Demonstration of coherent stealthy and encrypted transmission for data center interconnection

Eyal Wohlgemuth; Yaron Yoffe; Tomer Yeminy; Zeev Zalevsky; Dan Sadot

doi:10.1364/OE.26.007638

1. Introduction

Data privacy and confidentiality are among the top priorities of enterprise networks operators, carriers and service providers. Physical layer (PHY) security threats and attacks appear frequently, require constant monitoring, defense, and mitigation of attack impacts. Today, most of the security solutions are implemented in the upper layers of the open systems interconnection (OSI) model. However, the security approaches in these layers are limited by both the processing speed of electronic circuits and the capacity of the optical networks. Furthermore, in the standard digital encryption techniques, metadata remains unencrypted and might be used by an adversary for eliciting sensitive information on the users by data mining techniques [1].

In order to ensure secured transmission, various approaches for PHY security were suggested [2]. Quantum encryption utilizes the fact that measurements perturb quantum systems. In quantum key distribution (QKD) [3] protocols, the key exchange process is information-theoretic secured, however, the data is encrypted in a conventional digital format, based on this key. Another approach to be mentioned is chaotic cryptography [4], which requires complicated hardware. Additional approach exploits the naturally broad spectrum of an amplified spontaneous emission (ASE) of an Erbium-doped fiber amplifier (EDFA) as the signal’s carrier with a very short coherence length, to provide high steganography [5]. Optical code division multiple access (OCDMA) based methods can also be used for secure transmission. In direct-sequence spread spectrum (DSSS) and OCDMA [6], the data is XOR-multiplied with fast time-varying chips to provide both spreading and encryption. Yet, they require hiding underneath a public channel.

A cost-effective approach, which incorporates both steganography and encryption of the physical layer has been recently proposed [6, 7] and demonstrated [8]. In this method, the spectral amplitude of the signal is spread wide by means of sampling to conceal its power spectral density (PSD) below the noise level. Additionally, two phase masks are used: A temporal mask is applied to flatten the signal’s PSD and to eliminate the DC peak in the spectrum. The second mask, a spectral phase mask (SPM) is applied to encrypt the signal in time domain, by transforming the transmitted symbols to a noise-like waveform. At the authorized receiver, the spectral replicas of the signal are folded to the baseband, in a coherent addition process. Whereas the spectral replicas of the noise are added incoherently, to be averaged to a low value. Therefore, the signal’s PSD is reconstructed and in turn, the signal to noise ratio (SNR) is improved. At the eavesdropper receiver, the sampling of the encrypted signal is done in an incoherent manner, i.e in a destructive way. Therefore, the phase information is lost and no real-time nor offline processing can be used to recover the destroyed information.

Contrary to DSSS and OCDMA approaches, in the demonstrated method, the spreading function is done by sampling, and the encryption by phase masks. Therefore, the encryption function is totally independent of the spreading operator, and can be chosen without orthogonality constrains. In addition, an arbitrary waveform is obtained in time domain, rather than chips. Follows, the signal is not recognized as bits but as a noise-like waveform.

In this work, we carry out a set of measurements in order to evaluate the expected system performance. We realized an experimental setup which includes stealthy and encrypted transmitter, receiver and the optical link. The first set of measurements incorporates a QPSK back-to-back transmission at varying stealthiness levels and bit-rates, up to negative OSNR of −15dB/0.1nm and 16Gbps, per single polarization. In this part, the detected SNR, the bit-error rate and the encryption processing gain where measured. Following, in order to realize a DCI scenario, we further extend the transmission distance to 100km and the constellation to 64-QAM, allowing the transmission of 3Gbps at OSNR of 5dB/0.1nm.

The rest of the paper is organized as follows. In Section 2, we present the encryption system, whereas in Section 3 the experimental setup and practical methods are described. The measured and analyzed data is given at Section 4. Finally, conclusions and summary are presented in Section 5.

