Upload
others
View
21
Download
0
Embed Size (px)
Citation preview
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
262
SOFT VERIFICATION OF MESSAGE AUTHENTICATION CODES
Natasa Zivic
Institute for Data Communications Systems, University of Siegen
Hoelderlinstrasse 3, 57076 Siegen
Germany
ABSTRACT
The subject of the paper is soft verification of message protected by symmetric
cryptographic check values, i.e. Message Authentication Codes. Soft verification is
introduced as an extension of hard or standard verification, which is usual today in
cryptographic applications. Algorithm for iterative correction of messages protected
by Message Authentication Codes is theoretically analyzed, using probability
theory. Results of the analysis are used for defining the most important parameter
for the correct work of the algorithm – a threshold value. Theoretical analysis is also
used for comparison with results of simulations of the threshold value used in the
algorithm for soft verification. Similar results of the comparison confirm the
theoretical analysis. At the end of the paper simulation results and a considerable
coding gain of corrected messages and their Message Authentication Codes is
shown.
1.1 Soft Verification versus Hard Verification
Standard verification accepts cryptographic check values (CCVs) as correct only if
the received CCV’ equals the cryptographic check value CCV” recalculated from
the received message M’ using the cryptographic check function CCF - see Fig. 1.
Therefore standard verification is sometimes called hard verification [1]. CCF will
be observed, which is a symmetric cryptographic function i.e. Message
Authentication Code (MAC) from Standard [2], [3] or [4]. The result of the
verification is a binary: YES or NO.
INTERNATIONAL JOURNAL OF ELECTRONICS AND
COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)
ISSN 0976 – 6464(Print) ISSN 0976 – 6472(Online)
Volume 3, Issue 1, January- June (2012), pp. 262-285
© IAEME: www.iaeme.com/ijecet.html
Journal Impact Factor (2011): 0.8500 (Calculated by GISI)
www.jifactor.com
IJECET
© I A E M E
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
263
Fig. 1 Standard or Hard Verification
The iterative algorithm which corrects messages protected by their MACs was
published in 2006 under the name Soft Input Verification [5]. It uses standard
(hard) verification after each iteration and therefore it will be called “Soft Input
Hard Verification” in this paper.
This paper extends this hard decision of the verification process to a soft decision
which is called “Soft Verification”. Soft verification is not as strength as hard
verification: it accepts messages as correct if the received CCV’ differs from the
cryptographic check value CCV” recalculated from the received message M’ in few
bits, i.e. not more than dmax bits - see Fig. 2. dmax is the threshold value d defined
before the beginning of the algorithm, i.e. it is the maximal Hamming distance dmax
= HD(CCV’,CCV”) which is allowed. The algorithm based on Soft Input Hard
Verification was published in 2011 [6] and it will be called here “Soft Input Soft
Verification”. It is an iterative algorithm which uses soft verification after each
iteration. Another version of this algorithm which also uses soft verification is
published in [7].
Fig. 2 Soft Verification
The expression “soft“ for soft verification is taken from telecommunications: the
output of the line decoder as well as the output of the channel decoder can be “hard”
and “soft”. Soft output are often used in channel decoding, as for example in Soft
Input Soft Output (SISO) channel decoding [8], which is the base for turbo
decoding [9], or in Soft Output Reed Solomon codes [10][11].
The logic, that cryptographic check sums are accepted, as long as they do not differ
much from the given reference, can be compared to the handwritten signatures:
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
264
although the handwritten signature is every time different, it is accepted as long as it
does not differ to much from the reference signature.
1.2 Soft Input Soft Verification
The subject of this and next chapters are messages whose data integrity and
authenticity are ensured with a help of MACs. The algorithm works for symmetric
CCVs, but not for asymmetric cryptographic process, as the sender and the receiver
use different keys.
The algorithm of Soft Input Soft Verification [6] is based on the avalanche effect of
cryptographic functions [12][13]: if only one bit of the message is changed, every
output bit of the CCV changes with the probability of 0.5. That means that
avalanche effect causes the change of 50% of bits of the CCV in average. The same
applies to another number of changed bits of the message, whereby the avalanche
effect is not so obvious anymore.
