Joint Scheme for Physical Layer Error Correction and Security

We present a joint scheme that combines both error correction and security at the physical layer. In conventional communication systems, error correction is carried out at the physical layer while data security is performed at an upper layer. As a result, these steps are done as separate steps. However there has been a lot of interest in providing security at the physical layer. As a result, as opposed to the conventional system, we present a scheme that combines error correction and data security as one unit so that both encryption and encoding could be carried out at the physical layer. Hence, in this paper, we present an Error Correction-Based Cipher (ECBC) that combines error correction and encryption/decryption in a single step. Encrypting and encoding or decoding and decrypting in a single step will lead to a faster and more efficient implementation. One of the challenges of using previous joint schemes in a communications channel is that there is a tradeoff between data reliability and security. However, in ECBC, there is no tradeoff between reliability and security. Errors introduced at the transmitter for randomization are removed at the receiver. Hence ECBC can utilize its full capacity to correct channel errors. We show the result of randomization test on ECBC and its security against conventional attacks. We also present the nonpipelined and pipelined hardware architecture of ECBC, and the result of the FPGA implementation of the ECBC encryption. We also compare these results with non-ECBC schemes.


Introduction
Due to the rapid increase in the applications that can be carried out on portable wireless devices, it becomes necessary to secure data transmitted through these devices.Even though early work from [1] showed the existence of secrecy-achieving codes, error correction and data security schemes are still viewed as two different processes in a contemporary communication system.Error correction is carried out at the physical layer while security is performed at upper layers.Many security protocols today are designed and implemented with the assumptions that physical layer provides an error-free information.However with the emergence of resource constraint wireless devices and ad hoc network, encryption at higher layer become difficult to implement.As a result, there has been a lot interest in implementing encryption at the physical layer.The authors in [2] pointed out that the best and often the only way to secure data in a wireless sensor network is to encrypt the data using a secure encryption algorithm before it is transmitted over the air ways.They pointed out that the cost of software-based encryption procedure could outweigh the risks of the transmission being intercepted because of the constraint nature of resources, memory, and clock speeds on the sensor nodes.
Authors in [3,4] have proposed physical layer encryption.However these encryption modules are visualized as a separate module from the error correction module.Contrary to their models, we propose a joint scheme that combines encryption and error correction in one step for physical layer encryption.In such a case, the secrecy achieving characteristics of channel codes could be exploited.This leads to improved efficiency, speeds and savings in hardware usage because of hardware reuse.This also gives flexibility in terms of design and technology used for fabrication.It is also difficult to build lower layer analyzers in terms of attacks.
The conventional secure communication model with the sender (Alice), legitimate receiver (Bob), and the eavesdropper (Eve) [1] is shown in Figure 1.Alice would like to send a confidential and reliable message u to Bob with whom they share a secret key while making sure that Eve has no knowledge of u.She does this by encrypting u with the secret key k to obtain a ciphertext c.The ciphertext c is encoded by introducing redundancy into c to obtain x so that channel errors could be detected and corrected at the receiver by Bob.Upon receiving y, the legitimate receiver (Bob) decodes it to obtain c and he then decrypts with the aid of k to obtain the message u intended for Bob.It is important to note that eavesdropper (Eve) has a knowledge of the decoder, hence she can obtain an error-free ciphertext as shown in Figure 1.The knowledge of the decoder does not decrease Shannon's entropy of m given c = c which can be expressed as H(u/c) = H(u).
In Figure 2, we show the alternative secure communication model for our scheme.When Alice wants to send a message u to Bob with whom they share a secret key while making sure that Eve has no knowledge of u.She does this by passing the message through the Error Correction-Based Cipher (ECBC) to obtain encoded ciphertext x with the aid of secret key k.Upon receiving y, the legitimate receiver (Bob) decodes and decrypts in a single step using ECBC with the aid of k to obtain the message u intended for Bob.The eavesdropper (Eve) does not have a knowledge of the key to ECBC, hence the ciphertext she receives is not error-free as shown in Figure 2. Shannon's entropy of u for our model is therefore larger than that of the conventional model which can be expressed as (H(u/c)) ecbc > H(u).
This research combines the encryption and channel coding as one process thereby resulting in a potential reduction in hardware usage.This will potentially lead to reduction in hardware usage which in turn leads to an increase in power savings [5] as power consumption reduction and area efficiency are of utmost importance in modern wireless communication [6].Also, there is no tradeoff between data reliability and security in ECBC as opposed to previous schemes [7][8][9].The ECBC scheme, cryptanalysis of ECBC, the result of the randomization test on ECBC, and the hardware implementation of ECBC are presented in this paper.The ECBC carries out both encryption and error correction in a single step as opposed to two separate steps.

