Computationally Secure Optical Transmission Systems with Optical Encryption at Line Rate
We propose a novel system for optical encryption based on an optical XOR and optical Linear Feedback Shift Register (oLFSRs). Though we choose LFSR for its ability to process optical signals at line rate, we consider the fact that it offers no cryptographic security. To address the security shortfall, we propose implementation of parallel oLFSRs, whereby the resulting key-stream at line rate is controlled electronically by a nonlinear random number generator at speeds much lower than the optical line rate, which makes the system practically relevant. The analysis of computational security shows that the proposed system is secure against wiretapping and can be engineered with the state of the art optical components.
Making all-optical encryption practical today would require two basic components: an optical encryption component and an optical key generator. For their realization, not only these components need to be developed but also significant system design obstacles need to be overcome, whereby the main challenge is encryption and key generation at the optical channel line rate. It is therefore that in today’s systems, the payload of an OTN container is encrypted in the electronic layer and the so-called Advanced Encryption Standard (AES) does not perform encryption and decryption at line speed .
Currently, two state-of-the-art optical components can help implement all-optical encryption system at line speed: optical XOR and optical Linear Feedback Shift Register (oLFSRs). Optical XOR has been proposed for encryption, as it can easily concatenate plaintext with a key [2, 3, 4, 5]. For optical key generation, no solution currently exist. Our idea to use an oLFSR for key generation at line speed falls short, on the other hand, since the LFSR-based ciphers are known for their weak cryptographic security due to the linear properties . Since LFSR is simple to implement all-optically based on the concatenated optical XORs and a shift register [7, 4], we here address the fundamental security shortfall.
We propose a new and practical solution towards optical encryption and key generation, based on parallel oLFSRs, which are controlled and periodically reseeded by a pseudo random number generator (RNG) at speeds much lower than the rate of optical channel, which makes the system practically relevant. Under these assumptions and presence of guessing wiretapper in optical network, we analyze the computational security of the proposed system and derive important system parameters, including the minimal polynomial degree and the number of different polynomials required for oLFSR implementation, the optimal key length generated by oLFSR, and the implementation overhead. The results show that the proposed optical encryption system provides high level of computational security and thus carries promise for further studies.
Ii System Model
Fig.1 illustrates the optical transmission system envisioned. As the optical network usually encompass both the data plane, and from the data plane a separated control plane, we assume that the control plane is able to monitor information about network topology, assign wavelengths, and control the configuration of the encryption and key generation components. However, the control plane does not distribute the actual session keys, but only the synchronization signal for the Pseudo Random Number Generator (RNG) for random selection of parameters for session key generation and interleaving of original data in end-systems prior to data encryption. The bit interleaving can be defined and configured by control plane for each end-to-end connection and is required to preliminary hide the content of optical data as well as to force an attacker to decrypt a whole wiretap data for content recovery.
In the source, the original optical bit stream is interleaved and virtually split into multiple optical units . Each optical data is encrypted with the key from the Optical Key Generator (OKG). This is done by applying optical XOR. The encrypted is sent to the optical transmission channel provisioned. When any encrypted parts of reaches the destination, it is decrypted with key and converted into electronic signal for following deinterleaving, i.e., recovering of original data. Due to the fact that RNG in source and destination are synchronized, both generate the same pseudo random numbers, i.e., generator polynomials and seeds to define and initialize LFSR, respectively. As a result, OKG generates the same keys for en- und decryption.
We propose to use all-optical XOR gate [5, 8, 9] for encryption. From the security perspective, the XOR operation transforms the original data into encrypted data and, thus, can prevent wiretapping, whereby each incoming plaintext of length in source is mixed, i.e., XOR concatenated, with a session key of length into encrypted data of the length . The encrypted data is decrypted at the destination as . Here, the ultrafast nonlinear interferometers based on semiconductor optical amplifiers (SOAs) can be used to combine two optical streams at line rate up to Gb/s , whereby transverse electric (TE) and transverse magnetic (TM) components of a probe pulse can be split and recombine by setting the relative optical delays between them. The two data modulated pulsed signals to undergo XOR operation, secret and key , are assumed to have equal bit rate up to Gb/s.