The probability Pd, that d bits of CCV of the length n change, if the message M
changes and assuming that the probabilities of appearing of 0 and 1 in the message
are 0.5, is equal nd
n
2
1
(Bernoulli distribution). This probability is shown in Fig. 3
for different length n. Fig. 4 presents behavior of the probability Pd logarithmically
in order to show Pd by very small rsp. very high d (0 ≤ d ≤ n).
At the same time, it is not important how many bits of the message change. The
probability, that after one change of the message only few bits of the CCV change,
is very low. Therefore it can be claimed with the high probability, that the message
is correct and that only the CCV is disturbed during the transmission, if CCV’ and
CCV” differ in just a few bits. The difference (Hamming distance) between CCV’
and CCV” is then equal to the bit error rate after the transmission (and decoding, if
used).
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
265
Fig. 3 Pd in dependence on d for a) n = 128, b) n = 160, c) n = 192, d) n = 224
Fig. 4 Logarithmical dependence of Pd on d for
a) n = 128, b) n = 160, c) n = 192, d) n = 224
The algorithm of Soft Input Soft Verification works similar to the algorithm of Soft
Input Hard Verification: reliability values (or L-values) of the SISO channel
decoder are used as input to the verification, and the bits with the lowest absolute L-
values are inverted until the correct message is found, or the maximal number of
iterations is reached. But there are two crucial differences between these two
algorithms.
1. difference: the algorithm of Soft Input Hard Verification stops, if the hard
verification is successful, which means that both CCVs are equal (Hard Decision)
and the resulting message is announced correct; the algorithm of Soft Input Soft
Verification stops if both CCVs differ in only few bits, whereby the condition
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
266
HD(CCV’, CCV”) ≤ dmax has to be fulfilled (Soft Decision) and the resulting
message is announced correct.
As the consequence, messages can be accepted by the algorithm of Soft Input Soft
Verification, which would be rejected by the algorithm of Soft Input Hard
Verification.
2. difference: bit inversion within the algorithm of Soft Input Hard Verification is
applied to the bits of the message M’ and the received CCV’; in the algorithm of
Soft Input Soft Verification bit inversion is applied only to the bits of the received
M’ (and not on the bits of CCV’).
As the consequence, lower number of iterations is expected by the algorithm of Soft
Input Soft Verification, as only bits of the received message are inverted.
The algorithm of Soft Input Soft Verification [6] is shown in Fig. 5.
Fig. 5 Algorithm of Soft Input Soft Verification
Following four cases are possible after M‘ and CCV‘ are received and SISO
decoded:
1. Message M’ is not disturbed; CCV’ is not disturbed
2. Message M’ is disturbed, CCV’ is disturbed
3. Message M’ is disturbed, CCV’ is not disturbed
4. Message M’ is not disturbed, CCV’ is disturbed
Case 1: In this case the verification results in d = HD(CCV’,CCV”) = 0.
Case 2: If both M’ and CCV’ are disturbed, the recalculated CCV” differs from the
received CCV’ with the high probability in a high number of bits (plus/minus
erroneous bits of CCV’ caused by noisy transmission, which do not change the
statistics of Hamming distance HD(CCV’, CCV”)).
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
267
Case 3: If M’ is disturbed and CCV’ not, there is a high probability that CCV’ and
CCV” differ in a big number of bits (see Fig. 3).
Case 4: If M’ is not disturbed and CCV’ disturbed, the Hamming distance
d = HD(CCV’,CCV”) corresponds to the number of disturbed bits of CCV’. The
probability that only the bits from CCV’ are disturbed can be easily calculated.
It can be concluded that the Hamming distance d = HD(CCV’,CCV”) equals 0 or it
is very low, if the message is not disturbed. Vice versa, if the message is not the
original one, the Hamming distance is in average n/2 (see Fig. 3).
The algorithm of Soft Input Soft Verification has an advantage over the algorithm
of Soft Input Hard Verification: bit inversion iterations are limited only on
messages (the algorithm of Soft Input Hard Verification iteratively corrects
messages and CCVs). Consequently the correcting rate is higher and the iteration
process is faster.
