A New Cross-Layer FPGA-Based Security Scheme for Wireless Networks

2.1 Multi-level convolutional cryptosystem

The multi-level convolutional cryptosystem constitutes the second stage of implementation at the physical layer. It receives integers from the RNS implemented at the first stage. The multi-level cryptosystem is implemented using subband coding and non-linear convolutional cryptosystem.

2.1.1 Subband coding

The integers from the RNS block are split into different levels of decomposition based on subband coding. Subband coding is implemented using integer wavelet lifting scheme [10, 11]. It is shown in [12] that, a judicious choice of filter banks could result into an integer transform despite the fact that, wavelet transform is an approximation process. A four-tap Daubechies polyphase matrix, which results into integer transforms, is given as follows [12]:

Pnewz=hezgenewzhozgonewzE1

where h and g are filter coefficients with suffix e and o denoting even and odd coefficients. The factorization of the polyphase matrix is as follows [12, 13, 14].

Pz=P˜z=1−3011034+3−24z−111z013+12003−12E2

(Eq. (2)) forms the basis of integer to integer wavelet transform which in effect is progressive transmission. The factored coefficients h1=−3,h2=34,h3=3−24,h4=3+12,h5=3−12 are used to compute the approximate and detail sequences. In such transmission, the original data is split into two portions, namely approximate and detail sequences. The detail sequence is transmitted while the approximate sequence is further split into two halves. The process is repeated until the final data point. Using (Eq. (2)), the approximate, a_n and the detail, d_n sequences could be computed as follows [12, 15]:

anmj=x2lh1mj+x2l‐1mj.h2mj+x2l‐1mjdnmj=x2lh1mj+x2l‐1mj+an‐1mjE3

where a_n and d_n are the approximation and detail sequences of wavelet coefficients of the nth sample. The subsequent transmissions are fed into the non-linear convolutional coding block as depicted in Figure 1 for the first level kth detail and approximation sequences [12, 15]. The processing blocks (PEs) shown in the figure depicts the computations of (Eq. (3)).

The final decomposition level which comprises one data point will give one approximation coefficient and one detail coefficient.

At the destination, the inverse wavelet transform is performed to obtain the successive approximation sequences. (Eq. (3)) is used to perform the inverse transform by reversing the operations for the forward transform and flipping signs [12, 15]. The process starts with the approximation and detail coefficients a₀ and d₀ respectively obtained at the final decomposition level of the forward transform. The first stage of the inverse transform is shown in Figure 2 [12, 15].

The (↑2) symbol represents upsampling by 2, which means that zeros are inserted between samples while H₂ and H₃ are the filter coefficients used in (Eq. (3)).

2.1.2 Nonlinear convolutional cryptosystem

A major advantage of symmetric cryptography is the ability of composing primitives to produce stronger ciphers although on their own the primitives will be weak. Hence, the vulnerable convolutional code block will be cascaded into different stages using the product ciphers obtained from the S-box and P-box to form a non-linear convolutional cryptosystem.

• Key generation: The specifications of the private keys used in the implementation of the cascaded convolutional cryptosystem are as follows [12, 15, 16]:

  1. States of each transducer or convolutional code block in the cascade given by the contents of the sub-matrices in the generator matrix;

  2. The transition functions. These are mappings used to compare the input bits and present state and switches to the appropriate next state;

  3. n-bit S-boxes. They are used to shuffle the output bits.

  4. n-bit P-boxes. They are used for the different permutations per level of decomposition.

For illustrative purposes, an (8, 8, 2) convolutional encoder will be considered to demonstrate the keys generation process.

2.1.2.1 States of convolutional code block or transducer

For an 8 × 8 matrix, there are at least 2¹⁶ ways or keys in which the connections of a register to the modulo-2 adder could be made. A possible key which gives the contents of the 8 × 8 matrix are shown in (Eq. (4))

E4

The generator matrix is used to specify the following set of 8 vectors.

X(7) := A1(7) ⊕ A3(7);                            X(6) := A1(7) ⊕ A1(6) ⊕ A3(6).

X(5) := A1(5) ⊕ A3(5) ⊕ A3(6);            X(4) := A1(4) ⊕ A3(4) ⊕ A3(5).

