

Page 1: [IEEE 2010 5th International Symposium on Telecommunications (IST) - Tehran, Iran (2010.12.4-2010.12.6)] 2010 5th International Symposium on Telecommunications - Adaptive random puncturing

2010 5th International Symposium on Telecommunications (IST'2010)

Adaptive Random Puncturing based Secure Block Turbo Coding

(ARPSBTC)

Mohammad Sadegh Daghighi

Tehran, Iran

Ali Payandeh

Department of Electrical Engineering Malek-e-Ashtar University of Technology

Tehran, Iran

Mohammad Reza Aref

Department of Electrical Engineering Sharif University of Technology

Tehran, Iran

Abstract- Reliability and security are two important subjects in modern digital communications. A secure channel coding scheme provides both reliability and security in one process to combat problems in an unreliable and insecure channel. In this paper, a secure block turbo coding scheme is proposed and analyzed. Security and reliability are based on pseudo-random puncturing. Simulation results show that this scheme has superior performance and high security.

Keywords- Block Turbo Code; product code; iterative decoding; pseudo-random puncturing.

I. INTRODUCTION

Merging error correcting coding and security in a single step is an interesting idea for reducing the overall cost of a system while achieving good performance. This subject is especially important in a public and unreliable (noisy) channel.

The use of linear error correcting codes over finite fields in cryptography dates back to 1978 [1], when McEliece introduced a public key cryptosystem using Goppa codes. The security of this scheme is based on two facts: 1) the decoding problem of a general linear code is an NP-complete problem [2] and 2) there are a huge number of equivalent Goppa codes with given parameters. Compared with other public key cryptosystems, McEliece's scheme has the advantage of high speed encryption and decryption, but despite this advantage, it is still not widely used. This is because it suffers from two weaknesses: 1) low information rate and 2) large matrices for the secret keys and public key.

The real difficulty in the field of channel coding is essentially the problem of decoding complexity of powerful codes. A way to tackle this problem is to construct good codes which exhibit reasonable decoding complexity, and one possible solution is to use concatenated (turbo) codes. The strategy of turbo coding is to build powerful error correcting codes by associating two or more codes with reasonable decoding complexity.

978-1-4244-8185-9/10/$26.00 ©2010 IEEE

A lot of papers have been published on turbo codes, but most of the authors have focused on convolutional turbo codes and very few have considered the block turbo code. In fact concatenated coding was first introduced for block codes. Unfortunately, the first decoding algorithms had poor performance because they relied on hard-input hard-output decoding.

Payandeh et al. [3] introduced an adaptive secure channel coding scheme based on pseudo-random puncturing of a convolutional turbo code. The advantages of their scheme are achieving good security without requiring a large key and also adaptation of the puncturing rate to the channel noise condition.

In this paper, we use block turbo codes instead of convolutional turbo codes. The organization of the paper is as follows: In Section 2 some background information about block turbo codes is provided. In Section 3 the secure coding scheme is introduced. In Section 4 the performance of the proposed scheme is investigated. The security of the proposed scheme is analyzed in Section 5. Simulation results are discussed in Section 6 and finally we conclude this paper.

II. PRELIMINARIES

From coding theory, it is known that by increasing the codeword length or the encoder memory, greater protection, or coding gain, can be achieved but complexity of decoding increases exponentially with the encoder memory.

In fact concatenated coding was first introduced by Elias [4] for product codes. Unfortunately the first decoding algorithms of product codes had poor performance with hard-input hard-output decoders.

Turbo codes were introduced by Berrou [5] and were shown to achieve near Shannon limit performance on the AWGN channel. The basic turbo encoder is composed of two convolutional encoders in parallel while the decoder is based on an iterative processing where two component decoders are used and exchange information between each other during the decoding process.

Pyndiah [6] introduced binary block turbo codes with a soft-input soft-output iterative decoding algorithm which offers a good trade-off between performance and complexity. Pyndiah showed that it is possible to obtain the same performance with block turbo codes as with the convolutional turbo codes.

A. Construction of the product codes

After introduction of turbo codes, it was revealed that product code is a special case of serially concatenated block turbo codes whose interleaver is a block interleaver.

Let us consider two linear block codes $C_1$, $C_2$ with parameters $(n_1, k_1, d_1)$, $(n_2, k_2, d_2)$ respectively. The product code $C = C_1 \otimes C_2$ is obtained by

1) Placing the $k_1 \times k_2$ information symbols in an array of $k_2$ rows and $k_1$ columns.

2) Coding the $k_2$ rows using code $C_1$.

3) Coding the $k_1$ columns using code $C_2$.

Fig.1 shows the construction of the product code $C$. The parameters of the resulting product code $C(n, k, d)$ are given by $n = n_1 \times n_2$, $k = k_1 \times k_2$, $d = d_1 \times d_2$ and the code rate is

$$R = R_1 \times R_2 = \frac{k_1 \times k_2}{n_1 \times n_2}.$$

B. Decoding of the product codes

(Serially concatenated block turbo codes)

The turbo decoding procedure by Chase algorithm was defined in [7]. In this algorithm, each decoder performs these tasks:

1- Hard decision of the soft input ($Y$).

2- Searching of $p$ least reliable bits in each column (row) in column (row) decoders.

3- Defining $2^p$ codewords in each column (row).

4- Decoding of these $2^p$ codewords and defining the set of these codewords ($Q$).

5- Nearest codeword to soft input ($R$) is assumed as $D$.

6- To produce soft output, for every bit we should find out of $Q$ a codeword that is nearest to $R$ but its $j$th bit is different from $d_j$. If this codeword ($C$) is found we use this equation

$$r'_j = \left(\frac{|R - C|^2 - |R - D|^2}{4}\right) d_j \qquad (1)$$

else we use this equation

$$r'_j = \beta d_j \qquad (2)$$

in which $\beta$ is an experimental parameter.

Figure 1. Construction of a Product Code. [8]

The decoding procedure described above is then generalized by cascading elementary decoders illustrated in Fig.2.
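Returning to the construction in subsection A, the following added example (not code from the paper) carries out steps 1) to 3) and confirms the stated parameters $n = n_1 \times n_2$, $k = k_1 \times k_2$, $d = d_1 \times d_2$ by enumerating every codeword. It assumes small single-parity-check component codes (3,2,2) and (4,3,2) instead of the BCH codes used later, and it encodes all $n_1$ columns, row-parity columns included, so that the array holds the full $n_1 \times n_2$ symbols; the function names are illustrative.

```python
from itertools import product


def spc_encode(bits):
    """Single-parity-check code (k+1, k, 2): append one even-parity bit."""
    return list(bits) + [sum(bits) % 2]


def product_encode(info, k1, k2, encode_c1, encode_c2):
    """Encode k1*k2 information bits with the product code C1 (x) C2."""
    # Step 1: place the information bits in an array of k2 rows and k1 columns.
    rows = [list(info[r * k1:(r + 1) * k1]) for r in range(k2)]
    # Step 2: encode each of the k2 rows with C1 (rows become n1 symbols wide).
    rows = [encode_c1(row) for row in rows]
    n1 = len(rows[0])
    # Step 3: encode the columns with C2. All n1 columns are encoded, which
    # also produces the "checks on checks" corner of the array.
    cols = [encode_c2([rows[r][c] for r in range(k2)]) for c in range(n1)]
    n2 = len(cols[0])
    # Return the array row by row: n2 rows of n1 symbols.
    return [[cols[c][r] for c in range(n1)] for r in range(n2)]


def code_parameters(k1, k2, encode_c1, encode_c2):
    """Return (n, k, d, R) of the product code by exhaustive enumeration."""
    k = k1 * k2
    n, d = 0, None
    for info in product((0, 1), repeat=k):
        array = product_encode(info, k1, k2, encode_c1, encode_c2)
        n = len(array) * len(array[0])
        weight = sum(sum(row) for row in array)
        # For a linear code the minimum distance is the minimum non-zero weight.
        if weight and (d is None or weight < d):
            d = weight
    return n, k, d, k / n


if __name__ == "__main__":
    # C1 = (3,2,2), C2 = (4,3,2): expect n = 12, k = 6, d = 4, R = 0.5.
    print(code_parameters(2, 3, spc_encode, spc_encode))
```
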

C. Performance of turbo codes

Asymptotic performance of a turbo code $(M, K, d_{free})$ is as follows [9]

$$P_b(e) = \frac{W_{free} N_{free}}{K}\, Q\!\left(\sqrt{2 d_{free} R \frac{E_b}{N_0}}\right) \qquad (3)$$

$K$ is length of the input sequence, $M$ is length of the output, $d_{free}$ is free distance of turbo code, $N_{free}$ is the number of codewords of weight $d_{free}$, $R$ is code rate and $W_{free}$ is weight of input sequence corresponding to the codeword of weight $d_{free}$.

III. NEW SECURE CODING SCHEME

A. Pseudo-Random Puncturing

Puncturing is the elimination of some bits of a codeword before sending it out, and the replacement of these bits with zeros before decoding. Puncturing is an effective technique to increase the data rate.

A practical structure of a secure block turbo coding scheme based on pseudo-random puncturing is shown in Fig.3. The task of the pseudo-random generator is to produce $N$ random integers (length of puncturing input) in the range $[1, M]$.

Figure 2. Iterative decoding of serially concatenated block turbo codes. [10]

Figure 3. A practical structure of secure block turbo coding scheme based on pseudo-random puncturing.

First, a given number ($N$) of bits of the turbo coded sequence are randomly selected and then these selected bits are permuted randomly. Therefore, the number of puncturing patterns obtained by concatenating random puncturing and random permutation equals

$$(M)_N = \frac{M!}{(M-N)!} \qquad (4)$$

Pseudo-random puncturing patterns must be secret and be changed randomly for each input sequence.
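The keyed selection-plus-permutation step and the zero-filling before decoding can be sketched as follows. This is an added example, not the authors' implementation: the HMAC-SHA256 counter-mode generator, the per-block index, the function names, the key and the sizes $M = 961$, $N = 600$ are all assumptions chosen for illustration, and positions are 0-based rather than in $[1, M]$.

```python
import hashlib
import hmac
import math


def keystream_ints(key: bytes, block_index: int):
    """Yield 32-bit integers from HMAC-SHA256 in counter mode.

    Stand-in for the scheme's pseudo-random generator (an assumption).
    """
    counter = 0
    while True:
        msg = block_index.to_bytes(8, "big") + counter.to_bytes(8, "big")
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        for i in range(0, len(digest), 4):
            yield int.from_bytes(digest[i:i + 4], "big")
        counter += 1


def uniform_below(stream, bound: int) -> int:
    """Unbiased integer in [0, bound) using rejection sampling."""
    limit = (1 << 32) - ((1 << 32) % bound)
    while True:
        value = next(stream)
        if value < limit:
            return value % bound


def puncturing_pattern(key: bytes, block_index: int, M: int, N: int):
    """Ordered list of N distinct positions out of M.

    A partial Fisher-Yates shuffle performs the random selection and the
    random permutation in one pass, so M!/(M-N)! patterns are reachable.
    """
    stream = keystream_ints(key, block_index)
    positions = list(range(M))
    for i in range(N):
        j = i + uniform_below(stream, M - i)
        positions[i], positions[j] = positions[j], positions[i]
    return positions[:N]


def puncture(coded, pattern):
    """Transmitter: keep only the selected symbols, in permuted order."""
    return [coded[p] for p in pattern]


def depuncture(received, pattern, M: int):
    """Receiver: restore positions; punctured symbols become 0 (no information)."""
    soft = [0.0] * M
    for value, p in zip(received, pattern):
        soft[p] = value
    return soft


def pattern_count(M: int, N: int) -> int:
    """Equation (4): number of ordered N-selections from M positions."""
    return math.factorial(M) // math.factorial(M - N)


if __name__ == "__main__":
    key = b"constructed-demo-key"                       # constructed sample key
    coded = [1.0 if i % 3 else -1.0 for i in range(961)]  # constructed BPSK symbols
    pattern = puncturing_pattern(key, 0, 961, 600)
    restored = depuncture(puncture(coded, pattern), pattern, 961)
    print(sum(1 for v in restored if v == 0.0), "positions zero-filled")
```

Feeding a fresh block index into the generator for every input sequence gives each sequence its own pattern, which is the property the last sentence of this section requires.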

IV. PERFORMANCE ANALYSIS OF SECURE BLOCK CODING SCHEME

Some puncturing patterns are unsuitable and degrade the performance of the turbo code. Unsuitable patterns are those which make convergence of iterative decoding and recovery of the message impossible because of inordinate elimination of "1" bits of the turbo coded sequence, but it is verifiable that the probability of error in the received sequence can be made arbitrarily small. In this scheme each coded bit is punctured with probability $\lambda = 1 - \frac{N}{M}$ independently. If the input of the puncturing unit is a codeword of weight $d$ then its output weight will be $h$ with probability

$$\binom{d}{h}(1-\lambda)^h \lambda^{d-h} \qquad (5)$$

Suppose that the interleaver is uniform; then the average number of punctured codewords of weight $h$ equals

$$A_h^P = \sum_{d=h}^{M} A_d \binom{d}{h}(1-\lambda)^h \lambda^{d-h} \qquad (6)$$

$A_d$ is the average number of unpunctured codewords of weight $d$. For a binary linear code with weight distribution $A_h$, the upper bound of the word error probability using an ML decoder is

(7) h=l

$\gamma$ is the Bhattacharyya noise parameter. For discrete and continuous alphabet channels this parameter is as follows [7]

$$\gamma_{discrete} = \sum_{y \in \Omega} \sqrt{P(y|0)P(y|1)} \qquad (8)$$

$$\gamma_{continuous} = \int \sqrt{P(y|0)P(y|1)}\, dy \qquad (9)$$

$\Omega$ is the output alphabet and $P(y|0)$, $P(y|1)$ are channel transition probabilities.

From (6) and (7) it is obtained that [11]

$$P_W(e) \le \sum_{h=1}^{N} A_h^P \gamma^h = \sum_{h=1}^{N} \sum_{d=h}^{M} A_d \binom{d}{h}(1-\lambda)^h \lambda^{d-h} \gamma^h \qquad (10)$$

For a memoryless channel by r< exp ( -( Ao + log 1 �A) J

it could be shown that

$$\lim_{N \to \infty} P_W(e) = 0 \qquad (11)$$
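Equations (5), (6), (8) and (10) can be evaluated directly, as in this added example (not from the paper). It assumes the weight distribution of the (7,4) Hamming code as a small constructed input and a binary symmetric channel for (8). It also checks, via the binomial theorem, that the bound in (10) equals $\sum_d A_d\left[(\lambda + (1-\lambda)\gamma)^d - \lambda^d\right]$, so independent puncturing behaves like a channel with Bhattacharyya parameter $\lambda + (1-\lambda)\gamma$; function names are illustrative.

```python
import math


def bhattacharyya_discrete(p_y_given_0, p_y_given_1):
    """Equation (8): sum over the output alphabet of sqrt(P(y|0) P(y|1))."""
    return sum(math.sqrt(p_y_given_0[y] * p_y_given_1[y]) for y in p_y_given_0)


def punctured_enumerator(A, lam):
    """Equation (6): map h -> A_h^P, given A as a map d -> A_d (d >= 1).

    Each coded bit is punctured independently with probability lam, so a
    weight-d codeword keeps weight h with the probability of equation (5).
    """
    result = {}
    for d, a_d in A.items():
        for h in range(d + 1):
            prob = math.comb(d, h) * (1 - lam) ** h * lam ** (d - h)  # eq. (5)
            result[h] = result.get(h, 0.0) + a_d * prob
    return result


def union_bound(A, lam, gamma):
    """Equation (10): sum over h >= 1 of A_h^P * gamma^h."""
    spectrum = punctured_enumerator(A, lam)
    return sum(a * gamma ** h for h, a in spectrum.items() if h >= 1)


def union_bound_closed_form(A, lam, gamma):
    """Same bound after summing over h with the binomial theorem."""
    gamma_eff = lam + (1 - lam) * gamma
    return sum(a_d * (gamma_eff ** d - lam ** d) for d, a_d in A.items())


# Constructed input: non-zero weight distribution of the (7,4) Hamming code.
HAMMING_7_4 = {3: 7, 4: 7, 7: 1}

if __name__ == "__main__":
    # Binary symmetric channel with crossover probability 0.1.
    gamma = bhattacharyya_discrete({0: 0.9, 1: 0.1}, {0: 0.1, 1: 0.9})
    for lam in (0.0, 0.25, 0.5):
        spectrum = punctured_enumerator(HAMMING_7_4, lam)
        # spectrum[0] is the expected number of non-zero codewords punctured
        # down to weight zero, i.e. hit by an unsuitable pattern.
        print(lam, round(spectrum[0], 4), round(union_bound(HAMMING_7_4, lam, gamma), 4))
```
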

V. SECURITY ANALYSIS OF SECURE BLOCK CODING SCHEME

General assumptions of security analysis are:

1- Coding structure is public.

2- Structure of pseudo-random generator is public and has a very large period.

3- Input sequence and output sequence are public.

4- Only unknown (private) parameter is the key (pattern) of pseudo-random puncturing.

Security of this cryptosystem is based on two computationally hard problems, which are an exhaustive search on the key space and the turbo decoding of a random punctured sequence.

Two main types of attack can be considered for this cryptosystem: 1) decoding attacks, 2) trapdoor attacks.

A. Decoding attack

This type of attack is based on examination of all patterns of random puncturing. The cryptanalyst attempts to recover the plaintext directly from the ciphertext. If this attack succeeds then the plaintext is recovered but the cryptosystem is still secure because the private keys have not been revealed.

Construction of an $M$-bit vector depends on the input weight. If the weight of the input binary sequence is $h$ then its total number equals

$$\binom{M}{h} = \frac{M!}{h!(M-h)!} \qquad (12)$$

By assumption that the probability of varying weight of input sequences is uniform, the average number of states equals $\frac{1}{N}\sum_{h=1}^{N}\binom{M}{h}$ and then the work factor of this attack is as follows

$$WF = C_D(L,I) \times \frac{1}{N}\sum_{h=1}^{N}\binom{M}{h} \qquad (13)$$

$C_D(L,I)$ is the complexity of turbo decoding, which depends on the length of the interleaver ($L$) and the iteration number of decoding ($I$). If the length of the turbo coded sequence ($M$) is as large as possible then this attack will be unsuccessful.

B. Trapdoor attacks

These attacks are based on revealing the private keys from the ciphertext or from a pair of plaintext and related ciphertext. Trapdoor attacks are divided into four groups: 1) Ciphertext Only Attack (COA), 2) Known Plaintext Attack (KPA), 3) Chosen Plaintext Attack (CPA) and 4) Chosen Ciphertext Attack (CCA).

COA: The cryptanalyst has to perform decoding operations for all possible keys. In general, if the length of the key is $k$ bits then the number of possible keys for a linear pseudo-random number generator equals $2^k$.

By assumption that occurrence probability distribution of different patterns is uniform, average work factor of this attack equals to

(14)

KPA: Since the structure of the encoder is known, the cryptanalyst can use the message sequence $X$ to obtain the related sequence $Z$ (Fig.3). Then he/she obtains suitable choices of puncturing patterns for each pair $(Z, Y)$. If the $Z$ sequence consists of $M_0$ "0" and $M_1$ "1" and the $Y$ sequence consists of $N_0$ "0" and $N_1$ "1" then the overall number of cases for construction of $Y$ from $Z$ equals

(15)

The minimum number of cases for construction of $Y$ from $Z$ occurs when $Z$ consists of exactly $N$ "0" or $N$ "1" and the same bits are selected for construction of $Y$. In this situation, the overall number of cases equals $N!$. Therefore

$$N! \le (M_0)_{N_0} \times (M_1)_{N_1} \le (M)_N, \quad M_0 + M_1 = M \qquad (16)$$

If $M$ and $N$ are large ($M, N > 100$) then the memory required for storage and the computational complexity of analyzing all suitable choices are very high.

CPA: A lower weight of input to the random puncturing unit results in fewer cases for finding out some bits of the output of the random number generator.

The minimum weight of the input sequence to the puncturing unit is not lower than the free distance of the turbo code ($d_{free}$). Therefore

DPN Mdfr<'d \ iterations are required to obtain DpN bits

N(M -1) flw-

of pseudo-random number generator. Therefore by a non-linear random number generator equivalent to a large (within period) linear number generator or by increasing $d_{free}$, sufficient security will be assured.

CCA: This attack is similar to the previous attack but because of the higher complexity of iterative decoding, its computational complexity is higher. This attack necessitates the use of a non-linear pseudo-random number generator for security.

It is remarkable that these cryptosystems are secure against the Berson [12] attack, since because of the variation of patterns, comparison between ciphertexts is ineffective.

To better appreciate the advantages of the proposed scheme, we can compare the size of its private key with, for example, that of the Rao-Nam [13] private key cryptosystem. This comparison is included in Table I. Assume that $k$ is the length of the message and $n$ is the length of the codeword. It is obvious that if the coding rate tends to 1 then the Rao-Nam key size will be approximately four times the ARPSBTC key size.

VI. SIMULATIONS

The proposed scheme was simulated in Matlab 7.4. The BTC inner and outer encoders are of type BCH(31,16); in other words, the product code is BCH(31,16)$^2$. BPSK modulation was used and the channel is AWGN. For the BTC decoder, $p=4$.

Fig.4 shows that by using pseudo-random puncturing based

cryptosystem even by a high puncturing rate, e.g. % ' we can

achieve an arbitrary BER.

TABLE I. COMPARISON OF ARPSBTC WITH RAO-NAM

| | ARPSBTC | Rao-Nam |
|---|---|---|
| total size of the keys | $n^2$ | $(k+n)^2$ |
| total size of the keys ($n \gg k$) | $n^2$ | $n^2$ |
| total size of the keys ($n \approx k$) | $n^2$ | $4n^2$ |

Figure 4. Effect of varying puncturing rate on the performance of TPC BCH(31,16)$^2$ in a) iteration 4, b) iteration 5. (Panel titles: "Comparison in Iteration4", "Comparison in Iteration5"; horizontal axis: Eb/No (dB).)

Fig.5 shows a practical implementation of random puncturing based cryptosystem. As can be seen, in iteration 4 or 5 we can recover original picture.

CONCLUSION

In this paper, a secure coding scheme was proposed and its security and performance were analyzed extensively. By using random puncturing, superior security and performance are achieved. Moreover, the data rate can be varied continuously. In other words, by using random puncturing whose rate is adapted by channel estimation, the capability of the turbo coding system is used completely. In this method, good performance can be achieved even at a high puncturing rate.

REFERENCES

[1] McEliece, R.J., "A public-key cryptosystem based on algebraic coding theory", Deep Space Network Progress Report, Nos. 42-44, Jet Propulsion Labs, Pasadena, CA, pp. 114-116, January & February 1978.

[2] Berlekamp, E.R., McEliece, R.J., Van Tilburg, H.C.A., "On the inherent intractability of certain coding problems", IEEE Trans. Inform. Theory, vol. 24, No. 5, pp. 384-386, 1978.

[3] Payandeh, A., Ahmadian, M., Aref, M.R., "Adaptive secure channel coding based on punctured turbo codes", IEE Proc. Commun., vol. 153, No. 2, pp. 313-316, April 2006.

[4] Elias, P., "Error-free coding", IRE Trans. Inf. Theory, Vol. IT-4, pp. 29-37, September 1954.

[5] Berrou, C., Glavieux, A., Thitimajshima, P., "Near Shannon limit error-correction coding and decoding turbo codes", In Proc. Int. Conf. Commun., pp. 1064-1070, 1993.

[6] Pyndiah, R.M., "Near-optimum decoding of product codes: block turbo codes", IEEE Trans. Commun., Vol. 46, August 1998.

[7] Chase, D., "A class of algorithms for decoding block codes with channel measurement information", IEEE Trans. Info. Theory, vol. IT-11, pp. 170-182, January 1972.

[8] Kim, S., Ryoo, S., Ahn, D.S., "Evaluation of rate compatible block turbo codes for multimedia application in satellite communication network", Int. J. Satell. Commun. Network, 24:419-435, 2006.

[9] Perez, L.C., Seghers, J., Costello, D.J., "A distance spectrum interpretation of turbo codes", IEEE Trans. Info. Theory, vol. IT-42, no. 2, pp. 1698-1709, 1996.

[10] Breiling, M., "A logarithmic upper bound on the minimum distance of turbo codes", IEEE Trans. Info. Theory, vol. IT-50, no. 8, pp. 1692-1710, August 2004.

[11] JianGue, Y., Ze, J., YouJu, M., Wenwei, Y., Wei, Y., "The novel super-fec coding scheme based on the block turbo code for long-haul optical transmission systems", WICOM, pp. 1-4, 2006.

[12] Berson, T., "Failure of the McEliece public-key cryptosystem under message-resend and related-message attack", In Proc. of CRYPTO 97, LNCS 1294, pp. 213-220, Springer Verlag 1997.

[13] Rao, T.R.N., Nam, K.H., "Private-key algebraic-coded cryptosystems", Advances in Cryptology-CRYPTO'86, Lect. Notes in Computer Science, Springer-Verlag, vol. 263, pp. 35-48, 1986.

Figure 5. Performance of secure block turbo coding based on pseudo-random puncturing (puncturing rate = 4/9): a) channel output, b) iteration 1, c) iteration 2, d) iteration 3, e) iteration 4, f) iteration 5.