In the step “Flipping of bits of M’ ” another combination of bits is inverted in every
iteration, depending on the strategy of bit inverting [14], which defines the schedule
of inversion of the bits with lowest |L|-values.
The following text explains the reasons why the algorithm of Soft Input Soft
Verification cannot be applied on digital signatures. If the received CCV is a digital
signature, the hash value of the original message can be extracted using the public
key of the sender, in case that the digital signature has not be disturbed or
manipulated during the transmission. Otherwise, the extracted hash value differs in
average in 50% of bits from the hash value recalculated from the received message.
Therefore is the hash value not suitable as the reference value for soft verification.
Digital signature is disturbed only in bit positions which were exposed to the noise
during the transmission. Therefore digital signatures could be taken as reference and
compared to the signatures, which are recalculated from the messages got after bit
flipping in every iteration. But it would be necessary that the receiver can create
digital signatures! This is unfortunately impossible, as the receiver posses only the
public key and not the private key.
For that reason hash values can be used as references only in cases that digital
signatures are non disturbed. Because of the low probability that digital signatures
are non disturbed, the algorithm of Soft Input Soft Verification cannot be applied on
digital signatures.
1.3 Calculation of the maximal Hamming Distance
1.3.1 Probability Distribution Function of Hamming Distance
On threshold dmax depends which CCVs will be accepted and how high is the
probability of miscorrection. To calculate dmax, it is necessary first to know the Bit
Error Rate (BER) before applying the algorithm of Soft Input Soft Verification, i.e.
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
268
after channel decoder. BER, error spreading and error distribution depend on
channel encoder and decoder and therefore the behavior of BER cannot be generally
described. In following, the model will be considered, where each output bit of the
SISO channel decoder is random and independent on other output bits. Then,
occurrence and distribution of bit and word errors can be described using the BER
after SISO channel decoding.
The probability distribution function pdf1(d), that d bits of CCV‘ of the length n are
disturbed, has the binomial or Bernoulli distribution B(n, BER) [6]:
( ) ndBERBERd
ndpdf
dnd≤≤−⋅
=
−0 ,1)(1 (1)
Fig. 6 shows pdf1(d) for different lengths of n.
Fig. 7 shows logarithmically pdf1(d) for different BER, in order to present the
behavior of pdf1(d) also for high values d.
Fig. 6 pdf1 (d) by BER = 0.01 for a) n = 128, b) n = 160, c) n = 192, d) n = 224
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
269
Fig. 7 pdf1 (d) for n = 160 by a) BER = 0.001, b) BER = 0.01, c) BER = 0.1
Here will be considered the probability that two CCVs differ in d bits. The
calculation of the cryptographic checksumm behaves as an oracle, which assigns a
random value to each input value, i.e. the probabilty of each output bit is 1/2. The
Hamming distrance has in that case a probabilty distribution function pdf1(d) which
is the binary or Bernoulli distribution with BER = 0.5, i.e. B(n, 0.5):
ndd
ndpdf
n≤≤⋅
= 0 ,
2
1)(2 . (2)
Simply explained, pdf2(d) is the probability distribution function of the Hamming
distance between two CCVs of two different messages. pdf1(d) is presented in Fig. 3
and Fig. 4 for different parameters of n and BER (observed as the probability Pd).
pdf1(d) and pdf2(d) differ mostly in the fact, that in case of pdf1(d) when the
message is not disturbed, every bit of CCV after transmission is changed „only‘‘
with the probability of BER which is between 10-1
and 10-9
, and in case of pdf2(d)
(when the message is disturbed), every bit value in CCV has the probability of 0.5,
i.e. it is randomly disturbed.
The total probability of d is given by equation (3) and shown in Fig. 8 for n = m =
160 and BER = 0.01.
)()()( 21_ dpdfPdpdfPdpdf DISTURBEDDISTURBEDNOT ⋅+⋅=
(3)
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
270
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100
Fig. 8 Regions of d in case of not disturbed (left) and disturbed (right) message M’
for n = m =160 and BER = 0.01
Two regions are clearly separated: the left one, for case of not disturbed messages,
and the right one, for case of disturbed messages. It can be seen in fig. 8 that pdf2(d)
is very low for a wide range of values of d between these two regions (like in Fig. 9
logarithmically shown). That means, that the threshold value dmax can be found in
the area between.