Related Work
The authors in [3] considered an architecture for physical layer encryption that first converts information sequences to longer channel codewords and then encrypts them using classical stream cipher.They pointed out that even though their architecture requires longer encryption sequences, it could use the natural randomness of the communication channel against known-plaintext.In our scheme, the order of the two processes is not of concern since they are done in one step by one unit.The authors in [2] pointed out how physical layer encryption is taking significant importance in wireless network security.They propose an efficient physical layer encryption that relies on implementation of OFB mode just after error correction.
The use of error correcting code as a public-key cryptosystem was introduced by [8].McEliece scheme is based on algebraic coding theory using t-error correcting Goppa code.However, his scheme requires large block length (n = 1000) in order to correct large number of errors (t = 50 bits).This results in very large computational overhead [9].The author in [10] proposed a private key algebraic-code using McEliece scheme where he suggested that the generator matrix be made private.Their scheme provides better security with simpler error-correcting code thereby making it less computational intensive compared with McEliece.However, the author in [9] showed that it could be easily broken by a chosen-plaintext attack.They introduced a private key cryptosystem that requires simpler error correcting codes with distance ≤ 6 and block length n ≤ 250.If these schemes are used for error-correction based ciphers, there is a tradeoff between reliability and security.The authors in [7] presented the Secret Error Correcting Code (SECC) using nonlinear Preparata code.Their two schemes preserve full error correcting capability while providing data secrecy.However there scheme I does not incorporate the error vector into the process.However, in our scheme, the error vector is added to the plaintext for randomization, thereby increasing the security of our system.The most recent joint scheme for error correction and cryptography was presented in [11] where they used High Diffusion (HD) codes.They built their cipher using the structure of Advanced Encryption Standard (AES) [12] replacing the high diffusion layer of the AES with error correcting code.Though their scheme provides data security and error correction, it is higher in complexity compared to McEliece-based scheme.They [5,11] even confirmed that McEliece-based schemes have advantage of low power consumption by using the same hardware components available for error correction for security.As a result, McEliece-like schemes are desired for a constraint environment.Our Error Correction-based Cipher provides data reliability, integrity, and security.The full error correcting capability of the error correcting code is preserved.