Ii-a Key generation with oLFSR
LFSR has been traditionally used for random number generation [10, 6] and not for key generation, due to the known weak cryptographic security. In its basic configuration, as illustrated in Fig. 2a based on , the shift register has a fixed size of bits, whereby the seed of bits presents the initial sequence. From this register, a set of fixed bits denoted as and , corresponding to the generator polynomial , are XOR concatenated and the resulting bit is fed to the shift register at the last position (). After that, the sequence in the register is 1-bit shifted. To address the issue of weak security, we use a nonlinear pseudo RNG at comparably lower line rate in combination with parallel LFSRs, and deploy reseeding of LFSR during key generation. With a proper choice of system parameters, we later show that we are able to implement a secure key generation.
Fig. 2b illustrates the key generation. To generate a session key , OKG uses a generator polynomial of degree and seed , both randomly selected by RNG. Since RNGs in source and destination are synchronized, i.e., able to generate the same polynomials and seeds , the key generated can be infinitely long. We propose to utilize generator polynomials to assign the same number of corresponding parallel oLFSR, whereby each polynomial corresponds to one oLFSR configuration. In our system, a randomly selected seed is forwarded towards its corresponding oLFSR as selected by an optical switch. The resulting optical signal from that oLFSR is finally forwarded as an encryption key to the optical XOR. It should be noted that the RNG provides a true secret key stream at lower line rates, i.e., electronic bit streams at rate Gbit/s [11, 12] to define generator polynomial (oLFSR) and seeds. The oLFSR allows us to extend this secret to a comparably longer optical encryption key , namely at line rates of Gbit/s . Thus, oLFSR makes it possible to adapt the length and bit rate of true secret key at the optical line rate, which is the system salient feature.
In summary, the system proposed addresses the issue of weak cryptographic security of the LFSR through the following simple system modifications, including use of: (1) different generator polynomials of any degrees , and (2) randomly selected seeds to start off the LFSR; (3) reseeding, i.e., periodical selecting of new seeds during generation of certain key with defined polynomial, and (4) implementation of reconfigurable OKG with parallelized LFSRs. The reseeding can help us to increase the amount and randomness of bit sequence generated by RNG, whereby RNG can generate new seed continuously or periodically, depending on configuration; for instance, the triggering can be configured by the control plane to occur periodically. It should be noted that using different polynomials with optical components is a challenge. As already studied elsewhere, in a system with different polynomials implemented in electronics, each polynomial would have to be implemented as a separate LFSR  or by extending of logic gates , which does not scale. The idea of parallel oLFSR and optical switching thus replaces the need for periodical polynomial reconfiguration, which can today only be implemented in electronics. While the chosen oLFSR generates a part of an infinite long session key, RNG can then define the next random seed for its initialization, to be cyclically reseeded, etc.
Ii-B Attacker Model
We analyze the wiretapping attack, whereby the attacker is always able to access the fiber link and, thus, any encrypted part . Due to bit interleaving of data before optical encryption, the secret content can be only revealed, if a whole optical data is decrypted and deinterleaved. Thus, the attacker must guess any secret keys first. In case an attacker can access the end system and analyze the generation technique of session key, the probability for breaking the LFSR at the first try is : an attacker is able to break LFSR based on generator polynomial of degree with a time complexity defined as and memory complexity , if receiving bits generated by LFSR. Considering this weakness, we assume that the attacker already knows the structure of OKG based on LFSRs. All that is left then to guess a correct generator polynomials and correct sequence of seeds.
Iii System analysis
This section focuses on computational security, i.e., complexity to find out the right generator polynomial and the right sequence of seeds utilized to generate . We analyze the required number of parallel LFSRs and number of required reseeds to make the system computationally secure. We also discuss bounds of the parameters required for OKG implementation.