Fig. 9 Logarithmic presentation of regions of d in case of not disturbed (left) and
disturbed (right) message M’ for n = m =160 and BER = 0.01
Following figures show regions of disturbed and not disturbed messages for
different lengths of n and m (n + m = 320) for BER = 0.01.
1E-22
1E-20
1E-18
1E-16
1E-14
1E-12
1E-10
1E-8
1E-6
1E-4
1E-2
1E+0
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
271
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100
Fig. 10 Regions of d in case of not disturbed (left) and disturbed (right) message M’
for n = 128, m = 192 and BER = 0.01
Fig. 11 Regions of d in case of not disturbed (left) and disturbed (right) message M’
for n = 192, m = 128 and BER = 0.01
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
272
Fig. 12 Regions of d in case of not disturbed (left) and disturbed (right) message M’
for n = 224, m = 96 and BER = 0.01
Following figures show regions of disturbed and not disturbed messages for
different BER and n = 160.
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100
Fig. 13 Regions of d in case of not disturbed (left) and disturbed (right) message M’
for n = 160 and BER = 0.001
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
273
0
0.02
0.04
0.06
0.08
0.1
0.12
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100
Fig. 14 Regions of d in case of not disturbed (left) and disturbed (right) message M’
for n = 160 and BER = 0.1
1.3.2 Analysis of Hamming Distance and Threshold
This chapter analyzes the verification after receiving the message M’ (before the
iterations start) and the probability Pdi for four different cases (i = 1,...,4) of soft
verification.
1. Message M’ is not disturbed and HD(CCV’, CCV’’) ≤ dmax – the probabilty
of this event is Pd1
2. Message M’ is disturbed and HD(CCV’, CCV’’) > dmax – the probabilty of
this event is Pd2
3. Message M’ is disturbed and HD(CCV’, CCV’’) ≤ dmax – the probability of
this event is Pd3
4. Message M’ is not disturbed and HD(CCV’, CCV’’) > dmax – the probability
of this event is Pd4.
The same analysis applies to the case with iterations (M’’ instead M’) [15].
The probabilty Pd1, that the message M’ of the length of m bits is not disturbed after
transmission, and that CCV (with length of n bits) has not more than dmax errors,
equals to:
inid
i
DISTURBEDNOTd BERBERi
nPP
−
=
−
= ∑ )1(
max
0
_1 (4)
and:
( )m
DISTURBEDNOT BERP −= 1_ (5)
This is the probabilty that the message is actualy correct, also if the Hamming
Distance is non-zero: 0 < HD(CCV’, CCV’’) ≤ dmax .
The probabilty Pd2, that the message M’ is disturbed after transmission and
HD(CCV’, CCV’’) > dmax, equals:
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
274
∑+=
=
n
dinDISTURBEDd
i
nPP
1
2
max2
1
(6)
where:
( )m
DISTURBED BERP −−= 11
(7)
The probability Pd3, that the message is disturbed and that CCV’ and CCV” differ in
less than dmax bits equals:
n
d
i
DISTURBEDdi
nPP
2
1max
03
= ∑
=
(8)
Pd3 is the probability, that the disturbed message is not recognized by the algorithm
of Soft Input Soft Verification, rather it will be announced correct. Therefore this
probability is called the probability of miscorrection.
The last case applies to the probability Pd4, that the message is not disturbed and
CCV’ has more than dmax errors:
inin
di
DISTURBEDNOTd BERBERi
nPP −
+=
−
= ∑ )1(
1
_4
max
(9)
Pd4 is the probability that the message is not disturbed, but it is not recognized from
the algorithm of Soft Input Soft Verification as correct, because the CCV’ is much
damaged. Therefore this probability is called the probability of non detection.
The total probability is the sum of all probabilities Pdi (i = 1, …,4) and equals 1.