2. The encryption system

2.1. Encryption by sampling and phase masks

In the demonstrated experiment, the transmitted data stream is separated to segments of $\tilde{N}$ symbols, ${s [n]}_{n = 0}^{\tilde{N} - 1}$ , which are mapped to 64-QAM or QPSK in a few measurements sets. Subsequently, an $L$ -upsampler operator is applied on the $\tilde{N}$ symbols segment to create a block of $N = L \cdot \tilde{N}$ samples. The upsampling operator is in turn responsible to replicate $L$ times the PSD of $s [n]$ in the spectrum domain, this can be seen in the summation term, in Eq. (1). Afterwards, the Fourier transform of the upsampled symbol stream, $FFT {↑_{L} {{s [n]}_{n = 0}^{\tilde{N} - 1}}$ , is encoded using a SPM, as follows:

S_{t x} [k] = (\sum_{l = 0}^{L - 1} S [k - l \tilde{N}]) \cdot H_{RRC} [k] \cdot Ψ [k],

where

Ψ [k]

is the SPM and

H_{RRC} [k]

is the transfer function of the pulse shaping root-raised cosine (RRC) filter. The length of the SPM is the same as the block length,

N

, corresponding to a spectral granularity of

{(N \cdot R_{D A C})}^{- 1}

Hz, where

R_{D A C}

is the digital to analog converter (DAC) sampling rate. The sampling operator is illustrated Fig. 1(a), for 16 spectral replicas, corresponding to

L = 16

. Due to the RRC filter, that rolls-off at 16GHz, only the eight replicas at the center of the double-sided spectrum are accounted. Each of the SPM elements,

ϕ

, is uniformly distributed in the range of

(0, 2 π)

as stated by:

Ψ [k] = e^{j ϕ [k]}; {ϕ [k]}_{k = 0}^{N - 1} \sim U (0, 2 π) .

The inverse mask,

\bar{Ψ} [k]

, is later used as the decryption key. One should consider that before the SMP, the signal consists of sparse symbols, separated by

L - 1

zeroes, this can be seen in the blue curve in Fig. 1(b). The SPM uniformly distributes the energy of the sampled symbols in the time domain, making it stealth. The signal after the SPM is represented by the red curve, in Fig. 1(b).

Fig. 1 (a): Spectral representation of a digital upsampling operator ( $↑_{L}$ ) for $L = 16$ , each replica delimited with vertical dashed line and labeled with the index $l$ . Secondary (blue) x-axis represents the assigned frequency after the signal being transmitted with 64 Gsamp DAC. (b): Temporal representation of QPSK symbol, before (blue) and after (red) encryption with SPM.

Download Full Size | PDF

In order to provide the desired degree of stealthiness, an additive white Gaussian noise (AWGN) is deliberately added by optical means. Therefore, $s_{t x} [n]$ is attenuated and amplified after being transmitted. The detected and filtered ASE noise has a variance of $σ$ is represented by $\tilde{z} [n]$ and added to the received signal in Eq. (3).

The signal travels through an optical channel with a varying distance up to 100km, which includes a noise loading mechanism at the beginning and filters at its end. Then, the signal is detected in a coherent receiver and sampled by analog to digital converter (ADC). The sampled signal can be expressed as follows:

s_{r x}^{raw} [n] = e^{j (ω_{IF} \cdot n + φ [n])} \cdot s_{t x}^{} [n] * h_{r x} [n] * h_{CD} [n] + \tilde{z} [n],

where

φ [n]

is the phase noise term associated with the

n^{th}

symbol,

ω_{I F}

is the intermediate frequency arise from the frequency differences of the local oscillator (LO) and the transmitter’s laser,

h_{CD} [n]

and

h_{r x} [n]

are the chromatic dispersion (CD) and receiver impulse responses, respectively. Note that the transmitter’s response is excluded from Eq. (3) since it is pre-equalized at the transmitter. The pre-equalization has two-fold effect: maintaining the flatness of the signal’s PSD in the optical domain, in order to achieve maximum stealthiness. In addition, it preserves the white nature of the noise after detection and thus it allows one to obtain the theoretical processing gain.