X(3) := A1(3) ⊕ A3(3) ⊕ A3(4);            X(2) := A1(2) ⊕ A3(2) ⊕ A3(3).

X(1) := A1(1) ⊕ A3(1);                           X(0) := A1(0) ⊕ A3(0).

It should be recalled that, for an (n,k,L) convolutional encoder, each vector has Lk dimensions and contains the connections of the encoder to the modulo-2 adder.

The structure of the (8, 8, 2) convolutional encoder is shown in Figure 3 with A2, A3 representing the registers M11,M21 while A1 represents the input data.

2.1.2.2 The transition functions

For an (8,8,2) convolutional code, there are 2⁸ = 256 mappings or keys. There are two sets of transition functions denoted as f₁ for the two possible states.

For example, a transition function that compares input data to state 1 and remains in state 1 is given as follows:

f110000000000000001000000100000001100000100,000001010000011000000111=1E5

In (Eq. (5)), if the input data is any of the sequences {[00000000], [00000001], [00000010], [00000011], [00000100], [00000101], [00000110], [00000111]}, the present state of the transducer which is state 1 is retained.

A transition function that compares input data to state 1 and switches to state 2 is given as follows:

f110000100000001001000010100000101100001100,000011010000111000001111=2,E6

In (Eq. (6)), if the input data is any of the sequences {[00001000], [00001001], [00001010], [00001011], [00001100], [00001101], [00001110], [00001111]}, the present state of the transducer which is state 1 is changed to state 2.

At the destination, the transition functions are similar to those for the encoder at the source but change roles. The transition functions are very critical in the implementation of convolutional cryptosystem since it accounts for its dynamic nature, hence an increase in security level.

2.1.2.3 S-box entries

For an (8,8,2) convolutional code, using 2-bit shuffling boxes, there are 16 S-boxes or keys. For higher n-bit shuffling boxes, the number of keys increases, for example 8-bit shuffling boxes will give 2⁸ keys. The four 2-bit S-boxes used to illustrate the scheme are shown in Table 1. Given an 8-bit data sequence as [A₇, A₆, A₅, A₄, A₃, A₂, A₁, A₀], the look-up S-box, Sub_1,1 is used to shuffle the first pair of bits, [A₇, A₆], Sub_1,2 is used to shuffle the second pair [A₅, A₄], Sub_1,3 is used to shuffle the third pair [A₃, A₂], and Sub_1,4 is used to shuffle the last pair [A₁, A₀].

Table 1.

2-bit shuffle look-up-table.

2.1.2.4 P-box entries

The interconnections between inputs and outputs are implemented using a permutation set look-up table. For an (8,8,2) code, the eight (08) inputs and outputs could be permuted or interconnected in at least 7⁷ = 823,543 ways. A permissible permutation is shown in Table 2 [12, 15].

Table 2.

Input–output interconnect look-up-table for encoder.

After the specification of the keys, the vulnerable convolutional code block will be cascaded into different stages using the product ciphers obtained from the S-box and P-box. Using two (02) stages, a non-linear (8, 8, 2) 2-cascaded is as shown in Figure 4.

In Figure 4, Sub_1,1, Sub_1,2, Sub_1,3 and Sub_1,4 are S-boxes used for pairwise bit shuffling and the input vector to the first transducer, {X₇, X₆, X₅, X₄, X₃, X₂, X₁, X₀} is the output set from the subband encoding block while the output vector {Y₇, Y₆, Y₅, Y₄, Y₃, Y₂, Y₁, Y₀} is the ciphertext from the second transducer stage.

It is worth noting that the security level could be greatly increased by increasing the number of stages to be cascaded.

2.2 Residue number system (RNS)

The residue number system uses the Chinese remainder theorem (CRT) to compute unknown values from the remainders left or residues when unknown values are divided by known numbers.

The modular Chinese remainder theorem states that [17, 18]:

Assume m₁, m₂, …, m_N are positive integers, relatively prime pairs: (m_i, m_k) = 1 if i # k. Let {b₁, b₂, …, b_N} be arbitrary integers, then the system of simultaneous linear congruence

has exactly one solution modulo the product m₁, m₂, …, m_N. The solution to the simultaneous linear congruence is formally given as [15, 17, 18].

where m̂j=MmjandM=∏j=1Nmj.