The system designer can decide how secure the system should be, i.e. how high the
probability of false decision should be. If high security is wanted, i.e. as low level
of miscorrections as possible, it has to be taken into account that successful
correction also won’t be accepted if CCV’ is strong disturbed. If no high security is
needed, the probability increases, that the disturbed message is accepted as a correct
one. In such a way the system designer chooses and fixes his strategy depending on
dmax. There are several criteria how to choose dmax:
1. dmax is the cross point of curves of miscorrection probability Pd3 and non detection
probability Pd4.
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
275
Fig. 15 Cross point of probabilities of miscorrection Pd3 and non detection Pd4
for n = 160 and BER = 0.01
2. dmax is the minimal value of the sum of probabilities of miscorrection and non
detection:
Fig. 16 Minimum of the sum of probabilities of miscorrection Pd3 and non
detection Pd4 for n = 160 and BER = 0.01
3. dmax is any value dmax є [dmax_low, dmax_high], whereby dmax_low and dmax_high are
calculated depending on the probabilities of miscorrection and non detection.
The upper bound for the probability of non detection has to be defined as Pd4 < 110
k− (for the chosen integer k1) and dmax_low is defined as:
dmax_low = max (d | Pd4 < 110k− ) (10)
The lower bound for the probability of miscorrection has to be defined as Pd3 < 210
k− (for the chosen integer k2) and dmax_high is defined as:
dmax_high = min (d | Pd3 < 210k− ) (11)
Note: k1 and k2 have to be chosen so that: dmax_low < dmax_high.
For dmax = dmax_low, is the condition Pd3 < 210k− fulfilled.
Meaning of dmax_low
The system designer knows the channel behavior and the expectation of the number
of erroneous bits of CCV. Value of k1 defines the upper bound, and the upper bound
defines how many „erroneous bits“ can be accepted.
Meaning of dmax_high
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
276
With the choice of k2 the lower bound of the number of different bits is defined,
above which CCVs are announced as incorrect.
For example, if k1 = k2 = 6, it can be seen (Fig. 17) in which area dmax has to be
chosen.
d
Fig. 17 dmax_low and dmax_high for BER = 0.01, n = m = 160 and k1 = k2 = 6
Table 1 shows dmax_low for different BER after SISO channel decoding, which are
result of simulation using following parameters: 1/2 channel encoder (7, 5), Eb/N0
calculated from S/N of the AWGN channel after BPSK line modulation and a SISO
channel decoder using MAP decoding algorithm [16]. dmax_low is calculated using
equation (10) for k1 = 4 and presented for different lengths of a message M and
CCV, whereby the total length of M and CCV is fixed to 320 bits.
Table 2 shows dmax_low for different Eb/N0 and different k1, whereby the length of the
message and of the CCV are equal 160 bits.
Table 3 shows dmax_hgih which is calculated using equation (11) for k2 = 4 and
presented for different lengths of a message M and CCV, whereby the total length
of M and CCV is fixed to 320 bits.
Table 4 shows dmax_hgih for different Eb/N0 and different k2, whereby the length of
the message and of the CCV are equal 160 bits.