The authorized receiver recovers the signal and deciphers the encrypted symbols by means of real-time DSP. The DSP block implements standard coherent algorithm: IQ imbalance compensation, phase noise - carrier phase estimation (CPE) and IF cancellation, CD compensation and equalization for the electronic circuits response. During the decryption process a conjugate phase mask ( $\bar{Ψ} [k] = e^{- j ϕ [k]}$ ) is applied on the recovered analog and signal, and the signal is further sampled in order to enable a coherent addition of all the spectral replicas as follows:

\begin{matrix} S_{r x}^{s a m p} [k] = \frac{1}{L} \sum_{m = 0}^{L - 1} \sum_{l = 0}^{L - 1} {S [k - 1 \tilde{N} + m \tilde{N}] {| {\bar{H}}_{R R C} [k + m \tilde{N} |}^{2}}, \\ + \frac{1}{L} \sum_{m = 0}^{L - 1} {\tilde{Z} [k - m \tilde{N}] | {\bar{H}}_{R R C} [k + m \tilde{N} |} \end{matrix}

where the upper summation term represents the signal’s term (denoted by

S_{r x, s i g}^{s a m p} [k]

) and the lower term represents the noise term (denoted by

S_{r x, n}^{s a m p} [k]

).

While an eavesdropper is trying to detect the signal, he applies a wrong phase mask, thus, the summation of $S_{r x, s i g}^{s a m p} [k]$ is done while each replica is multiplied with a different arbitrary spectral phase elements [6]. The signal is therefore built in a destructive way, via incoherent addition process.

2.2. Performance: quantitative analysis and measures

The ability of the authorized user to detect the covert signal relies on two principles: decryption and processing gain. In this subsection we quantitatively analyze the SNR performance of the authorized user. A set of measures is presented, and later compared with the experimental results at Section 4.

It is useful to define the SNR of the received “analog” signal at the authorized receiver, ${SNR}^{Authorized,analog}$ , after removing the SPM and before the coherent addition process. This SNR is achieved by one of the two following methods: calculating the SNR of the “analog” signal, as stated in Eq. (5). Alternatively, the same SNR is obtained by filtering the baseband replica, namely executing the summation in Eq. (5) over $\tilde{N}$ instead of over $N$ , essentially yielding the same SNR. Therefore, ${SNR}^{Authorized,analog}$ as given at Eq. (5) is considered as the SNR of a single replica detection, corresponding to a conventional two samples per symbol (SPS) transmission.

S N R^{A u t h o r i z e d, a n a l o g} = \frac{1}{N} \sum_{k = 0}^{N - 1} {\frac{[E {| S_{r x, s i g} [k] |}^{2}]}{E [{| S_{r x, n} [k] |}^{2}]}} = \frac{a^{2}}{σ^{2}},

where

S_{r x, sig} [k]

and

S_{r x, n} [k]

are the signal and the noise terms of the detected and recovered “analog” signal, before it is sampled.

α^{2}

equals to the variance of the transmitted symbols

var {{s [n]}_{n = 0}^{\tilde{N} - 1}}

, while assuming that the signal is normalize to the same variance at the receiver DSP. Additionally,

σ^{2}

is the variance of the noise over the entire spectrum of all the transmitted replicas. Considering Eq. (4), the SNR for the authorized user, after the coherent addition process, takes the following form:

S N R^{A u t h o r i z e d} = \frac{1}{\tilde{N}} \sum_{k = 0}^{\tilde{N} - 1} {\frac{[E {| S_{_{r x, s i g}}^{s a m p} [k] |}^{2}]}{E [{|_{_{r x, n}}^{s a m p} [k] |}^{2}]}} = \frac{L}{2} \cdot \frac{a^{2}}{σ^{2}},

as the signal power is coherently added thus multiplied by

{(\frac{1}{2} L)}^{2}

while the noise power is incoherently added thus multiplied by

\frac{1}{2} L

.