(Eq. (8)) establishes the uniqueness of the solution. In this research, the integers Tj=∣xjm̂j∣ often referred to as the multiplicative inverses of m̂j are computed a priori by solving the linear congruence in (Eq. (7)). In other words, if M_j = M/m_j, then the multiplicative inverses, T_j are computed by solving the congruence T_jM_j = 1 (mod m_j).

2.3 RSA public-key cryptography

• Key creation

  1. Choose secrete primes p and q and compute m = p.q

  2. Choose encryption exponent, e

  3. Compute d satisfying e.d ≡ 1 mod ((p – 1). (q – 1)).

  4. Public key: (m, e) and Private key: d

• Security services achieved using RSA cryptography are authentication and non-repudiation based on digital signatures and confidentiality based on encryption. Implementation of these services are summarized in Table 3

3.1 Illustrative example

Consider an arbitrary array of integers for plaintext as follows {398, 453, 876, 200, 356, 165, 265, 897}.

• Source

  1. Application layer: Traditional RSA encryption

     1. Primes, p = 13; q = 37 ⇒ n = p. q = 481

     2. Encryption key, e = 5

     3. Decryption key: e. d ≡ 1 mod (432) ⇒ d = 173

  Array due to RSA encryption is given as {151, 293, 252, 135, 304, 315, 265, 182}

  1. Physical layer:

     1. Step 1: Moduli set of {107, 109, 113} is used to convert the RSA ciphertext into 8-bit data point arrays. The residue set, r₁ for m₁ = 107 is as follows:

        r₁ = {44, 79, 38, 28, 90, 101, 51, 75}

     2. Step 2: Subband coding is performed to split residues obtained using moduli set into three levels of decomposition since m = 8 = 2³ data points are used. Subband coding is basically down sampling by 2 using (Eq. (3)). The corresponding arrays for the first level of decomposition are as follows:

        r₁₁ = {−9, −48, −79, −27}; − r12 = {−9, −42, −75, −21}; − r13 = {−9, −30, −67, −9}

        Note that r₁₁ refers to first level of decomposition array for modulus, m₁ = 107 and the first element is obtained using (Eq. (3)) with integer lifting filter coefficients set, h = {2, 0, 0} as follows: r₁(1) – 2 × r₁(0) = 79–2 × 44 = −9.

        The same procedure is performed for the second and third levels of decomposition.

     3. Step 3: Table 4 summarizes the manual computation of the encryption and decryption process of the convolutional cryptosystem for the data r₁₁(0) = −9 from the subband encoding stage based on the entries of the product cipher and combinational logic of the non-linear (8,8,2) 2-cascaded convolutional transducer in Figure 4.

• Destination

  1. Physical layer:

     The entire process is reversed starting with convolutional decoding at the physical layer which was illustrated in Table 4.

     1. Subband decoding: It involves upsampling and the use of quadrature mirror filter (QMF) bank as depicted in Figure 5 [12, 13]

Table 4.

Manual computation for the first sample of first level of decomposition for modulus 107.

The (↑2) symbol represents upsampling by 2, which means that zeros are inserted between samples. The QMF bank are the coefficients derived from the 4-tap Daubechies filter bank [12, 13, 19]. Hence, using upsampling and the QMF bank coefficients the residue sets r₁, r₂ and r₃ are retrieved.

Figure 5 will be used to perform a numerical illustration of subband decoding for the first level of decomposition of the array of modulus m₁ = 107 to obtain approximation coefficients a₁.

The moduli sets obtained from subband encoding for the three levels of decomposition for m₁ = 107 are as follows:

- Level 3: r₃₁ = {2, 44}; − Level 2: r₂₁ = {−50, −20}; − Level 1: r₁₁ = {−9, −48, −79, −27}.

For subband decoding, the entire process is reversed with level 3 of encoding becoming level 1 for decoding.

r₃₁ from subband encoding namely a₀ = 2 and d₀ = 44 is used. From Figure 5, upsampling performed on the approximation, a₀ and detail, d₀ data points gives the sets y_1 = {2, 0} and z_1 = {44, 0} respectively. Using 4-tap Daubechies integer lifting filter coefficients set, h = {2, 0, 0} we have.

w_1(0) = z_1(0) – h(2)*y_1(0) – h(3)*y_1(1) = 44–0 – 0 = 44

w_1(1) = z_1(1) – h(2)*y_1(0) – h(3)*y_1(1) = 0–0 – 0 = 0

a_1(0) = y_1(0) – h(1)*w_1(0) = 2–2*44 = −86

a_1(1) = y_1(1) – h(1)*w_1(1) = 0–2*0 = 0

Hence the first level approximation data points, a₁ are obtained as follows.

a₁(0) = w_1(0) = 44 and a₁(1) = w_1(1) + z_1(0) = 0–86 = −86

⇒ a₁ = {44, −86}.

