ISRN Communications and Networking
Volume 2011 (2011), Article ID 502987, 9 pages
Research Article

Joint Scheme for Physical Layer Error Correction and Security

Department of Electrical Engineering, University of North Texas, Denton, TX 76207, USA

Received 31 August 2010; Accepted 21 September 2010

Academic Editors: M.-S. Hwang, C. Pomalaza-Ráez, Y. M. Tseng, and A. Vaccaro

Copyright © 2011 Oluwayomi Adamo and M. R. Varanasi. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


We present a joint scheme that combines both error correction and security at the physical layer. In conventional communication systems, error correction is carried out at the physical layer while data security is performed at an upper layer. As a result, these steps are done as separate steps. However there has been a lot of interest in providing security at the physical layer. As a result, as opposed to the conventional system, we present a scheme that combines error correction and data security as one unit so that both encryption and encoding could be carried out at the physical layer. Hence, in this paper, we present an Error Correction-Based Cipher (ECBC) that combines error correction and encryption/decryption in a single step. Encrypting and encoding or decoding and decrypting in a single step will lead to a faster and more efficient implementation. One of the challenges of using previous joint schemes in a communications channel is that there is a tradeoff between data reliability and security. However, in ECBC, there is no tradeoff between reliability and security. Errors introduced at the transmitter for randomization are removed at the receiver. Hence ECBC can utilize its full capacity to correct channel errors. We show the result of randomization test on ECBC and its security against conventional attacks. We also present the nonpipelined and pipelined hardware architecture of ECBC, and the result of the FPGA implementation of the ECBC encryption. We also compare these results with non-ECBC schemes.

1. Introduction

Due to the rapid increase in the applications that can be carried out on portable wireless devices, it has become necessary to secure data transmitted through these devices. Even though early work from [1] showed the existence of secrecy-achieving codes, error correction and data security schemes are still viewed as two different processes in a contemporary communication system. Error correction is carried out at the physical layer while security is performed at upper layers. Many security protocols today are designed and implemented with the assumption that the physical layer provides error-free information. However, with the emergence of resource-constrained wireless devices and ad hoc networks, encryption at higher layers becomes difficult to implement. As a result, there has been a lot of interest in implementing encryption at the physical layer. The authors in [2] pointed out that the best and often the only way to secure data in a wireless sensor network is to encrypt the data using a secure encryption algorithm before it is transmitted over the airwaves. They pointed out that the cost of a software-based encryption procedure could outweigh the risks of the transmission being intercepted because of the constrained nature of resources, memory, and clock speeds on the sensor nodes.

Authors in [3, 4] have proposed physical layer encryption. However these encryption modules are visualized as a separate module from the error correction module. Contrary to their models, we propose a joint scheme that combines encryption and error correction in one step for physical layer encryption. In such a case, the secrecy achieving characteristics of channel codes could be exploited. This leads to improved efficiency, speeds and savings in hardware usage because of hardware reuse. This also gives flexibility in terms of design and technology used for fabrication. It is also difficult to build lower layer analyzers in terms of attacks.

The conventional secure communication model with the sender (Alice), legitimate receiver (Bob), and the eavesdropper (Eve) [1] is shown in Figure 1. Alice would like to send a confidential and reliable message 𝐮 to Bob with whom they share a secret key while making sure that Eve has no knowledge of 𝐮. She does this by encrypting 𝐮 with the secret key 𝐤 to obtain a ciphertext 𝐜. The ciphertext 𝐜 is encoded by introducing redundancy into 𝐜 to obtain 𝐱 so that channel errors could be detected and corrected at the receiver by Bob. Upon receiving 𝐲, the legitimate receiver (Bob) decodes it to obtain 𝑐 and he then decrypts with the aid of 𝐤 to obtain the message 𝑢 intended for Bob. It is important to note that eavesdropper (Eve) has a knowledge of the decoder, hence she can obtain an error-free ciphertext as shown in Figure 1. The knowledge of the decoder does not decrease Shannon's entropy of 𝐦 given 𝑐=𝐜 which can be expressed as 𝐇(𝐮/𝐜)=𝐇(𝐮).

