d \in D_1 \,\}$    (6-24)
$d_{max\_high}(i) = \min\{\, d \mid E_b/N_0 = i,\ d \in D_2 \,\}$    (6-25)
for i = 1, …, 5 dB. dmax_low(i) is, for i dB, the greatest Hamming distance of the checksums that occurred after 50,000 runs, whereby the message was correct or was corrected. dmax_low thus corresponds to the maximum number of erroneous bits of the checksum, whereby the message is correct or corrected. dmax_high(i) is, for i dB, the lowest Hamming distance between the checksums of the original and modified message which occurred after 50,000 runs. Fig. 6-25 shows dmax_low and dmax_high at Eb/N0 = i, i = 1, …, 5 [dB].
[Figure 6-25 (plot): d on the vertical axis (0 … 70) over Eb/N0 = 1 … 5 [dB]; curve a) in the region marked CORRECT, curve b) in the region marked WRONG]
Figure 6-25: Simulation results for determination of a) dmax_low and b) dmax_high
The results of the simulations have shown that the Hamming distance d = HD(CCV′, CCV′′) after 50,000 runs was always greater than dmax_high if the message was incorrectly received or was not corrected, and was always lower than dmax_low if the message was correctly received or was corrected. The Hamming distance was never in the zone between dmax_high and dmax_low. These values are calculated in 50,000 runs each. If the number of simulations further increases, dmax_high and dmax_low will approach each other, meet and even overlap. Finally, the simulation results for dmax_low from Fig. 6-25 are compared with the results from Table 6-1 for m = n = 160. This comparison shows that the simulation results after 50,000 attempts match the equations of the probability theory very well (Chap. 6.3.2).
[Figure 6-26 (plot): d on the vertical axis (0 … 12) over Eb/N0 = 1 … 5 [dB]; curves a) and b) in the region marked CORRECT]
Figure 6-26: dmax_low for n = m = 160 a) after 50,000 simulations and b) from Table 6-1 for k1 = 4
[Figure 6-27 (plot): d on the vertical axis (57 … 63) over Eb/N0 = 1 … 5 [dB]; curves a) and b) in the region marked WRONG]
Figure 6-27: dmax_high for n = m = 160 a) after 50,000 simulations and b) from Table 6-3 for k2 = 4
Fig. 6-26 shows that the difference between the theoretical and simulated results is at most 1 bit and in Fig. 6-27 at most 2 bits.
6.4
Verification Gain
For the following simulation results, various lengths of the message and the checksum are used, whereby their total length equals 320 bits. The checksum is calculated using the hash function RIPEMD-160, initialised with a key K of length 160 bits. In each simulation, a new message is randomly generated. The same simulation parameters as in Chap. 6.3.3 are used, with the difference that the message and CCV are not known at the receiver. The simulated algorithm of Soft Input Soft Verification is shown in Fig. 6-3. 50,000 simulations were performed for every point on the curves presented in Fig. 6-28 to 6-31. The maximum number of bit inversions per simulation was 2^16, i.e. up to 16 bits with the lowest absolute reliability values were inverted.
[Figure 6-28 (plot): CCER on a logarithmic vertical axis (0.0001 … 1) over Eb/No = 1 … 5 [dB]; three curves a), b), c)]
Figure 6-28: Cryptographic Check Error Rate for m = 128, n = 192 and dmax = dk1 with k1 = 4 a) Hard Input Hard Verification b) Soft Input Hard Verification c) Soft Input Soft Verification
The simulation results in Fig. 6-28 show a coding gain of Soft Input Hard Verification of a maximum of 1.8 dB compared to Hard Input Hard Verification (see [Ziv08]) and a coding gain of Soft Input Soft Verification of a maximum of 2.5 dB compared to Hard Input Hard Verification. The additional coding gain of Soft Input Soft Verification of a maximum of 0.7 dB compared to Soft Input Hard Verification is a result of the fact that only bits of the message are inverted and not the bits of the CCV at the same maximum number of iterations. Additionally, the soft verification allows additional recognition of correct messages. The coding gain is the lowest at low Eb/N0, since the number of erroneous bits is too high for the limited maximum number of iterations. For this reason, only few messages can be corrected. The simulation results in Fig. 6-29 show the same coding gain for Soft Input Hard Verification compared to Hard Input Hard Verification, since the total length of the message and the cryptographic checksum remains unchanged (320 bit). The coding gain for Soft Input Soft Verification compared to Soft Input Hard Verification reaches up to 0.55 dB. This additional coding gain in Fig. 6-29 is admittedly smaller than in the previous case (Fig. 6-28), in which the message was shorter and could be better corrected by bit inversions.
[Figure 6-29 (plot): CCER on a logarithmic vertical axis (0.0001 … 1) over Eb/No = 1 … 5 [dB]; three curves a), b), c)]
Figure 6-29: Cryptographic Check Error Rate for m = 160, n = 160 and dmax = dk1 at k1 = 4 a) Hard Input Hard Verification b) Soft Input Hard Verification c) Soft Input Soft Verification
[Figure 6-30 (plot): CCER on a logarithmic vertical axis (0.0001 … 1) over Eb/No = 1 … 5 [dB]; three curves a), b), c)]
Figure 6-30: Cryptographic Check Error Rate for m = 192, n = 128 and dmax = dk1 at k1 = 4 a) Hard Input Hard Verification b) Soft Input Hard Verification c) Soft Input Soft Verification
The simulation results in Fig. 6-30 show once again the same coding gain of Soft Input Hard Verification compared to Hard Input Hard Verification as in the previous cases, as the total length of the message and of the CCVs remains unchanged (320 bits). The coding gain of Soft Input Soft Verification compared to Soft Input Hard Verification achieves a maximum of 0.5 dB. This additional coding gain shown in Fig. 6-30 is even smaller than in the previous cases (Fig. 6-28 and 6-29), because of the longer message in Fig. 6-30.
[Figure 6-31 (plot): CCER on a logarithmic vertical axis (0.0001 … 1) over Eb/No = 1 … 5 [dB]; three curves a), b), c)]
Figure 6-31: Cryptographic Check Error Rate for m = 224, n = 96 and dmax = dk1 at k1 = 4 a) Hard Input Hard Verification b) Soft Input Hard Verification c) Soft Input Soft Verification
The simulation results of Soft Input Hard Verification compared to Hard Input Hard Verification in Fig. 6-31 are also the same as in the previous cases. The coding gain of Soft Input Soft Verification compared to Soft Input Hard Verification is here only up to 0.4 dB, as the message has the greatest length.
7
Security Aspects of Soft Input Soft Verification
7.1
Forgery Attacks
7.1.1
Birthday Paradox for Near Collisions
Chap. 2.2.4 has shown that a security analysis of Message Authentication Codes must essentially take two facts into account:
1) The security of the algorithm for MAC calculation. If the MAC function is designed corresponding to Chap. 2.2.2 or Chap. 2.2.3, the equation
$\text{Security/Entropy} = \min(k,\ 2\cdot j)$    (7-1)
applies, whereby k is the key length and j is the length of the feedback variables. This security level is not changed by the Soft Input Soft Verification algorithm, since the MAC function remains unchanged.
2) Forgery Attacks. The second essential security aspect of MAC functions is the complexity of a forgery attack, which can generate a collision with a certain probability. This is described by the so-called Birthday Paradox: How many input values must be generated so that two input values result in the same output value with the probability p? In the case of a hard verification, in which both of the input values should result in the same output value of length n, the number of input values, i.e. messages, needed to generate a collision with a probability greater than 0.5 is (see Chap. 2.2.4):
$K \approx 1.17\cdot\sqrt{2^{n}} = 1.17\cdot 2^{n/2}$    (7-2)
K expresses the complexity of a forgery attack. In the Soft Input Soft Verification algorithm, however, near collisions can occur as well as collisions. A near collision occurs if the output values differ only in a few bits. The Soft Input Soft Verification algorithm accepts all messages whose transmitted and recalculated checksums differ in not more than dmax bits. Near collisions are therefore admitted in which the output values / checksums differ in 1, 2, 3, …, dmax bits. For this reason, the complexity of a forgery attack must be calculated taking near collisions into account. In the following, the characteristics of near collisions are investigated as asymptotic characteristics of the Birthday Paradox. The problem of a forgery attack can be formulated as follows:
For two sets L1 and L2, whose elements are distributed uniformly and independently over {0,1}^n, choose x1 ∈ L1 and x2 ∈ L2 so that the Hamming weight of x1 ⊕ x2 equals d, d ≤ n.
Definition 1: A pair of messages M and M′, whereby M ≠ M′, is called an ε-near collision if their checksums h(M) and h(M′) differ in at most ε bits [Pre93]:
$HD(h(M), h(M')) \le \varepsilon$    (7-3)
Definition 2: A pair of messages M and M′, whereby M ≠ M′, is called an ε-strict near collision if their checksums h(M) and h(M′) differ in exactly ε bits:
$HD(h(M), h(M')) = \varepsilon$    (7-4)
Lemma 1: In order to generate an ε-strict near collision with a probability P, K input values are needed, where:
$K \approx \sqrt{-2\ln(1-P)\cdot\frac{2^{n}}{\binom{n}{\varepsilon}}}$    (7-5)
In the case of P = 0.5 this results in:
$K \approx 1.17\sqrt{\frac{2^{n}}{\binom{n}{\varepsilon}}}$    (7-6)
This means that for max HD(h(M), h(M′)) = dmax:
$K \approx 1.17\,\frac{2^{n/2}}{\sqrt{\binom{n}{d_{max}}}}$    (7-7)
With Lemma 1 the number of messages in the case of ε-near collisions can be easily found:
Lemma 2: In the case of the Soft Input Soft Verification algorithm with a specified threshold dmax, the complexity of a forgery attack is:
$K \approx \sqrt{-2\ln(1-P)\cdot\frac{2^{n}}{\sum_{i=0}^{d_{max}}\binom{n}{i}}}$    (7-8)
In the case of P = 0.5:
$K \approx 1.17\,\frac{2^{n/2}}{\sqrt{\sum_{i=0}^{d_{max}}\binom{n}{i}}}$    (7-9)
Fig. 7-1 shows the reduction of the complexity of a (verifiable) forgery attack by allowing near collisions: in a Message Authentication Code of the length 160 bits, which normally requires a complexity of around 2^80 messages/MAC-pairs, only around 2^55 pairs are still needed with dmax = 10, so that a near collision with a probability greater than 0.5 occurs.
[Figure 7-1 (plot): complexity K on a logarithmic vertical axis (2^20 … 2^120) over dmax = 0 … 25; curves for n = 128, n = 160, n = 192 and n = 224]
Figure 7-1: Complexity K depending on dmax for n = 128, 160, 192 and 224
Table 7-1 contains data similar to that given in Fig. 7-1. dmax is chosen depending on Eb/N0 using the relation between Eb/N0, BER and dmax for k1 = 4, as presented in Chap. 6 (see Table 6-1).

Table 7-1: Reduction of the complexity of a forgery attack to K by Soft Input Soft Verification

Eb/N0 [dB]   BER       dmax (n=128)   K       dmax (n=160)   K       dmax (n=192)   K       dmax (n=224)   K
1            0.036     8              2^44    10             2^55    14             2^62    16             2^72
1.5          0.0234    8              2^44    10             2^55    12             2^65    14             2^76
2            0.0149    8              2^44    9              2^57    10             2^69    11             2^82
2.5          0.00681   6              2^48    7              2^61    8              2^74    8              2^89
3            0.00376   5              2^50    6              2^63    6              2^78    7              2^91
3.5          0.00142   4              2^53    4              2^68    5              2^81    5              2^96
4            0.00037   3              2^55    3              2^71    3              2^86    3              2^102
4.5          0.00024   3              2^55    3              2^71    3              2^86    3              2^102
5            0.00012   3              2^55    3              2^71    3              2^86    3              2^102
An attacker can also perform a forgery attack that he cannot verify: he sends a message with a (random) Message Authentication Code and hopes that a collision or a near collision occurs during the iterative verification process. It was already demonstrated how this probability of forgery increases by iterations in Chap. 4. It increases additionally because of near collisions. The probability of a successful forgery attack is identical to the risk of a wrong decision of the verification and correction process, which can occur in every received message protected by a Message Authentication Code. Since a positive verification can in fact be obtained with the probability of a wrong decision, an attacker could influence the message: Through targeted disturbances of the transmission, he can influence the L-values. The L-values in turn determine which bits of the message are inverted. The probability of a successful forgery attack will be calculated as the probability of a wrong decision in Chap. 7.2.
7.1.2 Compensation of the Reduced Complexity of a Forgery Attack
Should the original security level of Equation (7-2) be achieved, the length n of the Message Authentication Codes must be increased to n1. The complexity given by Equation (7-9), with n replaced by n1, must be greater than or equal to the complexity of Equation (7-2) with n. The new n1 and the selected dmax must satisfy the following, in order to reach at least the same complexity of a forgery attack as in the original “hard verification” (dmax = 0):

$$1.17 \cdot \frac{2^{n_1/2}}{\sqrt{\sum_{d=0}^{d_{max}} \binom{n_1}{d}}} \;\ge\; 1.17 \cdot 2^{n/2}$$ (7-10)

Therefore, for n1:

$$n_1 = n + n_{extra\ bits} = n + \log_2 \sum_{d=0}^{d_{max}} \binom{n_1}{d}$$ (7-11)

or:

$$n_1 - n = \log_2 \sum_{d=0}^{d_{max}} \binom{n_1}{d}$$ (7-12)
n1 is presented depending on dmax in Fig. 7-2. It can be seen that for dmax = 10, the length of the CCV must increase from 160 bits by 46 bits to around 206 bits, in order to provide the same forgery complexity for an attacker as 160 bits with hard verification.
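As an added worked example (my own code, not from the book), the following Python evaluates the forgery complexity K of Equation (7-9) and the compensated length n1 of inequality (7-10) in exact integer arithmetic. The constant 1.17 is the book's birthday-bound factor; the function names are my own. Because n1 appears on both sides of (7-11), the smallest n1 satisfying (7-10) is found by search rather than by a closed formula.

```python
# Added example: forgery complexity with near collisions (Equation (7-9)) and
# the compensated checksum length n1 (inequalities (7-10)/(7-12)).
# Function names are hypothetical; 1.17 is the book's birthday-bound constant.
import math


def near_collision_count(n: int, dmax: int) -> int:
    """Number of n-bit checksums within Hamming distance dmax of a given one:
    sum_{d=0}^{dmax} C(n, d), computed exactly (no float overflow for n ~ 224)."""
    return sum(math.comb(n, d) for d in range(dmax + 1))


def log2_forgery_complexity(n: int, dmax: int) -> float:
    """log2 of K = 1.17 * sqrt(2^n / sum C(n, d)): the birthday bound when any
    checksum within dmax bits is accepted. dmax = 0 gives the usual 1.17 * 2^(n/2)."""
    return math.log2(1.17) + (n - math.log2(near_collision_count(n, dmax))) / 2


def compensated_length_n1(n: int, dmax: int) -> int:
    """Smallest n1 >= n with 2^n1 / sum C(n1, d) >= 2^n, i.e. (7-10) squared:
    a near-collision forgery at length n1 costs at least as much as a
    hard-verification forgery at length n."""
    n1 = n
    while near_collision_count(n1, dmax) << n > 1 << n1:  # sum * 2^n > 2^n1 ?
        n1 += 1
    return n1


def extra_bits(n: int, dmax: int) -> int:
    """n_extra bits = n1 - n of Equation (7-12)."""
    return compensated_length_n1(n, dmax) - n


if __name__ == "__main__":
    # Same grid as Fig. 7-1 / Fig. 7-2: K and n1 for the four MAC lengths.
    for n in (128, 160, 192, 224):
        for dmax in (0, 3, 5, 10, 15, 20, 25):
            print(f"n={n:3d} dmax={dmax:2d} log2(K)={log2_forgery_complexity(n, dmax):6.1f} "
                  f"n1={compensated_length_n1(n, dmax)} (+{extra_bits(n, dmax)} bits)")
```

For n = 160 and dmax = 10 this gives log2(K) ≈ 54.7, i.e. the "around 2^55" of the text, and n1 = 216, the value listed for this case in Table 7-2.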
[Figure 7-2: plot of n1 (0 to 400) against dmax (0 to 25) for n = 128, 160, 192 and 224]
Figure 7-2: n1 depending on dmax for n = 128, 160, 192 and 224
Tables 6-1 and 6-2 of Chap. 6.3.2 are expanded by the columns “n1” in Tables 7-2, 7-3 and 7-4. Here dmax_low is used as dmax.

Table 7-2: New length n1 for dmax at various Eb/N0 and various n (n + m = 320)

Eb/N0 [dB]      1       1.5     2       2.5      3        3.5      4        4.5      5
BER             0.036   0.0234  0.0149  0.00681  0.00376  0.00142  0.00037  0.00024  0.00012
dmax (n=128)    8       8       8       6        5        4        3        3        3
n1              172     172     172     163      158      153      148      148      148
dmax (n=160)    10      10      9       7        6        4        3        3        3
n1              216     216     211     202      197      186      180      180      180
dmax (n=192)    14      12      10      8        6        5        3        3        3
n1              269     260     250     240      230      225      213      213      213
dmax (n=224)    16      14      11      8        7        5        3        3        3
n1              312     303     289     274      269      258      246      246      246
Table 7-3: New length n1 for dmax for k1 = 3, …, 6 at various Eb/N0 and n = m = 160

Eb/N0 [dB]      1       1.5     2       2.5      3        3.5      4        4.5      5
BER             0.036   0.0234  0.0149  0.00681  0.00376  0.00142  0.00037  0.00024  0.00012
dmax (k1=3)     9       8       7       6        5        4        3        2        2
n1              211     207     202     197      191      186      180      174      174
dmax (k1=4)     10      10      9       7        6        4        3        3        3
n1              216     216     211     202      197      186      180      180      180
dmax (k1=5)     13      12      11      8        7        4        4        3        3
n1              229     225     221     207      202      186      186      180      180
dmax (k1=6)     16      14      12      9        8        5        4        4        4
n1              242     234     225     211      207      191      186      186      186

Table 7-4: New lengths n1 for dmax for k1 = 7, …, 10 at various Eb/N0 and n = m = 160

Eb/N0 [dB]      1       1.5     2       2.5      3        3.5      4        4.5      5
BER             0.036   0.0234  0.0149  0.00681  0.00376  0.00142  0.00037  0.00024  0.00012
dmax (k1=7)     18      16      13      10       9        6        5        4        4
n1              251     242     229     216      211      197      191      186      186
dmax (k1=8)     20      17      15      11       9        7        5        5        4
n1              259     246     238     221      211      202      191      191      186
dmax (k1=9)     21      18      16      12       10       7        6        5        5
n1              263     251     242     225      216      202      197      191      191
dmax (k1=10)    23      20      17      13       11       8        6        6        5
n1              271     259     246     229      221      207      197      197      191

7.2 Wrong Decisions

7.2.1 Probability of a Wrong Decision
The probability that the message is erroneous and that the received and recalculated checksums differ in fewer than dmax positions was denoted Pd3 in Chap. 6.3.2. This is the probability of a wrong decision. A wrong decision can occur at the first verification and after each iteration of the Soft Input Soft Verification algorithm, and a wrong decision in one round leads to a wrong decision of the algorithm as a whole. Since the algorithm of Soft Input Soft Verification performs i ≤ imax iterations, the number of iterations must be taken into account in the calculation of the probability of wrong decisions, denoted Pwd. The iterations are performed in the order given by the reliability of the received bits (L-values), in order to find the correct message as quickly as possible, i.e. a message that is assumed to be the correct one. Therefore, the number of iterations should be minimised, not just because of the high computational complexity, but also in order to avoid unnecessarily increasing the probability of wrong decisions.
It must be assumed that an attacker can influence the S/N of the received signal and thus the L-values, e.g. through man-in-the-middle attacks or disturbances. In this way, an attacker can cause a large number of iterations to be performed, in each of which a wrong decision can be made. If a maximum of imax message/MAC-pairs are verified, the attacker can influence through the L-values which messages are chosen as candidates. This situation is a non-verifiable forgery attack. In the following, the increase of the probability of a wrong decision depending on the maximum number of iterations and the threshold value dmax is considered. The probability of a wrong decision of the algorithm should be considered for the “worst case”: that a solution was found in the last possible round and with the maximum allowed Hamming distance. The probability that the result of the verification of a modified message is YES equals $1/2^n$.

In the case of the standard verification, this comparison is performed exactly once. In soft verification, not only are several rounds performed, but a difference between the checksums of up to dmax bits is allowed. The first verification, which compares the received MAC with the recalculated MAC, and the verifications performed during the iterative correction process are considered separately (see Fig. 6-3). The goal of the following derivation is to estimate the maximum extension of the MAC that is needed to compensate the reduction of the security level caused by the iterative process.

1st verification: A wrong decision can only occur if the message M was changed to message M′ and d = HD(CCV′, CCV′′) ≤ dmax. The probability of a wrong decision equals (see Equation (4-5) for the case dmax = 0):

$$P_{wd} = \left(1 - (1 - BER)^m\right) \cdot \sum_{d=0}^{d_{max}} \frac{\binom{n}{d}}{2^n} \;\le\; \sum_{d=0}^{d_{max}} \frac{\binom{n}{d}}{2^n}$$ (7-13)

2nd and each following verification i (i = 2, …, imax, i.e. iterations 1, …, imax − 1): A wrong decision can occur if the message M′ was changed to message M′′ and d = HD(CCV′, CCV′′) ≤ dmax:

$$P_{wd} = \frac{1}{2^n} \sum_{d=0}^{d_{max}} \binom{n}{d}$$ (7-14)

After imax verifications, the probability of a wrong decision is, by adding Equations (7-13) and (7-14) over the rounds, given that no wrong decision occurred in the preceding (imax − 1) verifications:

$$P_{wd} \le a \cdot \sum_{i=0}^{i_{max}-1} (1 - a)^i$$ (7-15)

with:

$$a = \sum_{d=0}^{d_{max}} \frac{\binom{n}{d}}{2^n}$$ (7-16)

Summing the geometric series gives:

$$P_{wd} \le 1 - (1 - a)^{i_{max}}$$ (7-17)

Equation (4-8) in Chap. 4, which describes Soft Input Hard Verification, is therefore the special case of inequality (7-17) in which Equation (7-16) reduces to Equation (4-7) for dmax = 0. If the binomial expansion is applied in Equation (7-15) and the terms approaching 0 are neglected, the following approximation for Pwd, which is at the same time an upper bound (since 1 − (1 − a)^i ≤ i · a), is obtained:

$$P_{wd}(n, d_{max}, i_{max}) \le i_{max} \cdot a = i_{max} \sum_{d=0}^{d_{max}} \frac{\binom{n}{d}}{2^n}$$ (7-18)
In the following, the upper limit of Equation (7-18) is used for the calculation of the wrong decision probability and referred to as Pwd. Fig. 7-3 shows how the probability of a wrong decision, i.e. of a successful forgery attack, increases at imax = 2^8 depending on dmax. For example, for n = 160, Pwd increases from 2^-152 at dmax = 0 (note: through the iterations, the probability is no longer 2^-160, see Fig. 7-2) to 2^-101 at dmax = 10. Thus, through the iterative Soft Input Soft Verification algorithm, around 60 bits of entropy/security level are lost. Fig. 7-4 shows the results for imax = 2^16; here the entropy of the above example is reduced by as much as around 68 bits.
[Figure 7-3: plot of Pwd (logarithmic axis, 2^-220 to 2^-20) against dmax (0 to 25) for n = 128, 160, 192 and 224]
Figure 7-3: Increase of the probability of wrong decision at imax = 2^8
[Figure 7-4: plot of Pwd (logarithmic axis, 2^-220 to 2^-20) against dmax (0 to 25) for n = 128, 160, 192 and 224]
Figure 7-4: Increase of the probability of wrong decision at imax = 2^16
7.2.2 Compensation of the Increased Probability of Wrong Decision
Chap. 7.2.1 has shown that the probability of wrong decision is considerably higher when the soft verification algorithm is used. In that case, the following applies:

$$P_{wd} > \frac{1}{2^n}$$ (7-19)

In order to compensate the increased probability of wrong decision, the length n of the CCV should be increased to n2, so that the new probability of wrong decision is less than or equal to the probability of wrong decision of standard verification:

$$P_{wd} \le \frac{1}{2^n}$$ (7-20)

i.e.:

$$P_{wd}(n_2, d_{max}, i_{max}) \le \frac{1}{2^n}$$ (7-21)
n2 is given in Fig. 7-5 for imax = 2^8. It can be seen that, for example, in the case of n = 160 and dmax = 10 the length of the checksum must be increased for compensation to n2 = 224, i.e. even more than to n1 in the case of compensation of the complexity of a forgery attack (see Fig. 7-2). Fig. 7-6 shows the results for imax = 2^16. Here, n2 for n = 160 and dmax = 10 must be increased to as much as around 232 bits.
[Figure 7-5: plot of n2 (120 to 360) against dmax (0 to 25) for n = 128, 160, 192 and 224]
Figure 7-5: n2 depending on dmax at imax = 2^8 for n = 128, 160, 192 and 224
[Figure 7-6: plot of n2 (120 to 360) against dmax (0 to 25) for n = 128, 160, 192 and 224]
Figure 7-6: n2 depending on dmax at imax = 2^16 for n = 128, 160, 192 and 224
Tables 6-1 and 6-2 from Chap. 6.3.2 are expanded with the column “n2” to Tables 7-5, 7-6 and 7-7, whereby dmax_low is used as dmax.

Table 7-5: New lengths n2 at imax = 2^16 and for dmax for various Eb/N0, various n (n + m = 320) and k1 = 4

Eb/N0 [dB]      1       1.5     2       2.5      3        3.5      4        4.5      5
BER             0.036   0.0234  0.0149  0.00681  0.00376  0.00142  0.00037  0.00024  0.00012
dmax (n=128)    8       8       8       6        5        4        3        3        3
n2              189     189     189     179      174      169      163      163      163
dmax (n=160)    10      10      9       7        6        4        3        3        3
n2              232     232     227     217      212      202      196      196      196
dmax (n=192)    14      12      10      8        6        5        3        3        3
n2              285     276     266     256      246      240      228      228      228
dmax (n=224)    16      14      11      8        7        5        3        3        3
n2              329     319     305     290      284      273      261      261      261
Table 7-6: New lengths n2 at imax = 2^16 for dmax for various Eb/N0, n = m = 160 and k1 = 3, …, 6

Eb/N0 [dB]      1       1.5     2       2.5      3        3.5      4        4.5      5
BER             0.036   0.0234  0.0149  0.00681  0.00376  0.00142  0.00037  0.00024  0.00012
dmax (k1=3)     9       8       7       6        5        4        3        2        2
n2              227     222     217     212      207      202      196      190      190
dmax (k1=4)     10      10      9       7        6        4        3        3        3
n2              232     232     227     217      212      202      196      196      196
dmax (k1=5)     13      12      11      8        7        4        4        3        3
n2              246     241     237     222      217      202      202      196      196
dmax (k1=6)     16      14      12      9        8        5        4        4        4
n2              259     250     241     227      222      207      202      202      202

Table 7-7: New lengths n2 at imax = 2^16 for dmax for various Eb/N0, n = m = 160 and k1 = 7, …, 10

Eb/N0 [dB]      1       1.5     2       2.5      3        3.5      4        4.5      5
BER             0.036   0.0234  0.0149  0.00681  0.00376  0.00142  0.00037  0.00024  0.00012
dmax (k1=7)     18      16      13      10       9        6        5        4        4
n2              267     259     246     232      227      212      207      202      202
dmax (k1=8)     20      17      15      11       9        7        5        5        4
n2              276     263     255     237      227      217      207      207      202
dmax (k1=9)     21      18      16      12       10       7        6        5        5
n2              280     267     259     241      232      217      212      207      207
dmax (k1=10)    23      20      17      13       11       8        6        6        5
n2              288     276     263     246      237      222      212      212      207

7.3 Total Compensation
The length of the cryptographic checksum must therefore be increased for two reasons:

1) Compensation of the reduced complexity of a forgery attack (Chap. 7.1) by expansion of n to n1:

$$\frac{2^{n_1/2}}{\sqrt{\sum_{d=0}^{d_{max}} \binom{n_1}{d}}} \;\ge\; 2^{n/2}$$ (7-22)

i.e.:

$$\sum_{d=0}^{d_{max}} \frac{\binom{n_1}{d}}{2^{n_1}} \;\le\; \frac{1}{2^n}$$ (7-23)

2) Compensation of the increased probability of a successful forgery attack, i.e. of a wrong decision, by expanding n to n2:

$$i_{max} \cdot \sum_{d=0}^{d_{max}} \frac{\binom{n_2}{d}}{2^{n_2}} \;\le\; \frac{1}{2^n}$$ (7-24)
Each number n2 that fulfils inequality (7-24) also fulfils inequality (7-23) if n1 is replaced by n2. For this reason the smallest number n2 that fulfils inequality (7-24) is selected for the total compensation. The results for n2 were shown in Chap. 7.2. Note: the new value of n does not need to be increased to n2 in every case; a value between n and n2 can also be selected. In this case, the complexity of a forgery attack and the probability of wrong decision can be calculated according to Equations (7-9) and (7-17). In the following Fig. 7-8 and 7-9, n1 and n2 are compared for various imax (compare Fig. 7-3 with Figures 7-5 and 7-6). The relationship between n1 and n2 can also be seen in inequality (7-24): the difference is the factor imax. Fig. 7-7 shows the case of imax = 1, where n1 = n2, as expected. Fig. 7-8 considers imax = 2^8; n1 and n2 run parallel at a short distance. Fig. 7-9 considers imax = 2^16; the distance between n1 and n2 is larger. Thus the influence of the maximum number of iterations on the magnitude of the compensation can be recognised. For imax = 1 the risk of a forgery attack based on the Birthday Paradox is equal to the risk of a wrong decision.
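As an added worked example (my own code, not the book's), the following Python evaluates the wrong-decision probability of Equations (7-16) to (7-18) and searches for the smallest n2 that fulfils inequality (7-24); with imax = 1 the same search yields n1 of inequality (7-23), which is the relationship the paragraph above describes. Function names are my own. For n = 160, dmax = 10 and imax = 2^16 the search lands within a bit or two of the 232 in Table 7-5; exact agreement depends on how the bound is rounded.

```python
# Added example: probability of a wrong decision (Equations (7-16)-(7-18)) and
# the compensated checksum length n2 of inequality (7-24). Function names are
# hypothetical; the formulas are the book's.
import math


def near_collision_count(n: int, dmax: int) -> int:
    """sum_{d=0}^{dmax} C(n, d): the checksums accepted as 'almost correct'."""
    return sum(math.comb(n, d) for d in range(dmax + 1))


def wrong_decision_prob(n: int, dmax: int, imax: int) -> float:
    """Pwd = 1 - (1 - a)^imax of (7-17) with a from (7-16). log1p/expm1 keep
    a ~ 2^-160 from vanishing against 1.0 in double precision."""
    a = near_collision_count(n, dmax) / 2 ** n
    return -math.expm1(imax * math.log1p(-a))


def log2_wrong_decision_bound(n: int, dmax: int, imax: int) -> float:
    """log2 of the upper bound imax * a of (7-18). For n = 160 and imax = 2^8
    this is -152 at dmax = 0 and about -101 at dmax = 10 (Fig. 7-3)."""
    return math.log2(imax) + math.log2(near_collision_count(n, dmax)) - n


def compensated_length_n2(n: int, dmax: int, imax: int) -> int:
    """Smallest n2 >= n with imax * sum C(n2, d) / 2^n2 <= 1 / 2^n (7-24), i.e.
    the bound of (7-18) at length n2 is no worse than the 2^-n of hard
    verification. With imax = 1 this is inequality (7-23), so n2 = n1."""
    n2 = n
    while (imax * near_collision_count(n2, dmax)) << n > 1 << n2:
        n2 += 1
    return n2


if __name__ == "__main__":
    # n1 (imax = 1) versus n2 for the two imax values of Fig. 7-8 and Fig. 7-9.
    for imax in (1, 2 ** 8, 2 ** 16):
        for n in (128, 160, 192, 224):
            row = " ".join(f"d={d}:{compensated_length_n2(n, d, imax)}"
                           for d in (0, 5, 10, 15, 20, 25))
            print(f"imax=2^{int(math.log2(imax)):2d} n={n}  {row}")
```

The exact value of (7-17) and the bound of (7-18) agree to many digits whenever imax · a is small, which is the regime of interest; the bound is what the book tabulates.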
Figure 7-7: Comparison of n1 and n2 for imax = 1 and various n
Figure 7-8: Comparison of n1 and n2 for imax = 2^8 and various n
Figure 7-9: Comparison of n1 and n2 for imax = 2^16 and various n
The coding gain for Soft Input Soft Verification was shown in Chap. 6. There, however, the increased security risks were not taken into account. Therefore, in order to evaluate the results of Soft Input Soft Verification objectively, the coding gain should be considered for the case in which the security level is preserved, that is with a CCV of length n2. The following graphics show the Cryptographic Check Error Rate (CCER), i.e. the rate of Message Authentication Codes that are not successfully verified, for the cases of: SISO channel coding without additional correction mechanism, i.e. Hard Input Hard Verification according to the ISO standard (curve a)); Soft Input Hard Verification corresponding to Chap. 4.1 (curve b)); Soft Input Soft Verification corresponding to Chap. 6.4 (curve c)); and Soft Input Soft Verification with the security level compensated by the expansion of the CCV (curve d)). The same simulation parameters apply as in the previous chapters, and the curves a), b) and c) were taken from Chap. 6.4; only curve d) was additionally included. In calculating the values of curve d), it has been taken into account that for every Eb/N0 a different dmax applies, corresponding to Table 7-5. In the case of low Eb/N0, a large dmax is needed for the correction, and this results in turn in a large increase of the CCV length, which reduces the coding gain. The coding gain becomes larger as Eb/N0 increases. In spite of the reduction of the coding gain by the extension of the CCV, a considerable coding gain remains as a result of Soft Input Soft Verification. For all illustrations the following applies:
a) Hard Input Hard Verification
b) Soft Input Hard Verification
c) Soft Input Soft Verification
d) Soft Input Soft Verification with the compensation from Table 7-5
[Figure 7-10: plot of CCER (logarithmic axis, 0.0001 to 1) against Eb/N0 (1 to 5 dB) for curves a), b), c) and d)]
Figure 7-10: Cryptographic Check Error Rate for m = 128, n = 192 and dmax = dk1 for k1 = 4
[Figure 7-11: plot of CCER (logarithmic axis, 0.0001 to 1) against Eb/N0 (1 to 5 dB) for curves a), b), c) and d)]
Figure 7-11: Cryptographic Check Error Rate for m = 160, n = 160 and dmax = dk1 for k1 = 4
[Figure 7-12: plot of CCER (logarithmic axis, 0.0001 to 1) against Eb/N0 (1 to 5 dB) for curves a), b), c) and d)]
Figure 7-12: Cryptographic Check Error Rate for m = 192, n = 128 and dmax = dk1 for k1 = 4
[Figure 7-13: plot of CCER (logarithmic axis, 0.0001 to 1) against Eb/N0 (1 to 5 dB) for curves a), b), c) and d)]
Figure 7-13: Cryptographic Check Error Rate for m = 224, n = 106 and dmax = dk1 at k1 = 4
7.4 Selection of the Algorithmic Parameters
Precondition: It is assumed that the BER behind the channel decoder is known. This BER was obtained for various Eb/N0 by simulations in Chap. 6 (see Tables 6-1 to 6-4). Additionally, it can be specified how many iterations (imax − 1) should be invested in the correction of a message.

Objective: The system parameters dmax and n, the length of the cryptographic checksum, should be specified in such a way that:
a) The complexity K of a forgery attack does not exceed a specific value (see Chap. 7.1.1).
b) The probability of wrong decision and probability of a successful forgery attack Pwd does not exceed a specific value (see Chap. 7.2.1).
c) The probability that the message is correct and that more than dmax errors occur in the CCV due to noisy transmission is less than or equal to 10^-k1 (k1 is given). This is the probability Pd4 that the message is correct but is not recognised, because the checksum contains too many errors and therefore the result of the verification is negative (see Chap. 6.3.2).

Problem of the intuitive method for the selection of the system parameters:
Step 1: Determine dmax_low according to Equations (6-16) and (6-20).
Step 2: Select dmax := dmax_low.
Step 3: Due to the reduction of the protection against forgery and the increase of the probability of wrong decision, n is replaced by nnew, nnew ≤ max(n1, n2) = n2 (see Chap. 7.3).
Step 4: The length of the cryptographic checksum has been increased. The probability that more than dmax errors occur in the CCV according to Equations (6-16) and (6-20) is no longer less than or equal to 10^-k1. Go to Step 1 with n := nnew.
Obviously, this method is not successful but leads to an endless loop.

Method for the selection of the system parameters: The new method follows the principle of nested intervals. dmax is chosen in such a way that objective c) is fulfilled for a given n. In the next step a value nnew is selected which satisfies objectives a) and b) and “over-satisfies” objective c). The method then reduces nnew gradually, whereby objectives a) and b) remain satisfied and objective c) is approached from above step by step. If objective c) is underrun, the parameters nnew and dmax of the previous round are chosen, as they satisfy all objectives.

Description of the method for the selection of system parameters:
Default: i = 2
Step 1: Set knew = i · k1 and determine dmax using Equations (6-16) and (6-20):

$$P_{d4} = P_{RIGHT} \cdot \sum_{i=d_{max}+1}^{n} \binom{n}{i} BER^{i} (1 - BER)^{n-i} \;\le\; 10^{-k_{new}}$$ (7-25)

The upper bound of the probability Pd4 that a correct message is not recognised is drastically reduced, i.e. objective c) is over-satisfied.
Step 2: Due to the reduction of the protection level against forgery attacks and the increase of the probability of wrong decision Pwd, n is replaced by nnew, nnew ≤ n2 (see Chap. 7.1–7.3), so that objectives a) and b) are satisfied. Flag for nested intervals := 0.
Step 3: Decrement nnew := nnew − 1.
Step 4: Calculate a new dmax using Equation (6-16) with n := nnew. Check whether:

$$P_{d4} = P_{RIGHT} \cdot \sum_{i=d_{max}+1}^{n} \binom{n}{i} BER^{i} (1 - BER)^{n-i} \;\le\; 10^{-k_1}$$ (7-26)

If YES, set Flag for nested intervals := 1 and go to Step 3. If NO and Flag for nested intervals = 1, then suitable system parameters are found:

n := nnew + 1 (7-27)
The solution of the previous round was the best. END. If NO and Flag for nested intervals = 0, then increment i := i + 1 and go to Step 1. In this case, the upper start limit of the nested intervals was not adequately selected.

Example m = n = 160: The probability that correct messages are not recognised, because there are too many errors in the checksum, should be less than 10^-k1 (k1 = 4). dmax is determined based on Equation (7-24). n is increased to n2, i.e. the security level remains as in the standard algorithm of Hard Input Hard Verification (complexity of a forgery attack K ≈ 1.17·2^80, Pwd ≤ 2^-160). Table 7-8 presents the solutions that meet the requirements for various Eb/N0, i.e. different BER.

Table 7-8: dmax and nnew for n = m = 160 and k1 = 4 in case of imax = 2^8 and imax = 2^16

Eb/N0 [dB]        1       1.5     2       2.5      3        3.5      4        4.5      5
BER               0.036   0.0234  0.0149  0.00681  0.00376  0.00142  0.00037  0.00024  0.00012
dmax              9       9       7       5        4        2        1        1        1
nnew (imax=2^8)   224     224     214     204      199      188      182      182      182
nnew (imax=2^16)  232     232     222     212      207      196      190      190      190
For completeness of the security aspects, the results of the work by Wiener should be mentioned, which describe methods for finding collisions and near collisions. These methods can also be applied to the schemes of MAC calculation considered in this book. The general idea, originating from van Oorschot and Wiener [OoWi99], concerns a parallel search method for collisions. The algorithms allow parallel execution and lead to a reduction of the required memory. If a hash function is considered that issues checksums of length n, the number of attempts before a collision occurs with a probability higher than 0.5 is O(2^{n/2}) due to the Birthday Paradox. The memory required for this is O(2^{n/4} n log 2). If the parallel search method is applied and O(2^{n/3} (2n o(1))/(n log 2)^{1/3}) processors are used, then the total memory required is only O(2^{2n/3} (n log 2)^{4/3}) according to [Wie03]. This method can also be applied to near collisions. In Equation (7-9) the number of attempts required for a successful forgery attack, if ε-near collisions with ε = dmax are allowed, was estimated as:

$$O\left(\frac{2^{n/2}}{\sqrt{\sum_{i=0}^{d_{max}} \binom{n}{i}}}\right)$$ (7-28)

If the parallel method is used, the total memory required is:

$$O\left(\frac{2^{2n/3} (n \log 2)^{4/3}}{\left(\sum_{i=0}^{d_{max}} \binom{n}{i}\right)^{2/3}}\right)$$ (7-29)

Here O(2^{n/3} (2n o(1))/(n log 2)^{1/3}) processors are needed to operate in parallel. The formulas can be expanded further in order to take the iterations into account as well. In spite of all attempts to reduce the practical effort for generating a collision, the real effort is always greater than the theoretical one, i.e. the increase of the cryptographic checksum length n to n2 makes Soft Input Soft Verification resistant to all known forgery methods.
8 Soft Output of Soft Input Soft Verification
If n, dmax and imax meet all security requirements, the complexity of forgery is not reduced by Soft Input Soft Verification, and the probability of wrong decision is not higher than with hard or standard verification. In these cases, L-values of ±∞ (for 0 and 1) could be issued as soft output for all bits of the message if the soft verification is successful. If the message cannot be successfully verified, the L-value 0 could be assigned to all bits of the received message. Alternatively, the source decoder receives the L-values which the soft verification received from the channel decoder. In the future, source decoders could also be expanded in such a way that they can adopt and process both the L-values resulting from the cryptographic verification and those of the channel decoders. The value of n can be increased to n2, whereby the probability of wrong decision will always remain under the standard limit of 1/2^n and the complexity of a forgery attack will remain over 1.17·2^{n/2}; however, a value for n between the old value of n and n2 can also be selected. In this case, it has to be accepted that the security risks may be increased, but the probability of falsification of each message can be calculated. This probability of wrong decision is then the basis for the soft output value. The maximum probability of wrong decision is:

$$P_{wd} = 1 - (1 - a)^{i_{max}}$$ (8-1)

with $a = \sum_{d=0}^{d_{max}} \frac{\binom{n}{d}}{2^n}$.

The lowest probability of wrong decision is $\frac{1}{2^n}$. Therefore:

$$\frac{1}{2^n} \le P_{wd}$$ (8-2)

and:

$$\lim_{i_{max} \to \infty} P_{wd} = 1$$ (8-3)
If Soft Input Soft Verification is successfully performed, it is known in which verification round the correct message was found. The ordinal number assigned to that verification is referred to as ihit. Additionally, it is known how large the Hamming distance is between the received cryptographic checksum and the cryptographic checksum recalculated from the message recognised as correct. This Hamming distance is referred to as dhit. For the corrected message, the probability of wrong decision can be expressed as:

$$P_{wd,hit} = 1 - (1 - a)^{i_{hit}}$$ (8-4)

with:

$$a = \sum_{d=0}^{d_{hit}} \frac{\binom{n}{d}}{2^n}$$ (8-5)
Each bit of the message is wrong or forged with this probability, i.e. every bit of the message is correct with probability 1 − Pwd,hit. The complement of the probability of wrong decision is interpreted as the reliability of the message, i.e. of the bits of the message: every bit of the message is reliable with probability 1 − Pwd,hit. Every bit u of the message M obtains a trust value T(u). If the probability of wrong decision has the minimal value, namely 1/2^n, then the message enjoys the highest trust, i.e. it should obtain the highest trust value. If the probability of wrong decision, depending on dhit and ihit, becomes greater than 1/2^n, the trust value should decrease. As long as the verification is successful, Pwd < 1 applies, even if Pwd, depending on imax, can come very close to the limit of “1”. For that reason, the trust value should obtain (in case of positive verification) an absolute value larger than 0. If no verification can be achieved because all attempts fail, the message is not trustworthy and the bits of the message receive the trust value 0. Additionally, it should be obvious from the trust value T(u) which value the bit u has. In order to apply a trust value T(u) as a soft value in the usual sense, it still needs to be normalised such that the following applies for every bit u of the message M:

T(u) = 0 for Pwd,hit = 1 or if all attempts fail
T(u) = +∞, if Pwd,hit = 1/2^n (maximum reliability of hard verification) and u = 1
T(u) = −∞, if Pwd,hit = 1/2^n (maximum reliability of hard verification) and u = 0

The following equation for T(u) as a trust value for the bit u meets these requirements:

$$T(u) = \begin{cases} \operatorname{sign}(0.5 - u) \cdot \ln \dfrac{P_{wd,hit} - \frac{1}{2^n}}{1 - \frac{1}{2^n}} & \\ 0 & \text{if all attempts fail} \end{cases}$$ (8-6)
These trust values T(u) behave like L-values. The Soft Input Soft Verification algorithm provides them as soft output to the source decoder for every bit of the message M. If the source decoder generates the L-values and wants to feed them back, these L-values will be sent to the module of Soft Input Soft Verification and forwarded from it to the channel decoder as feedback values.
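As an added worked example (my own code, not the book's), the following Python implements the soft verification decision with a Hamming-distance threshold and the trust values T(u) of Equations (8-4) to (8-6) as soft output. HMAC-SHA1 stands in for the n = 160-bit CCV; the key, the message and the three checksum bit errors injected into the "received" CCV are constructed for the demonstration, and the verification round ihit is taken as a parameter. It also handles the two endpoints of the normalisation: the ±∞ case (Pwd,hit = 2^-n) and the all-attempts-failed case.

```python
# Added example: soft verification with a Hamming-distance threshold and the
# trust values T(u) of Equations (8-4)-(8-6) as soft output. HMAC-SHA1 stands in
# for the n = 160-bit CCV; key, message and injected checksum errors are
# constructed for the demo. Function names are hypothetical.
import hashlib
import hmac
import math

N = 160  # CCV length in bits (HMAC-SHA1)


def near_collision_count(n: int, dhit: int) -> int:
    """sum_{d=0}^{dhit} C(n, d): the sum in Equation (8-5)."""
    return sum(math.comb(n, d) for d in range(dhit + 1))


def wrong_decision_prob_hit(n: int, dhit: int, ihit: int) -> float:
    """Pwd,hit = 1 - (1 - a)^ihit with a = sum C(n, d) / 2^n ((8-4), (8-5)).
    log1p/expm1 keep a ~ 2^-160 from vanishing against 1.0."""
    a = near_collision_count(n, dhit) / 2 ** n
    return -math.expm1(ihit * math.log1p(-a))


def trust_value(u: int, n: int, dhit: int, ihit: int, verified: bool = True) -> float:
    """T(u) of Equation (8-6): 0 if all attempts failed; +inf (u = 1) / -inf
    (u = 0) when Pwd,hit = 2^-n, i.e. the message is as reliable as under hard
    verification; otherwise sign(0.5 - u) * ln((Pwd,hit - 2^-n) / (1 - 2^-n)),
    whose magnitude shrinks towards 0 as Pwd,hit grows towards 1."""
    if not verified:
        return 0.0
    sign = 1.0 if u == 0 else -1.0  # sign(0.5 - u)
    # Pwd,hit equals its minimum 2^-n exactly when dhit = 0 and ihit = 1
    # (a >= 2^-n with equality only for dhit = 0; 1-(1-a)^i >= a with equality
    # only for i = 1). Decide that case exactly instead of evaluating ln(0).
    if dhit == 0 and ihit == 1:
        return -sign * math.inf
    p_min = 2.0 ** -n
    ratio = (wrong_decision_prob_hit(n, dhit, ihit) - p_min) / (1.0 - p_min)
    if ratio <= 0.0:  # floating-point guard for the same endpoint
        return -sign * math.inf
    return sign * math.log(ratio)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length checksums."""
    if len(a) != len(b):
        raise ValueError("checksums must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def soft_verify(key: bytes, message: bytes, received_ccv: bytes, dmax: int):
    """Soft verification: recalculate the CCV and accept when it differs from
    the received one in at most dmax bits. Returns (accepted, dhit)."""
    recalculated = hmac.new(key, message, hashlib.sha1).digest()
    dhit = hamming_distance(received_ccv, recalculated)
    return dhit <= dmax, dhit


def demo(dmax: int = 10, ihit: int = 1):
    """Constructed scenario: the transmitted checksum picks up 3 bit errors on
    the channel; the message is assumed to have been found in round ihit.
    Returns (accepted, dhit, T(u) for u = 1, T(u) for u = 0)."""
    key = b"constructed-demo-key"            # constructed, not from the book
    message = b"addr=0x21;seq=42;temp=21.5"  # constructed sample message
    ccv = hmac.new(key, message, hashlib.sha1).digest()
    corrupted = bytearray(ccv)
    for byte_index, mask in ((0, 0x01), (5, 0x10), (19, 0x80)):  # 3 flipped bits
        corrupted[byte_index] ^= mask
    accepted, dhit = soft_verify(key, message, bytes(corrupted), dmax)
    return accepted, dhit, trust_value(1, N, dhit, ihit), trust_value(0, N, dhit, ihit)


if __name__ == "__main__":
    print(demo())             # accepted, dhit = 3, |T| around 97 for n = 160
    print(demo(dmax=2))       # rejected: 3 errors exceed dmax = 2
    for ihit in (1, 288, 10000):
        print(ihit, trust_value(1, N, 10, ihit))  # |T| falls as ihit grows
```

The sign convention follows the text: a positive T(u) indicates a 1 bit, and the magnitude, like an L-value, expresses how far Pwd,hit is from its worst case of 1. Because T depends only on (n, dhit, ihit), every bit of an accepted message receives the same magnitude, which is exactly what Figures 8-1 to 8-3 plot.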
In this way, the architecture model is realised in which the verification of cryptographic checksums is transparently integrated into the Joint Source and Channel model and expanded to the model of joint source and channel coding with cryptography, as shown in Fig. 1-2. The trust values are shown for some examples in the following figures. They demonstrate the dependence of |T(u)| on dhit, ihit and n, the three parameters which describe the trustworthiness of a message after its verification. Values of 288 and 10,000 for ihit are taken as examples in Fig. 8-1 and 8-2 respectively. Fig. 8-3 shows the dependence of |T(u)| on ihit for various dhit in the case of n = 163 (the extended value of n = 128 at 4 dB, see Table 7-5).
[Figure 8-1: plot of |T| (0 to 160) against dhit (0 to 25) for n = 128, 160, 192 and 224]
Figure 8-1: Trust values at ihit = 288 for various n depending on dhit
[Figure 8-2: plot of |T| (0 to 160) against dhit (0 to 25) for n = 128, 160, 192 and 224]
Figure 8-2: Trust values at ihit = 10,000 for various n depending on dhit
[Figure 8-3: plot of |T| (0 to 90) against ihit (0 to 70,000) for dhit = 0, 5, 10, 15, 20 and 25]
Figure 8-3: Trust values at n = 163 for different dhit depending on ihit
Note: Trust and trust values are a subject of information security, in which the trustworthiness of received messages or reported events should be measured quantitatively or at least qualitat ively. The definition of trust values used in this chapter is based on a probability calculus, by which the trustworthiness of the message is determined quantitatively (8-6). Along with the probability-based methods for determining trust, there are also other methods, e.g. reputation-based methods [Reetalt00].
9 Applications of Soft Input Soft Verification
Cryptographic checksums are not only used to guarantee the data integrity of financial transactions, but more and more in industrial applications for the exchange of messages between sensors, robots, measurement equipment and control units. Each of these messages is very short and consists of only a few octets (often also called bytes), and each message is protected by a cryptographic checksum. A message which, for example, is sent in vehicles over a CAN bus has fewer than 20 octets. Messages in the area of metrology have only a few octets, which typically consist of a destination address, sender address, time stamp or sequence number, type, field length and measured value. Such applications are very suitable for the use of Soft Input Verification algorithms. Message repetition in the case of an unsuccessful verification of the cryptographic checksum is often not possible in industrial applications, because the transmission mode is connectionless or real-time oriented. The connectionless mode does not provide any sequence numbers that would allow a repetition to be requested, and the real-time requirement does not allow the delay that would arise until a repetition has been successfully completed. Even the repetition can result in an unsuccessful verification, and therefore repetition does not support a deterministic process. Soft Input Verification algorithms also need time, but this can be limited by restricting the number of iterations. Therefore, Soft Input Verification algorithms are an appropriate solution for connectionless and real-time applications. In the case of broadcast communication from a source to many receivers, no repetition of the messages is possible either if the verification fails. This applies to all one-way communication applications, in which messages are distributed without a back channel.
This type of communication is currently increasing, since there are services that distribute messages over long waves, similar to the time service DCF 77, or via TPEG (digital traffic broadcast). These messages are usually encrypted and secured with Message Authentication Codes. Soft Input Verification algorithms can also be applied very well here. Other applications suitable for the use of Soft Input Verification algorithms are space and deep-space missions, where there is no possibility of repetition because of the long transmission times, or because the sender no longer exists to resend messages. It is irrelevant in these cases how long the reconstruction of a message secured by a cryptographic checksum takes; the main point is that the message can be reconstructed. The cryptographic redundancy can contribute significantly to this reconstruction using Soft Input Verification algorithms. Messages are very often transmitted in electrically and magnetically noisy environments, sometimes wirelessly. For this reason, they are subject to strong disturbance, which causes a low signal-to-noise ratio S/N. The channel code can correct some transmission errors, but there is always a residual error rate behind the channel decoder. If the channel is very noisy, the repeated message will also be disturbed, and every further repetition as well, i.e. repetition is not efficient. In this case, the poor quality of the transmission channel can be compensated by investment in the computing complexity of the Soft Input Verification algorithms. It can be concluded that Soft Input Verification is always efficient if ARQ procedures are not admitted, possible or efficient.
10 Summary and Future Work
The background of this book is the aim to make communication over noisy channels more robust. This also applies to the case that the messages are protected by cryptographic mechanisms against manipulation, whereby the messages become more sensitive to modifications, since any change leads to the rejection of the message. The basis of the new algorithms for achieving the goal of robustness is SISO channel decoders and the knowledge that better results, expressed as coding gain, can be achieved using soft techniques, which work with probability values in place of binary values. For that reason, the steps from standard hard verification, in which the received cryptographic checksum must be identical to the recalculated cryptographic checksum, via Soft Input Hard Verification, in which the soft values of the channel decoder are used for correction, to Soft Input Soft Verification, in which the cryptographic checksum at the receiver only needs to be almost correct, are performed. A complete security analysis describing the calculation of the cryptographic checksum as a random oracle was performed, and the Birthday Paradox was expanded for near collisions. The security analysis leads to calculations of the compensation of the reduced complexity of a forgery attack and of the increased probability of wrong decision, by extension of the length of the CCVs. In the end, considerable coding gains remain, in spite of the compensation. This is expressed in the fact that many messages which would have to be rejected by conventional procedures can be corrected and verified while retaining the original level of security. The CCVs are not only used for the verification of the message but also, in combination with the soft output of the channel decoder, for the correction of the message.
If the security level cannot be compensated in all cases, a soft value is assigned after verification to every message that is passed on to the source decoder; this soft value is a measure of the trustworthiness of the message. In this way, the architecture model on the receiver side is preserved: every decoding step (line, channel and source decoder) forwards soft values and returns feedback values, even if a component between the channel decoder and the source decoder verifies and, if necessary, corrects the cryptographic checksums. Additionally, other applications of the iterative bit inversion strategy using soft values in communication protocols without security aspects are explained: the miscorrection rate of Reed-Solomon decoders can be reduced, the repetition rate of WiMAX can be diminished, and the correction rate can be improved by combining copies of received message packets. The described applications are examples of the effective employment of this technique; numerous other applications in communication technology can profit from it, which is why further research in this field is needed. Other approaches to realising error-tolerant Message Authentication Codes are presented in Chap. 3: there, partially erroneous messages still result in the same CCV, or else the non-authentic parts of a message can be localised.
Although numerous aspects of hard and soft verification have been taken into account, further research is needed. In particular, no research has yet been done on how to find the correct message as quickly as possible. The soft output of soft verification expresses the trustworthiness of the message. A formula was presented that quantifies this trustworthiness, also referred to as trust. Additional analyses need to be performed and experience collected to determine whether this formula is suitable in practice. It would be very interesting to build up a “Trust Theory” in which a “trust value” is assigned to every message. Since messages are processed, e.g. combined with each other, it is necessary to assign a trust value even to processed messages. A trust algebra is therefore needed that defines the calculation rules for trust values. A trust value would be attached to every message, expressing how much one can trust it. This would open new theoretical and research studies in the field of trust theory. While “trust” today is not precisely defined, a quantifiable value of “trust” would then become a unit of measurement.
Epilogue
This book is the English version of the post-doctoral (“Habilitation”) thesis which was submitted in German under the title “Soft Input Verification” at the University of Siegen. The methods and algorithms described and analyzed in the book are the summary of my research at the Institute for Data Communications Systems of the University of Siegen since the end of 2004. They are the results of the cooperation with my supervisor and head of the Chair for Data Communications Systems, Christoph Ruland, and my colleagues, Obaid ur Rehman and Amir Tabatabaei. I would like to express my gratitude to my family for their support and their understanding of the importance of the time invested in this work, to my friends who encouraged me, as well as for the support which I received from the University of Siegen and the company Secutanta. Special thanks to the Oldenbourg Verlag for their engagement and support in the preparation of this book.
List of Abbreviations
3DES        Triple Data Encryption Standard
AES         Advanced Encryption Standard
ACK         ACKnowledgement
AMAC        Approximate Message Authentication Code
ARQ         Automatic Repeat reQuest
AWGN        Additive White Gaussian Noise
BER         Bit Error Rate
BPSK        Binary Phase Shift Keying
BCJR        Bahl, Cocke, Jelinek, Raviv
CBC_MAC     Cipher Block Chaining Message Authentication Code
CCF         Cryptographic Check Function
CCV         Cryptographic Check Value
CCER        Cryptographic Check Error Rate
CRC         Cyclic Redundancy Check
CRC NTMAC   Cyclic Redundancy Check Noise Tolerant Message Authentication Code
DES         Data Encryption Standard
EARQ        Enhanced Automatic Repeat reQuest
EC-NTMAC    Error Correction Noise Tolerant Message Authentication Code
EC-WNTMAC   Error Correction Weighted Noise Tolerant Message Authentication Code
ED          Error Detection
FEC         Forward Error Correction
GMD         Generalized Minimum Distance
HARQ        Hybrid Automatic Repeat reQuest
HARQ IBF    Hybrid Automatic Repeat Request Iterative Bit Flipping
HARQ IR     Hybrid Automatic Repeat Request Incremental Redundancy
HARQ CC     Hybrid Automatic Repeat Request Chase Combining
HD          Hamming Distance
HAD         Hybrid Analog-Digital
H_MAC       Hash function based Message Authentication Code
IEEE        Institute of Electrical and Electronics Engineers
IEPC        Iterative Enhanced Packet Combining
IMAC        (Approximate) Image Message Authentication Code
ITU         International Telecommunication Union
ISO         International Organization for Standardization
ISO/IEC     International Standard Organization/International Electrotechnical Commission
LDPC        Low Density Parity Check
LLR         Log-Likelihood Ratio
LRB         Least Reliable Basis
LRP         Least Reliable Position
LSB         Least Significant Bit
MAP         Maximum A Posteriori
MDS         Maximum Distance Separable
MID         Message IDentifier
MIT         Massachusetts Institute of Technology
MMSE        Minimum Mean Square Error
MRB         Most Reliable Basis
MRIP        Most Reliable Independent Position
NTMAC       Noise Tolerant Message Authentication Code
OSD         Ordered Statistics Decoding
PD          Permutation Decoding
PER         Packet Error Rate
pdf         probability distribution function
pmf         probability mass function
PRNG        Pseudo Random Number Generator
PRPC        Packet Reversed Packet Combining
RS          Reed-Solomon
RSC         Recursive Systematic Convolutional
RIPEMD      RACE Integrity Primitives Evaluation Message Digest
SAC         Strict Avalanche Criterion
SDF         Spectral Density Function
SER         Symbol Error Rate
SHA         Secure Hash Algorithm
SID         Soft Input Decryption
SISO        Soft Input Soft Output
SNR         Signal Noise Ratio (S/N)
SOVA        Soft Output Viterbi Algorithm
UMTS        Universal Mobile Telecommunications System
WiMAX       Worldwide Interoperability for Microwave Access