The process is repeated to obtain the second and third levels approximation data points. The third level approximation data points, a₃ should be equal to residue set, r₁ obtained from the RNS-based RSA ciphertext using the modulus, m₁ = 107.

1. RNS-based Chinese Remainder Theorem (CRT): It is applied to the residue sets r₁, r₂ and r₃.

(Eq. (8))will be used to retrieve the RSA ciphertext from the residue sets. Using (Eq. (8)) and moduli set, m = {107, 109, 113} to compute the first data point of the ciphertext set we have.

The same process is repeated to obtain all the other data points of the RSA ciphertext set. The RSA ciphertext set is fed to the RSA decryption block at the application layer.

1. Application layer: RSA decryption

Decryption of the first data point is given as M = 151^d mod n = 151¹⁷³ mod 481 = 398 which represents the original data which was sent at the source.

The same process is repeated to obtain all the other data points of the plaintext set.

4.1 FPGA implementation of new scheme applied to CDMA

Code division multiple access (CDMA) enables several users to transmit messages simultaneously over the same channel bandwidth in such a way that each transmitter/ receiver user pair has its own distinct signature code for transmitting over the common channel bandwidth. This distinct signature is ensured by using spread spectrum techniques whereby the message from each user is transmitted using orthogonal waveforms. In orthogonal signaling, the residues are mapped to orthogonal waveforms which constitute the CDMA signal [20]. The orthogonal waveforms used in this research are Walsh functions.

Considering an (8, 8, 2) multi-level cryptosystem for illustrative purposes, the mapping process will involve M = 2⁸ = 256 orthogonal waveforms. Using the dynamic range of (−128, 126), a set of M = 2⁸ = 256 orthogonal waveforms is required to completely represent all the integers or symbols. Based on this, the corresponding Hadamard matrix obtained from the procedure elaborated in [21] is as follows:

The H₂₅₆ matrix is a large matrix comprising of 256 rows and 256 columns. The Hadamard matrix results into a multi–dimensional array. Multi–dimensional arrays are arrays with more than one index. Multi–dimensional arrays are not allowed for hardware synthesis. One way around this is to declare two one–dimensional array types. This approach is easier to use and more representative of actual hardware. The VHDL code used to declare the two one–dimensional array types is shown in Figure 6 [22].

The other operations in the hardware Walsh function generator implementation are trivial since they involve modulo–2 addition with built–in operators in VHDL code to handle such operations.

4.2 New VHDL code package

In this research, a new algorithm is presented which implements modular exponentiation without the use of the Montgomery algorithm. A package is developed in the VHDL code to extract residues similarly to the X mod N operation for any randomly generated data. Meanwhile, the large operand lengths which resulted from the modular exponentiation are reduced using binary exponentiation and the RNS.

The principle used to develop the package is as follows:

To perform the x = X mod N calculation where X has a large operand length of b bits say b = 1024 bits and N is modulus of small operand length of b₁ bits say b₁ = 8 bits, the following steps are used:

1. 1. X is converted to binary equivalent;

2. 2. The b₁ least significant bits of the b bits of X are chosen;

3. 3. The integer equivalent, x₁ of the chosen b₁ bits is determined;

4. 4. The residue, x = X mod N is obtained from the following equation;

1. 5. If the residue, x is greater than the modulus, N the process is iterated until the residue is less than the modulus.

(Eq. (9)) forms the basis for the x = X mod N calculation.

Based on this new algorithm which implements modular exponentiation without the use of the Montgomery algorithm, the entire physical layer security scheme could fit into a single FPGA chip.