Error Correction-Based Cipher (ECBC)
We present a private key algebraic-based system for physical layer encryption called Error Correction-Based Cipher (ECBC) that combines encryption and error correction into a single step.The scheme is based on the block chaining technique.In ECBC, a k-bit plaintext block M is enciphered into n-bit ciphertext block C. A detailed explanation of ECBC is presented in this section.
(ii) Plaintext M i is XORed with a randomization vector to obtain d i .The first plaintext block M 1 at time 1 is randomized by XORing it with a k-bit initialization vector (Q * 0 = initialization vector (IV)).(iii) A nonlinear function f transforms d i into X i .The reason for the use of nonlinear function will be explained in the cryptanalysis section of this paper.
(iv) The output of the nonlinear function X i is encoded with the aid of the generator matrix G to obtain b i .X i is also stored in a register for obtaining a delay version which is then used to produce randomly generated vector Z i with the aid of an expansion function (g).
(v) The encoded data b i is permuted with the aid of permutation matrix P to produce Q i .The first k-bit of Q i is denoted as Q * i and is delayed with the aid of a register to produce Q * i−1 which will be XORed with the next block M i+1 .
(vi) The randomly generated error vector Z i is then added to Q i to form ciphertext C i which is then sent through the channel.
A ciphertext C i is expressed mathematically as The block diagram representing the encryption process of ECBC is shown in Figure 3. Ciphertexts C i for i = 1, 2, 3, and so forth, are shown as where where , and where . The block chaining effect of this scheme allows the same plaintext block to be enciphered into different ciphertexts.Block chaining is a mechanism where each block of plaintext is XORed with the previous ciphertext block being encrypted.Similarly, the decryption of a block of ciphertext depend on all the preceding ciphertext block.From the encryption algorithm, the cryptanalysis would be difficult.The cryptanalyst cannot construct a combinatorially equivalent generator matrix of the code from the ciphertexts because the ciphertexts are not codewords.Hence, the cryptanalyst cannot correct errors systematically.The cipher also employs double randomization since the plaintext is XORed with Q * i−1 and the permuted codeword is XORed with Z i .This also prevents construction of the generator matrix from the ciphertext.
For decryption, we assume that the receiver has to agree with the transmitter.This means that they have to agree on the initial Q 0 and X 0 vector (initialization vectors).For this section, we also assume that the decoding is done correctly in order to decrypt.The decoding process is outlined below.
(i) The initialization vector is fed into the expansion function g to produce error vector Z i .
(ii) The vector (Z i ) is XORed with the ciphertext C i to produce Q i .
(iii) Q i is multiplied by the transpose of the permutation matrix P to produce b i .
(iv) b i is decoded into X i .
(v) The inverse of the nonlinear function f −1 is applied to X i to produce d i . (vi ISRN Communications and Networking The decryption process is shown mathematically in ( 6), ( 7), ( 8), ( 9), (10), and (11).The block diagram representing the decryption process is shown in Figure 4.
To show the decryption process in a noiseless channel, let the received ciphertext be C i (assuming no error due to the channel), Applying the decryption process to (5) we get Multiplying with the transpose of the permutation matrix, we have Applying the decoding algorithm to b i depending on the code employed, then Applying the inverse of the nonlinear function f −1 , then Adding the error vector Q * i−1 to d i , we get where M i is the message block i.
For the case of noisy channel with error vector Z c due to the channel, we assume that Z c is within the error correcting capability of the code.The received ciphertext with the channel error is From ( 12), we know that Applying the decryption process (we use Q i because of the effect of the channel error), we have Multiplying with the transpose of the permutation matrix, we get ( Note that P T does not change the weight of Z e .Let W H represent the hamming weight, hence Applying the decoding algorithm to b i , then Applying the inverse of the nonlinear function f −1 , then Adding the error vector Q * i−1 to d i , we have From the above proof, the error-correction ability of the code is fully preserved for possible channel errors because error introduced intentionally at the sender can be removed because of synchronization of the initialization vector.Hence error due to the channel can be removed.In summary, the decryption process is shown in Figure 4 and expressed mathematically: where Z i = g (X i−1 ), In this scheme, errors due to intruders tampering which cannot be removed by the error-correcting code will propagate to the later blocks due to the block-chaining technique.Hence, this scheme could be used as a checksum to detect illegal tampering or modification [13].However, the transmitter will have to resend the data if the errorcorrecting code cannot correct the modification.Based on this features, ECBC does not only provide error detection and correction, but also data integrity.

Cryptanalysis
Cryptanalysis will be more difficult because the same plaintext block will be encrypted to different ciphertext.The cryptanalyst cannot construct an equivalent generator matrix combinatorially [7], since the ciphertexts are not codewords, as a result, errors cannot be corrected systematically.We analyze the security that this scheme provides in this section.
In a case where X i is fed forward and Q i−1 is not fed back, then the encryption process can be expressed as A chosen plaintext attack will break GP if the expansion function g is a linear function that has a left inverse based on the equations.To see this, let M i = M i+1 , and M i+2 = M i+3 , then If g is linear, From (24), GP can be derived if the cryptanalyst could obtain k such distinct pairs.However, GP is a permutated version of G which increases the work factor of deriving G.This is one of that features that differentiate previous schemes.Also, if g is a secret nonlinear function, then this attack will not work at all and ECBC uses g as a nonlinear function.
We analyze the case where Q i is fed back and X i is not fed forward.The encryption sequence is shown below: The cryptanalyst would have to search for equivalent ciphertexts where As a result f GP can be figured out by a known plaintext attack.However if f is a nonlinear transformation, the line of attack will not work.The cryptanalyst can collect k linearly independent equivalent codewords to construct G = f GP which is combinatorially equivalent to G. It will be computationally infeasible to estimate the matrix G if k is large enough.
The ECBC scheme withstands chosen-plaintext attacks [14] because of the nonlinear function f that transforms the plaintext.As a result, the cryptanalyst cannot construct unit vectors from chosen plaintext to construct the G.