By comparing the SNR after the coherent addition as presented in Eq. (6) to the SNR of the “analog” recovered signal in Eq. (5), one can obtain the processing gain, as given below:

P r o c e s s i n g G a i n = \frac{S N R^{A u t h o r i z e d}}{S N R^{A u t h o r i z e d, a n a l o g}} = \frac{L}{2} .

The processing gain of

\frac{1}{2} L

is proportional to the number of the coherently added replicas that exist within the available analog bandwidth. Since a RRC filter with two SPS is used, the BW is half of the signal’s digital bandwidth, therefore

\frac{1}{2} L

replicas are counted within the available analog bandwidth. The noise folding, shown at the lower term in Eq. (4), preserves the white Gaussian nature of the noise, thus the following bit error rate is derived:

P_{b}^{A u t h o r i z e d} = \frac{1}{2} e r f c (\sqrt{\frac{L}{2}} \cdot \frac{a}{2 σ}) .

In addition, the resulting bit-rate per single polarization,

R_{b}

, is given by:

R_{b} = \frac{\log_{2} (M) \cdot R_{D A C}}{L},

where

R_{D A C}

is the DAC’s speed in [samp/sec] and

M

is the order of the QAM constellation. Considering Eqs. (7) and (9), one can observe the intrinsic trade-off between the bit-rate and the processing gain, as the information capacity is conserved for a given constant bandwidth.

3. Experimental Setup

The experimental setup is depicted in Fig. 2 and the hardware parameters are shown in Table 1. At the transmitter, offline DSP is used to generate encrypted and stealthy QPSK or 64-QAM symbols. In turn, a high-speed DAC is used to convert the uploaded samples to an analog signal. Subsequently, two RF amplifiers drive the in-phase (I) and quadrature (Q) components into a DP-MZM coherent transmitter, which its output is optically attenuated and amplified by EDFA to obtain a controlled ASE noise adjustment. The expected analog SNR ( ${SNR}^{Authorized,analog}$ ) is given as follows [9]:

S N R^{A u t h o r i z e d, a n a l o g}_{[d B]} = O S N R [\frac{[d B]}{0.1 n m}] - 10 l o g_{10} {\frac{B W_{s i g}_{[G H z]}}{{12.5}_{[G H z]}}} + P E R_{[d B]},

where

{BW}_{sig}

is the signal’s double-side bandwidth and PER is polarization extinction ratio, corresponding to the intensity of the transmitted polarization which is aligned to the receiver axis. For

{BW}_{sig}

of 32 GHz, and PER of 80%, the experimental ratio is:

S N R^{A u t h o r i z e d, a n a l o g}_{[d B]} = O S N R [\frac{[d B]}{0.1 n m}] - {2.04}_{[d B]}

. It should be noted that Eq. (10) holds for the regime where the ASE is the dominant noise mechanism. Using this ratio, one can compare the detected analog SNR to the observed OSNR, and thus confirm the reliability of the receiver and the signal recovery DSP.

Fig. 2 Experimental setup for encrypted and stealthy coherent optical system. The following abbreviation were used: ECL – external cavity laser; SSMF – standard single mode fiber; VOA – variable optical attenuator; PC – polarization controller; BPF – (optical) bandpass filter; EDFA – Erbium-doped fiber amplifier; PM – polarization maintaining; DP-MZM – dual parallel Mach-Zehnder modulator; ICR – integrated coherent receiver.

Download Full Size | PDF

Table 1. Experimental setup hardware parameters

View Table

At this stage, the optical signal is both encrypted and buried under the ASE noise. An example of typical encrypted and stealthy signal, with negative OSNR of −15 dB/0.1nm, is shown in Fig. 3. The signal is combined with a public channel separated by 200GHz, and both channels propagate through SSMF. To evaluate the actual performance of an optically routed system, the signal passes through arrayed waveguide grating (AWG) multiplexer before it is amplified. In such way, the signal experiences a narrowband optical filtering before it loaded with ASE. This scenario considered more challenging in terms of noise enhancement in the receiver side [10].