4.3 Behavioral simulation and synthesis report

In order to verify the performance of the proposed architecture, a VHDL programme was written and implemented on a Xilinx Virtex-4 FPGA chip (device: xc4vlx 200, package: ff 1513, speed grade − 11) [22]. Sixteen (16) randomly generated integers were fed into the FPGA. For this value, the number of bonded IOBs is 760 out of 960 resulting to 79% resource used. The behavioral simulation results for array {39,870, 45,378, 87,654, 20,087, 35,689, 16,592, 564, 276,509, 89,732, 56,287, 4527, 89,065, 4321, 7654, 5489, 512} using moduli set {111, 115, 119} are displayed in [15].

In [15], the complete synthesis report showing device utilization summary is presented. Due to the additional implementation of orthogonal signaling compared to the implementation in [15], the following parameters are different compared to results displayed in [15]:

The device utilization summary is as follows:

• Number of slices: 5411 out of 89,088 6%

• Number of slice flip flops: 60 out of 178,176 0%

• Number of four input LUTs: 7452 out of 178,176 4%

• Total REAL time to Router completion: 24 min 7 s.

• Total REAL time to place and route (PAR) completion: 24 min 41 s.

• Pin delays less than 1.00 ns: 21928 out of 30,651 71.5%.

5.1 Cryptanalysis at the application layer

The RSA public key cryptography is implemented at the application layer. The most successful method to break the RSA cryptosystem is the Number Field Sieve (NFS) method used for partial key exposure attacks. The NFS is based on a method known as “Fermat Factorization”: one tries to find integers x, y, such that x² ≡ y² mod n but x ≠ ± y mod n [12]. We assume that the two primes p and q should be close and approximately equal to the square root of n, where n = p.q. If one of the integers could be written as x = (p + q)/2 then number of steps, S₁ required to determine the other integer, y could be computed as follows [23].

It is partial key exposure attack since the number of steps, S₁ required for the attack depends on one of the primes.

Table 5 gives a summary of the number of steps required to break the traditional RSA cryptography implemented at the application layer using Fermat Factorization.

5.2 Cryptanalysis at the physical layer

Security at the physical layer is ensured by the multi-level convolutional cryptosystem which encrypts already encrypted data emanating from the RNS-based RSA. The cryptanalysis of the multi-level convolutional cryptosystem will be based on the ciphertext-only attack whereby, it is assumed that the attacker knows ciphertext of several messages encrypted with the same key and/or several keys. The keys used in the encryption are those mentioned in Section 2.1.2 for the non-linear (8, 8, 2) 2-cascaded convolutional cryptosystem.

It is shown in [12] that, for an (n, k, L) convolutional code, each generator matrix reveals at most p – k – 1 values of a private parameter, using Gaussian elimination for p blocks of input data. Hence, if q is the number of states, then to completely break the (k, k, L) N-cascaded cryptosystem, the minimum number of plaintext-ciphertext pairs (u, v) required is [12].

For an (8, 8, 2) 2-cascaded cryptosystem, k = 8 and the least number of plaintext-ciphertext blocks required is p = 10 due to the number of rows and columns in the generator matrix. Assuming q = 2 states, S₂ could be as

Table 6 gives a summary of the number of steps required to break the (8, 8, 2) 2-cascaded cryptosystem using ciphertext-only attack.

5.3 Cryptanalysis of the new cross-layer security scheme

At the upper layer, huge key lengths such as 1024 bits and 2048 bits are used to implement the RSA. Such implementations will greatly compromise throughput at the physical layer due to modular exponentiation. Hence, the main objective of the new cross-layer security scheme is to increase security level at the physical layer despite the small valued data points transmitted derived from the RNS-based RSA in order to enhance throughput. Cryptanalysis is performed on the small residue RSA encrypted values. The analysis will be based on partial key exposure and ciphertext-only attacks at the physical layer for eavesdropper who could wiretap the transmitted data. The number of steps, S required to break the new cross-layer security scheme should be a product of S₁ and S₂ given as [12].

Table 7 gives a summary of the number of steps required to break the new cross-layer security scheme by using partial key exposure attack and ciphertext-only attacks for different cascaded stages.

Comparing Tables 5–7, it can be seen that high security levels comparable to the traditional 1024-bit RSA implemented at the upper layer could be attained using short operand key lengths of 128 bits and 256 bits for cross-layer security implemented at the physical layer. It is worth noting that, the security level could be much higher compared to the values displayed in Table 7 if the S-boxes were implemented using 4-bit and 8-bit shuffling instead of the aforementioned 2-bit shuffling.