Iii-a Security analysis
For the analysis, we assume that all primitive irreducible polynomials of any degree are known and can be utilized for initialization of oLFSR. We assume that RNG can randomly select one out of generator polynomials of any degree , , where is Euler function. Generally, the minimal degree should be defined so that the key length generated by LFSR is larger than the length of secret data encrypted by this key , i.e., and , to avoid the cyclic repeat of a key. However, due to the fact that the length of optical data can be very large, i.e., multiples of , , we can relax the condition for minimal polynomial degree as follows , where describes the number of reseeds.
When utilizing polynomials of any degree , the parameters and of length are chosen randomly, and kept secret. Thus, the entropy of true secret key can be defined as , while one out of existing generator polynomials of degree and a seed out of can be selected for generation of encryption key . From the attacker’s perspective, the session key can be an arbitrary bit sequence out of possible ones, i.e., the entropy can be defined as bits. Generally, an attacker can follow the algorithm for generation of key and, thus, either guess any and , or directly guess a bit sequence of length . In the former case, the equivocation is defined as . In the latter case, . It is faster however to guess the parameters and , if . Thus, the equivocation must be equal to or larger than entropy for a perfect secrecy . The resulting condition for a perfect secrecy can be defined as
Eq. (1) also defines the maximal size of optical data encrypted before the new cycle of oLFSR reseeding. For a strong practical security, the system must be unbreakable also in case of a brute force attacks (BFA), whereby the key computation complexity, i.e., time overhead, must be high. Since an attacker must check all combinations of polynomials and seeds, the time required to break the proposed system is
where is a time required for decryption with one key guessed by the attacker, while key guessing time (generation of one binary sequence with known LFSR) is assumed as zero, and is a number of reseeds. Since secret optical data flow is, generally, larger than the optimal key length defined by Eg. (1), i.e., , the oLFSR must be either reseeded every time bits of optical data are encrypted. Thus, the number of key reseeds depends on optimal key length and data flow length and can be defined as
When generator polynomials utilized in our system are predefined and oLFSR could be generated on the fly (which would only be possible in electronics), they also need to be stored. The buffer size required is a function of degree :
Iii-B Discussion on implementation
The utilization of all polynomials of given degree , are very hard to implement in practice and especially all-optically. Thus, we propose to bound primitive irreducible polynomials of the same degree to correspond to all-optical LFSRs and use them in parallel, whereby only one oLFSR is selected and periodically reinitialized by seed to generate a part of a session key. Since there is a need for erasing of shift register (initialization) and for skipping the first output bits related to random seed, oLFSR initialization can lead to key generation interruptions and decrease in bit rate of OKG. Thus, there is a need for optical buffer and controlled signal clocking. However, we envision, that the oLFSR initialization will be most efficient, when another oLFSR based on the same generator polynomial is generating a key, whereby the duration of key generation period must be at least the same as duration of oLFSR initialization. To this end, we propose to relax the condition for optimal key length defined by Eq. (1), as , , and analyze next the practical security of proposed reseeding method.
Let us now reverse engineer the number of oLFSRs and its length required given the time needed for a possible BFA, where is set to a very large number of years and the time for one decoding try is defined by the state of the art technology and known. When the OKG consists only of oLFSRs (each implementing one polynomial of degree ), the Eq. (2) can be modified as , where the number of required reconfigurations is defined by Eq.(3) and with modified as . As a result, boundary condition for strong practical security is defined as
where the number of parallel oLFSRs is limited as and .
Iv Numerical Results
In this section, we show the numerical results for the previous analysis. First, we consider all possible generator polynomials of degrees from to , i.e., . To define a range of required generator polynomials, i.e., , we focus on two case studies: C1) is fixed and is variable; C2) is fixed and is variable. We assumed that optical bit flow has a size Gbits (e.g., an OTN transmission unit) and decryption time = sec based on data from Aurora  at Petaflops.