Architecture of Error Correction-Based Cipher
The architecture of the ECBC scheme for encryption is shown in Figure 5.The shift register contains received stream data.Each block of data is shifted into the k-bit buffer.The output of the buffer (message block) is randomized with the output of the multiplexer MuxA through an XOR gate.
The inputs to the multiplexer is a random Initial Vector (IV) and a delayed version of the permutated encoded data.The control unit outputs the selector (selA) for the multiplexer as shown in Figure 5.
The output from the XOR gate is fed into the SBOX unit.The SBOX [12] represents the nonlinear function f.This is a function that computes the multiplicative inverse of each input byte of the state in GF(2 8 ) followed by affine transformation.It is a nonlinear byte substitution and it is composed of two transformations: (i) multiplicative inverse in GF (2 8 ): this is the mapping of x → x −1 , where x −1 is the multiplicative inverse; (ii) affine transformation over GF(2): x → Ax + b, where A and b are constants.
We implement the S-box with a multiplexer and lookup tables.In our implementation, given an n-bit input into the f function, n/8 S-boxes are applied to the n/8 bytes of data that make up the input.Each of the n/8 bytes from the different S-boxes are substituted by the corresponding element in the S-boxes.Each of the byte output from each S-boxes are then concatenated together to form a vector.The & sign is used to represent the concatenation unit.The architecture of the SBOX is shown in Figure 6.
The concatenated output from the SBOX is encoded using the generator matrix (G) of Low Density Parity Check Code (LDPC).LDPC codes are linear block codes.They are codes that have received major attention in recent years because of their excellent performance and error correction capability.We used LDPC code because it has good diffusion property.It has good linearity relationship between code length and the minimum weight/code distance.The random LDPC code has higher security than QC LDPC codes [15].An (n, k) LDPC code has k information bits and n codeword bits with code rate r = k/n.The parity check matrix H has a dimension of (n − k) × n.LDPC encoding is based on the property where u is the n-bit codeword bits and H is the parity check matrix.The parity check matrix H can be expressed as where The information bit could be expressed as where s is the k-bit information bits and p is the n − k parity bits.Based on (27), since operation is in GF (2), The architecture of the LDPC encoder is shown in Figure 7.Each parity bit is obtained by matrix-vector multiplication of matrix H 2 with the output of the SBOX unit.Since matrix-vector multiplication operation is carried out in GF(2), Each row of matrix H 2 is ANDed with the vector output (s) from the SBOX.The outputs from the (n − k) AND gate are then XORed together to produce the parity bit.Multiplication by H −1 1 is not necessary if the H matrix is systematic.The codeword is reconstructed by concatenating the parity with the k × 1 SBOX output with the aid of Codeword Construction Unit.
The architecture of the permutation unit is shown in Figure 8.The unit permutates the codeword output from the encoder unit.We attempt to explain the permutation unit in Figure 8 in this section.Assuming we have a permutation matrix P shown as follows: (32) The column numbers where 1s are located in the permutation matrix are stored instead of storing the 0s and the 1s.The row number (index) is used for referencing the column.For example, from Figure 8, for row 1 (index), 1 is located in column 2, in row 2, 1 is located in column 1, and row 3, 1 is located in column 3. The column numbers are used as selectors for the multiplexer which in turn determines the output of the permutation unit.Each of the multiplexer is an n to 1 multiplexer.The control unit for the ECBC is modeled as a Finite State Machine (FSM) as shown in Figure 9.The control unit has six states: Initial, Fetch, random, substitute, encode, and permutation.The initial state is the first state after reset where zeros are written to all the registers.If start is asserted at the initial state, the present state becomes the fetch state.At the fetch state, a block of data is read into the buffer from the stream shift register.Control is transferred to the randomization state after the fetch state where the input block is randomized.The control unit also outputs the selector for MUXA at the random state.At the substitute state, control signal is sent to the concat (&) unit in order to concatenate all the output blocks coming from the SBOX.In the encode state, codeword is generated by the encoder.The next state is the perm state where the codeword from the encoder is permutated.After perm state, an encrypted data is produced and the present state becomes the fetch state where another block is fetched.The 5-staged pipelined architecture of the ECBC is shown in Figure 10.The figure includes the 5 pipeline registers.This architecture helps to increase the throughput of ECBC.