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
277
Table 1 dmax_low for different Eb/N0 and n (n + m = 320) and k1 = 4
Eb/N0
[dB] BER
dmax_low
(n = 128)
dmax_low
(n = 160)
dmax_low
(n= 192)
dmax_low
(n= 224)
1 0.036 8 10 14 16
1.5 0.0234 8 10 12 14
2 0.0149 8 9 10 11
2.5 0.00681 6 7 8 8
3 0.00376 5 6 6 7
3.5 0.00142 4 4 5 5
4 0.00037 3 3 3 3
4.5 0.00024 3 3 3 3
5 0.00012 3 3 3 3
Table 2 dmax_low for different k1 and Eb/N0 , and n = m = 160
Eb/N0
[dB] BER
dmax_low
(k1= 3)
dmax_low
(k1 = 4)
dmax_low
(k1 = 5)
dmax_low
(k1=6)
dmax_low
(k1 = 7)
dmax_low
(k1 = 8)
dmax_low
(k1 = 9)
dmax_low
(k1 = 10)
1 0.036 9 10 13 16 18 20 21 23
1.5 0.0234 8 10 12 14 16 17 18 20
2 0.0149 7 9 11 12 13 15 16 17
2.5 0.00681 6 7 8 9 10 11 12 13
3 0.00376 5 6 7 8 9 9 10 11
3.5 0.00142 4 4 4 5 6 7 7 8
4 0.00037 3 3 4 4 5 5 6 6
4.5 0.00024 2 3 3 4 4 5 5 6
5 0.00012 2 3 3 4 4 4 5 5
Table 3 dmax_high for different Eb/N0 and n (n + m = 320) and k2 = 4
Eb/N0
[dB] BER
dmax_high
(n = 128)
dmax_high
(n = 160)
dmax_high
(n= 192)
dmax_high
(n= 224)
1 0.036 43 57 71 82
1.5 0.0234 43 57 71 82
2 0.0149 43 57 71 82
2.5 0.00681 44 58 72 83
3 0.00376 44 58 73 84
3.5 0.00142 45 60 75 86
4 0.00037 48 63 78 89
4.5 0.00024 49 64 79 91
5 0.00012 50 65 81 93
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
278
Table 4 dmax_high for different k2 and Eb/N0 and n = m = 160
Eb/N0
[dB] BER
dmax_high
(k2 = 3)
dmax_high
(k2 = 4)
dmax_high
(k2 = 5)
dmax_high
(k2 = 6)
dmax_high
(k2 = 7)
dmax_high
(k2 = 8)
dmax_high
(k2 = 9)
dmax_high
(k2 = 10)
1 0.036 61 57 53 50 47 45 42 40
1.5 0.0234 61 57 53 50 47 45 42 40
2 0.0149 62 57 53 50 47 45 42 40
2.5 0.00681 62 58 54 51 48 45 43 41
3 0.00376 63 58 54 51 48 45 43 41
3.5 0.00142 65 60 56 52 49 46 44 42
4 0.00037 69 63 58 54 51 48 45 43
4.5 0.00024 71 64 59 55 51 48 46 43
5 0.00012 76 65 60 56 52 49 46 44
Tables 1–4 show the huge distance between dmax_low and dmax_high.
1.3.3 Simulations for estimating the threshold value
The theoretical values of dmax_low and dmax_high, from Tables 1–4, which were
calculated on the basis of probability, will be compared with results of simulations
in this chapter. The same simulation parameter are used, as explained in chapter
1.3.2 for finding of BER for Tables 1-4. The case of equal lengths of M and CCV
will be simulated: n = m = 160.
The algorithm of Soft Input Soft Verification is modified for simulations in such a
way that the receiver knows the original message M with the correct CCV. In this
way the receiver can check eventually if the received or corrected message is
wrongly verified (miscorrection) or perhaps the correct message is not accepted
(non detection). The Hamming Distance d = HD(CCV’, CCV”) is calculated after
each iteration and saved for statistic purposes. The iterative process is continued
until the corrected message equals to the sent one, or until the maximal number of
216
iterations is reached.
After every iteration and calculation of the Hamming Distance d, the calculated
value is added to set D1 (when M is equal to the original one) or to set D2 (when M
is not equal to the original one):
)}"'(),",'(|{1 MMMMCCVCCVHDddD =∨=== (12)
)}"'(),",'(|{2 MMMMCCVCCVHDddD ≠∧≠== (13)
As dmax_low and dmax_high the following values are chosen for i = 1,…,5 dB:
}/|{max)( 0max_1
iNEdid bD
low == (14)
}/|{min)( 0max_2
iNEdid bD
high == (15)
dmax_low(i) is for i dB after 50 000 simulations for each value of Eb/N0 the highest
Hamming Distance, in case that the message was correct received or corrected
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
279
during iterations. dmax_low corresponds to the maximal number of erroneous bits of
CCV for the case of a correct message.
dmax_high(i) is, after 50 000 simulations for each value of Eb/N0, the lowest Hamming
Distance, in case of an incorrect message.
Fig. 18 Simulations of Soft Input Soft Verification for calculation of
dmax_low and dmax_high
Fig. 19 shows dmax_low and dmax_high for Eb/N0 = i, i = 1,…,5 [dB].