Fig. 3 (a): Spectral measurement of an encrypted stealthy channel with OSNR of −15 dB, inset show a 200 GHz zoom around the stealthy channel. (b): Bit error rate measurements received for a B2B QPSK transmission, at different SNR values.

Download Full Size | PDF

At the receiver side, a sequence of two bandpass optical filters (BPFs), interleaved with an EDFA, is added before the integrated coherent receiver (ICR). The amplifier is aimed to enhanced the receiver sensitivity by adjusting the optical input power to the correct level. The first BPF selects the desired WDM channel while the second BPF is used to avoid the saturation of the amplifier and the ICR by discarding unnecessary ASE. The ICR is then used to convert the optical signal into I and Q orthogonal components. Subsequently, the analog I and Q signals are digitized and buffered using ADC. The received samples are processed offline to correct the system impairments and decipher the information bits.

4. Measurement Results

The optical spectrum of the encrypted and stealthy signal is presented in Fig. 3(a). The inset shows a zoom-in of the encrypted and stealthy signal at −15 dB/0.1nm OSNR, demonstrating that the signal is totally buried under the ASE noise. Figure 3(b) presents the BER of the decoded symbols versus the SNR of the authorized user, for both the theoretical prediction and actual measurements, indicating good agreement between the two cases.

The processing gain of the authorized user is presented in Fig. 4(a), by plotting the analog SNR versus the improved SNR after sampling. Each of the dashed curves represents different bandwidth of a single replica, corresponding to different upsampling factors ( $L$ ) of Eq. (7). The lower group of solid line curves represents the measured SNR for single replica which is the classical non-encrypted QPSK transmission case. A black solid line obeys the linear SNR-OSNR relation stated in Eq. (10). It is observed that all the continuous curves coincide with the theoretical black solid line as expected, up to a saturation level starting at 5dB/0.1nm OSNR.

Fig. 4 (a): Processing gain (P.G.) at different OSNR values. Right – Constellation diagram (b.1) and eye diagram (b.2) as received by the eavesdropper with arbitrary phase mask, at OSNR of −15 dB/0.1nm. The authorized user performance at (b.3), (b.4) at BER of 1e-3.

Download Full Size | PDF

Additionally, the vertical gaps between the dashed and continuous curves on Fig. 4(a) represent the processing gain of the decryption. For example, the dashed versus continuous blue curves (125MHz) is associated with processing gain of 256. Indeed, it is demonstrated that 24 dB gain is achieved between the continuous blue (single replica case) and the dashed blue (the analog double side band of 32GHz accommodates 256 replicas of 125MHz). It should be noted that there is a tradeoff between the processing gain and the bit-rate (according to Eq. (9)).

Constellation diagram and eye diagram as received by the eavesdropper with arbitrary phase mask are shown in Figs. 4(b.1) and 4(b.2), respectively. Similarly, same measurements as received by the authorized user with correct phase mask, are shown in Figs. 4(b.3) and 4(b.4).

Figures 5(a)–5(c) shows the authorized user constellation diagrams taken after 100km transmission, with varying OSNR values of 28, 15 and 5 dB/0.1nm, respectively. In the 100km transmission case the DSP also includes CD compensation and coarse IF correction blocks. Therefore, SNR is approaching the theoretical limit, as can be seen in Fig. 4 where the theoretical analog SNR and the measured analog SNR coincide, and no saturation is observed. Consequently, the digital SNR is improved accordingly, approaching 32 dB.

Fig. 5 Constellation diagrams taken after 100km transmission, with varying OSNR values of (a) 28, (b) 15 and (c) 5dB/0.1nm.

Download Full Size | PDF

5. Conclusions

We experimentally demonstrate an encrypted and stealthy end-to-end transmission system over 100km SSMF, using commercially available optical communication components. Even though the signal is fully buried under ASE noise and cannot be neither observed nor detected by an eavesdropper, it is successfully detected by the authorized user with a pre-FEC BER of better than 1e-3.