Implementation and Result
The ECBC scheme was implemented in software for the purpose of verification and randomization test.The nonlinear function f was implemented using S-box [12].We used the generator matrix (G) of Low-Density Parity Check (LDPC) code for error correction.We used LDPC code because it has good diffusion property.It has good linearity relationship between code length and the minimum weight/code distance.The random LDPC code has higher security than QC LDPC codes [15].The permuted output of the ECBC is XORed with the output of a pseudorandom number.The key is the seed to a pseudorandom generator that generate a random sequence of bits that is XORed with permutated codeword.In our case, KISS99 was used as a generator.We heuristically tested the ECBC by testing for randomness in the output.The ECBC was used as a pseudorandom number generator in counter mode.The TestU01 [16] was used to test the randomness of the output of ECBC in counter mode.We tested for P-values within the boundary [10 −4 , 1 − 10 −4 ].
Any P-values lying outside this range is considered as failure, while the ones within the range is considered as pass.Table 1 lists the test suites, the number of tests in each suite, and the results.A total of 319 tests were carried out and the ECBC passed all of them.It is important to point out that because the scheme passes the test of randomization, it is not a guarantee that such a scheme is secure.However, it is important that a cryptographic scheme's output should be random.
We also plotted the graph of Bit Error Rate (BER) against Signal-to-Noise Ratio (SNR) in Figure 11 to see the effect of ECBC system on the performance.The green curve (x) is for the case where ECBC is not used while the blue curve (o) is for the case where ECBC is part of the communication system.The graph shows that the performance is the same in both cases.

ISRN Communications and Networking
We implemented the ECBC on Field Programmable Gate Array (FPGA) on Xilinx Spartan 3E xc3s1200e-4ft256 using ISE Foundation 11.2.The result of implementation is shown in Table 2.For the nonpipelined architecture, 23% of the slices were used and has a maximum frequency of 130.924 MHz.For the pipelined architecture, 26% of the slices were used and has a maximum frequency of 105 MHz.Even though maximum frequency reduced, the throughput for the pipelined architecture is 8 Gb/S.The non-ECBC method combines AES and LDPC as separate unit.These results show significant reduction in hardware usage.

Conclusion
In this paper we have presented a physical layer encryption scheme that is capable of providing data reliability, secrecy, and integrity.The scheme is able to provide error correction and security.We also presented the architecture and the implementation of the Joint scheme.The error correcting capability of the code is fully preserved because the error deliberately introduced at the sender end can be removed at receiver because of synchronization.In the joint scheme presented, there is no tradeoff between reliability and security because errors introduced at the transmitter are removed at the receiver.Hence ECBC can utilize its full capacity to correct channel errors.The scheme is also secure against some conventional attacks.The result of implementation is also presented.This joint scheme could easily be adapted to existing protocols such as in CC2420-Single-Chip 2.4 GHz IEEE 802.15.4 Compliant and ZigBee Ready RF Transceiver where AES is already implemented.

Figure 1 :Figure 2 :
Figure 1: Block diagram of a conventional secure communication system model.

Figure 3 :
Figure 3: Block diagram of the proposed ECBC encryption scheme.

Figure 4 :
Figure 4: Block diagram of the proposed ECBC decryption scheme.

Figure 5 :
Figure 5: Architecture of proposed Error Correction-Based Cipher.

Figure 9 :
Figure 9: Control unit as a Finite State Machine (FSM).

Table 1 :
Result of test suites on ECBC.

Table 2 :
Result of FPGA implementation.