Fig. 19 Results of simulations for a) dmax_low and b) dmax_high
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
280
Results of simulations show, that Hamming Distance d = HD (CCV’, CCV”) after
50 000 simulations per Eb/N0 was always higher than dmax_high, in case of disturbed
received or non corrected message, as well as it was always lower than dmax_low, in
case of not disturbed or corrected message. The Hamming Distance has never been
in the aera between dmax_high and dmax_low. The left and the right region are again
clearly separated from each other.
These values are results of 50 000 simulations per Eb/N0. If the number of
simulations increases even more , dmax_high and dmax_low could, depending on
probabilties functions for dmax , come close to each other and even overlap.
At the and of this chapter, simulation results will be compared with the theoretical
results from Table 1 for m = n = 160. This comparison shows that results of
simulations fit very well the results of equations of the probabilty theory. In Fig. 20
it can be seen that theoretical and simulation results differ in maximal 1 bit and in
Fig. 21 that they differ in maximal 2 bits.
Fig. 20 dmax_low for n = m = 160: a) after simulations and b) using Table 1 for k1 = 4
Fig. 21 dmax_high for n = m = 160: a) after simulations and b) using Table 3 for k2 = 4
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
281
6.4 Verification Gain
Simulations are performed for different lengths of the message and CCV, whereby
their total length is fixed on 320 bits. The CCV was calculated using the hash
function RIPEMD-160, initialized with the key K of the length of 160 bits. A new
message is randomly generated in every simulation. The same simulation
parameters as in previous chapters are used. The algorithm of Soft Input Soft
Verification was simulated, as presented in Fig. 5.
For each point of the curves presented in figures 22–26, a total of 50 000
simulations is performed. Maximal number of iterations was 216
, i.e. maximal 16
bits with the lowest absolute L-values are flipped. The Cryptographic Check Error
Rate (CCER) is defined as:
CCVssentofnumber
CCVserroniousofnumberCCER
=
(16)
Fig. 22 CCER for n = 128, m = 192 and dmax = 1kd for k1 = 4
a) Hard Input Hard Verification
b) Soft Input Hard Verification
c) Soft Input Soft Verification
Simulation results in Fig. 22 show coding gain of Soft Input Hard Verification of
maximal 1.8 dB compared to Hard Input Hard Verification (see results from [6])
and coding gain of Soft Input Soft Verification of maximal 2.5 dB compared to
Hard Input Hard Verification. The additional coding gain of Soft Input Soft
Verification of maximal 0.7 dB compared to Soft Input Hard Verification is caused
by different steps of bit flipping: for the same number of iterations only bits of the
message are flipped using the algorithm of Soft Input Soft Verification and bits of
the message and CCV using the algorithm of Soft Input Hard Verification.
The lowest coding gain is by the lowest Eb/N0, because the number of erroneous bits
is too high for the defined number of iterations. Therefore only few messages can be
corrected.
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
282
Simulation results in Fig. 23 show the same coding gain of Soft Input Hard
Verification compared to Hard Input Hard Verification, because the total length of
the message and CCV is the same: 320 Bit. Coding gain of Soft Input Soft
Verification compared to Hard Input Hard Verification is maximal 0.55 dB. The
additional coding gain is lower than in Fig. 22, because of the longer message in
case of Fig. 23.
Fig. 23 CCER for n = 160, m = 160 and dmax =
1kd for k1 = 4
a) Hard Input Hard Verification
b) Soft Input Hard Verification
c) Soft Input Soft Verification
Fig. 24 CCER for n = 192, m = 128 and dmax =
1kd for k1 = 4
a) Hard Input Hard Verification
b) Soft Input Hard Verification
c) Soft Input Soft Verification
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
283
Simulation results in Fig. 24 show again the same coding gain of Soft Input Hard
Verification compared to Hard Input Hard Verification, because the total length of
the message and CCV is the same (320 Bit). Coding gain of Soft Input Soft
Verification compared to Hard Input Hard Verification is maximal 0.5 dB. The
additional coding gain is lower than in Fig. 23, because of the longer message in
case of Fig. 24.