6.1 Coded orthogonal signaling

It is shown in [16, 25] that, for coded orthogonal signaling, the bit error probability to transmit k-bit symbols is as follows:

where a_d denotes the number of paths of distance d from the all-zero path which merge with the all-zero path for the first time and d_free = 3 in this case, is the minimum distance of the code. d_free is also equal to the diversity, L. γ¯b is the average signal-to-noise ratio (SNR) per bit [25]. For each convolutional code, the transfer function is obtained and the sum of the coefficients {a_d} calculated.

For illustrative purposes, the transfer function, T(D) of smaller convolutional codes such as (2, 2, 2) and (4, 4, 2) will be used.

The transfer function T(D) for the (2, 2, 2) code is given as follows [16]:

The transfer function for the (4, 4, 2) code is given as follows [16]:

For both the (2, 2, 2) code and the (4, 4, 2) code, d_free = L = 3. Using the values of L and {a_d}, the probability of a binary digit error, P_b as a function of the SNR per bit, γ¯b is shown in Figure 7 for k = 2 and 4 [16].

The curves illustrate that, the error probability increases with an increase in k for the same value of SNR. Hence, better performance for wireless transmission should involve lower order codes and many independent parallel channels rather than higher order codes with fewer independent parallel channels. Hence, high data throughput could be attained by using small number of bits in the block length, N.

6.2 Forward error correction (FEC) code

The Viterbi algorithm [25] is the most extensively decoding algorithm for Convolutional codes and has been widely deployed for forward error correction in wireless communication systems. In this sub-section Viterbi algorithm will be applied to the non-linear convolutional code. The constraint length, L for a (n,k,m) convolutional code is given as L = k(m-1). The constraint length is very essential in convolutional encoding since a Trellis diagram which gives the best encoding representation populates after L bits. Hence to encode blocks of n bits, each block has to be terminated by L zeros (0 s) before encoding.

For illustrative purposes, a non-linear (4,2,3) convolutional code will be used to demonstrate encoding and Viterbi decoding. A possible non-linear (4,2,3) convolutional code showing mod-2 connections and the product cipher is shown in Figure 8.

6.2.1 Example: encode/decode the message M = 10,011

• Encoding process

The constraint length, L = k(m-1) = 2(3–1) = 4.

Hence 4 zeros will be appended to message M before encoding. The modified message becomes M’ = 10110000. Transition tables in appendix are used to encode the modified message.

1. Using transition tables in appendix, the transmitted sequence from the 1st stage is given as T_in = 10 01 01 11

2. S-box output is given as S = 00 11 11 01

3. P-box output is given as P = 00 11 11 10

4. Transmitted sequence into the 2nd stage is given as P = 00 11 11 10

5. Using transition tables in appendix, the final transmitted sequence which is the output bits from the 2nd stage is given as T_out = 0000 1111 0101 1001

• Viterbi decoding process

In performing the Viterbi algorithm, a bit in the sequence T_out will be altered. Let the received sequence be T_R = 1000 1111 0101 1001 instead of T_out = 0000 1111 0101 1001. The Viterbi algorithm applied to the 2nd stage is summarized in Table 8.

Table 8.

Viterbi algorithm applied to 2nd stage of (4,2,3) code.

The bits above the arrows will constitute the retrieved sequence from the 2nd stage. Hence, the retrieved sequence is given as, R₁ = 00 11 11 10. This sequence is fed to the P-box.

• P-box output is given as P1 = 00 11 11 01. Sequence, P1 is fed to the S-box

• S-box output is given as S1 = 10 01 01 11

Sequence, S1 is fed into the 1st stage to retrieve the final correct message. The Viterbi algorithm applied to the 1st stage is summarized in Table 9.

Table 9.

Viterbi algorithm applied to 1st stage of (4,2,3) code.

For a good trellis, the final state is the all-zero state as seen in the winning path in Table 9. The final received sequence is identical to the original transmitted message of M’ = R_final = 10110000 despite the first bit error. Hence, using the non-linear convolutional code, the error bit was identified and corrected. The forward error correction capability will therefore enhance throughput, since the bit error rate, P_e is reduced.