Funding

Israel Innovation Authority, KAMIN grant (53362).

References and links

1. L. Xu, C. Jiang, J. Wang, J. Yuan, and Y. Ren, “Information Security in Big Data: Privacy and Data Mining,” IEEE Access 28(4), 1149–1176 (2014).

2. B. Wu, B. J. Shastri, P. Mittal, A. N. Tait, and P. R. Prucnal, “Optical signal processing and stealth transmission for privacy,” IEEE J-STSP 9(7), 1185–1194 (2015).

3. H. K. Lo, M. Curty, and K. Tamaki, “Secure quantum key distribution,” Nat. Photonics 8(8), 595–604 (2014). [CrossRef]

4. A. Argyris, D. Syvridis, L. Larger, V. Annovazzi-Lodi, P. Colet, I. Fischer, J. García-Ojalvo, C. R. Mirasso, L. Pesquera, and K. A. Shore, “Chaos-based communications at high bit rates using commercial fibre-optic links,” Nature 438(7066), 343–346 (2005). [CrossRef] [PubMed]

5. B. Wu, Z. Wang, Y. Tian, M. P. Fok, B. J. Shastri, D. R. Kanoff, and P. R. Prucnal, “Optical steganography based on amplified spontaneous emission noise,” Opt. Express 21(2), 2065–2071 (2013). [CrossRef] [PubMed]

6. T. Yeminy, D. Sadot, and Z. Zalevsky, “Spectral and temporal stealthy fiber-optic communication using sampling and phase encoding,” Opt. Express 19(21), 20182–20198 (2011). [CrossRef] [PubMed]

7. T. Yeminy, D. Sadot, and Z. Zalevsky, “Sampling impairments influence over fiber-optic signal decryption,” Opt. Commun. 291(15), 193–201 (2013). [CrossRef]

8. E. Wohlgemuth, T. Yeminy, D. Sadot, and Z. Zalevsky, “Experimental demonstration of encryption and steganography in optical fiber communications,” in Proceedings of European Conference of Optical Communications (ECOC, 2017).

9. R. J. Essiambre, G. Kramer, P. J. Winzer, G. J. Foschini, and B. Goebel, “Capacity Limits of Optical Fiber Networks,” J. Lightwave Technol. 28(4), 662–701 (2010). [CrossRef]

10. P. J. Winzer, A. H. Gnauck, C. R. Doerr, M. Magarini, and L. L. Buhl, “Spectrally Efficient Long-Haul Optical Networking Using 112-Gb/s Polarization-Multiplexed 16-QAM,” J. Lightwave Technol. 28(4), 547–556 (2010). [CrossRef]

Component	Parameter	Value	Component	Parameter	Value
DAC/ADC	Sample rate	64 Gsamp/s	Modulation	Type	64-QAM / QPSK
	Analog bandwidth	18 GHz	Modulation	Polarization	Single
	PNOB / ENOB	8 / 5.6 bits	Pulse shape	Shape	RRC
	Memory ( $N$ )	$2^{15}$	Pulse shape	Roll-off factor	0.15
Modulator	Type	Dual-parallel MZM	ECL	Linewidth	100 KHz
	Analog bandwidth	25 GHz		Output power	+ 15.5 dBm
	Extinction ratio	15 dB		$λ_{s}$ (Stealthy ch.)	193.400 THz
	$V_{π}$	7 V (@20 GHz)		$λ_{p}$ (Public ch.)	193.200 THz
BPF	Type	50 GHz AWG	EDFA	Saturation power	17.5 dBm
	Shape	Gaussian	EDFA	Noise figure	5.5 dB (ss)
	BW	32 GHz

Demonstration of coherent stealthy and encrypted transmission for data center interconnection

Abstract

1. Introduction

2. The encryption system

2.1. Encryption by sampling and phase masks

2.2. Performance: quantitative analysis and measures

3. Experimental Setup

4. Measurement Results

5. Conclusions

Funding

References and links

Cited By

Figures (5)

Tables (1)

Equations (10)

Optics Express