Fig. 25 CCER for n = 224, m = 96 und dmax =
1kd for k1 = 4
a) Hard Input Hard Verification
b) Soft Input Hard Verification
c) Soft Input Soft Verification
Simulation results of Soft Input Hard Verification in Fig. 25 are the same as in Fig.
22-24. Coding gain of Soft Input Soft Verification compared to Hard Input Hard
Verification now only maximal 0.4 dB, because of the longest message length.
CONCLUSION
Using Soft Input Soft Verification, cryptographic check values (MAC) can be used
for the correction of messages modified due to the channel noise. The Hamming
distance of the received MAC and the MAC of the corrected message corresponds
then to the bit error rate after SISO channel decoding. The range of values of the
decision threshold in the verification process has been determined under
consideration of the risk of non detection on one hand, and of miscorrection on the
other hand. Simulations show that a significant coding gain can be achieved by the
use of the Soft Input Soft Verification algorithm.
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
284
REFERENCES
1. C. G. Boncelet .Jr (2006), “The NTMAC for Authentication of Noisy
Messages”, IEEE Trans. On Information Forensics and Security, vol.1, no.1
2. ISO/IEC 9797-1 (2011), Information technology -- Security techniques --
Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block
cipher
3. ISO/IEC 9797-2 (2002), Information technology -- Security techniques --
Message Authentication Codes (MACs) -- Part 2: Mechanisms using a
dedicated hash-function
4. ISO/IEC 9797-3 (2011), Information technology -- Security techniques --
Message Authentication Codes (MACs) -- Part 3: Mechanisms using a
universal hash-function
5. Ruland .C and Zivic .N (2006), “Soft Input Decryption”, 4th
Turbocode
Conference, 6th
Source and Channel Code Conference, VDE/IEEE, April 3-
7, Munich, Germany
6. Zivic .N (2011), “Soft correction and verification of the messages protected
by cryptographic check values”, Conference on Information Sciences and
Systems (CISS 2011), Baltimore, USA
7. Zivic .N and Flanagan .M (2012), “On Joint Cryptographic Verification and
Channel Decoding via the Maximum Likelihood Criterion”, IEEE
Communication Letters, vol. PP, issue 99
8. Kabatiansky .G, Krouk .E, Semenov .S (2005), “Error Correcting Coding and
Security for Data Networks, Analysis of the Superchannel Concept”, John
Wily and Sons
9. Berrou .C, Glavieux .A, Thitimajshima .P (1993): Near Shannon Limit Error
Correcting Coding and Decoding: Turbo Codes, Proc. IEEE International
Conference on Communication, vol. 2/3, pp. 1064-1070, Geneva,
Switzerland
10. Kötter .R and Vardy .A (2002), “Soft Decoding of Reed Solomon Codes and
Optimal Weight Assignements”, 4-th International ITG Conference on
Source and Channel Coding, Berlin, Germany
11. Ponnampalam .V and Vucetic .B (1999), “Soft decision decoding of Reed-
Solomon codes”, Proc. 13th
Symp. Applied Algebra, Algebraic Algorithms
and Error-Correcting Codes, Honolulu, USA
12. Hays .H.M. and Tavares .S..E. (1995), “Avalanche characteristics of
Substitution – Permutation Encryption Networks”, IEEE Trans. On
Computers, Vol. 44, Nr. 9
13. Forre .R (1990), “The Strict Avalanche Criterion: Spectral Properties of
Boolean Functions and an Extended Definition”, Advances in Cryptology,
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN
0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME
285
Crypto '88, Lecture Notes in Computer Science, vol. 403, pp.450-468,
Springer Verlag Berlin Heilderberg
14. Zivic .N (2008), “Joint Channel Coding and Cryptography”, Shaker Verlag,
Aachen
15. Zivic .N (2012); “Iterative method for correction of messages protected by
symmetric cryptographic check values”, International Conference on
Information netwprking (ICOIN), Bali, Indonesia
16. Bahl .L, Cocke. J, Jelinek .F, Raviv .J (1974), “Optimal decoding of linear
codes for minimizing symbol error rate”, IEEE Transactions on Information
Theory, IT-20, pp. 284-287