Fig. 3 shows optimal key length defined by Eq.(1) and the required number of key reseeds as a function of polynomial degree . For C2, is constant (around bits) for any . For C1, the optimal key length increases with increasing . However, the key length directly defines the number of reseeds. In contrast to C2, where is minimal and constant, the number of reseeds, in case of C1, decreases with increasing .
Fig. 4 shows the time (in years) required to decode a wiretapped optical data of size in case of Brute Force Attack (BFA) calculated with Eq. (2) as well as the storage required in the node. As it can be seen, a prohibitively long time of over years can be measured in case of for . In this case, around GByte additional storage is required to store the generator polynomials. In C2, an attacker requires more than years to decrypt a whole data flow, whereby this time is constant for all . On the other hand, it requires prohibitively large storage of Gbyte. In general, larger the polynomial degree better the security.
Fig. 5 shows the boundary conditions for practical realization of all-optical key generator based on a few generator polynomials. It shows the minimal required polynomial degree as a function of amount of parallel oLFSRs and the key length generated prior to the reseed. Here, we assumed the duration of BFA as years, as in case of BFA on AES key of length bits (calculated under assumptions made). The increasing length of key generated with the same seed increases the required polynomial degree . However, the increasing number of parallel oLFSRs utilized decreases the polynomial degree required. For example, OKG based on only oLFSR (g=106) can provide the same time complexity for BFA as OKG based on oLFSRs of the same length, if the maximal key length generated between reseeds is bounded as and , respectively.
We proposed for the first time to utilize all-optical XOR technique for encryption in the optical layer at line rate, with a technique based on parallel all-optical LFSRs for generation of infinite long key. We showed that using different generator polynomials of defined degree, which are periodically reseeded, can provide a high practical security of optical data transmitted. The main results of this study is that the all-optical implementation of the key generator which is based on only optical LFSRs of an optimized length of bits provides high computational security (BFA takes years), whereby bits of the key can be generated without reseeding.
- “Fsp 3000,” 2014. [Online]. Available: http://www.advaoptical.com/home/products/scalable-optical-transport/fsp-3000
- X. Y. et al., “Simple 40 gbit/s all-optical xor gate,” Electronics Letters, vol. 46, no. 3, pp. 229–230, 2010.
- X. Z. et al., “High-speed all-optical encryption and decryption based on two-photon absorption in semiconductor optical amplifiers,” IEEE/OSA Journal of Optical Communications and Networking, vol. 7, no. 4, pp. 276–285, 2015.
- M. S. et al., “Optical linear feedback shift register,” in CLEO EUROPE/EQEC, 2011, pp. 1–1.
- E. D. et al., “All-optical xor gate using single quantum-dot soa and optical filter,” Journal of Lightwave Technology, vol. 31, no. 23, pp. 3813–3821, 2013.
- K. Z. et al., “Pseudorandom bit generators in stream-cipher cryptography,” Computer, vol. 24, no. 2, pp. 8–17, 1991.
- Y. M. J. et al., “All-optical circular shift register using semiconductor optical amplifiers,” in International Conference on Photonics in Switching, 2006, pp. 1–2.
- Y. T. et al., “Simulation and demonstration of directed xor/xnor logic gates using two cascaded microring resonators,” IEEE Photonics Journal, vol. 8, no. 2, pp. 1–11, 2016.
- X. T. et al., “Experimental demonstration of high-speed logic gates of or, and, xor and nor in optical domain based on a single i/q modulator and direct detection,” in COMCAS, 2015, pp. 1–3.
- J. M.-S. et al., “Multiple-polynomial lfsr based pseudorandom number generator for epc gen2 rfid tags,” in IECON 2011, 2011, pp. 3820–3825.
- M. A. et al., “Design of a pseudo-chaotic number generator as a random number generator,” in COMM, 2016, pp. 401–404.
- A. M. et al., “High speed and secure variable probability pseudo/true random number generator using fpga,” in SIITME, 2015, pp. 323–328.
- C. E. Shannon, “Communication theory of secrecy systems,” The Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, 1949.
- “Aurora,” 2016. [Online]. Available: http://aurora.alcf.anl.gov/