Figure 1: Block diagram of a conventional secure communication system model.

In Figure 2, we show the alternative secure communication model for our scheme. Alice wants to send a message 𝐮 to Bob, with whom she shares a secret key, while making sure that Eve has no knowledge of 𝐮. She does this by passing the message through the Error Correction-Based Cipher (ECBC) to obtain encoded ciphertext 𝐱 with the aid of secret key 𝐤. Upon receiving 𝐲, the legitimate receiver (Bob) decodes and decrypts in a single step using ECBC with the aid of 𝐤 to obtain the message 𝑢 intended for Bob. The eavesdropper (Eve) does not have knowledge of the key to ECBC, hence the ciphertext she receives is not error-free, as shown in Figure 2. Shannon's entropy of 𝐮 for our model is therefore larger than that of the conventional model, which can be expressed as $(\mathbf{H}(\mathbf{u}/\mathbf{c}))_{\mathrm{ecbc}} > \mathbf{H}(\mathbf{u})$.

Figure 2: Block diagram of a secure communication system using ECBC model.

This research combines encryption and channel coding into one process, which can potentially reduce hardware usage and in turn increase power savings [5], as power consumption reduction and area efficiency are of utmost importance in modern wireless communication [6]. Also, there is no tradeoff between data reliability and security in ECBC as opposed to previous schemes [7–9]. The ECBC scheme, cryptanalysis of ECBC, the result of the randomization test on ECBC, and the hardware implementation of ECBC are presented in this paper. The ECBC carries out both encryption and error correction in a single step as opposed to two separate steps.

2. Related Work

The authors in [3] considered an architecture for physical layer encryption that first converts information sequences to longer channel codewords and then encrypts them using classical stream cipher. They pointed out that even though their architecture requires longer encryption sequences, it could use the natural randomness of the communication channel against known-plaintext. In our scheme, the order of the two processes is not of concern since they are done in one step by one unit. The authors in [2] pointed out how physical layer encryption is taking significant importance in wireless network security. They propose an efficient physical layer encryption that relies on implementation of OFB mode just after error correction.

The use of error correcting code as a public-key cryptosystem was introduced by [8]. The McEliece scheme is based on algebraic coding theory using a 𝑡-error correcting Goppa code. However, this scheme requires a large block length (𝑛=1000) in order to correct a large number of errors (𝑡=50 bits). This results in very large computational overhead [9]. The author in [10] proposed a private key algebraic-code scheme using the McEliece scheme, where he suggested that the generator matrix be made private. This scheme provides better security with a simpler error-correcting code, thereby making it less computationally intensive compared with McEliece. However, the author in [9] showed that it could be easily broken by a chosen-plaintext attack. They introduced a private key cryptosystem that requires simpler error correcting codes with distance 6 and block length 𝑛250. If these schemes are used for error-correction based ciphers, there is a tradeoff between reliability and security. The authors in [7] presented the Secret Error Correcting Code (SECC) using nonlinear Preparata code. Their two schemes preserve full error correcting capability while providing data secrecy. However, their Scheme I does not incorporate the error vector into the process. In our scheme, by contrast, the error vector is added to the plaintext for randomization, thereby increasing the security of our system. The most recent joint scheme for error correction and cryptography was presented in [11], where High Diffusion (HD) codes were used. The authors built their cipher using the structure of the Advanced Encryption Standard (AES) [12], replacing the high diffusion layer of the AES with an error correcting code. Though their scheme provides data security and error correction, it is higher in complexity compared to McEliece-based schemes. They [5, 11] even confirmed that McEliece-based schemes have the advantage of low power consumption by using the same hardware components available for error correction for security. As a result, McEliece-like schemes are desired for a constrained environment. Our Error Correction-Based Cipher provides data reliability, integrity, and security. The full error correcting capability of the error correcting code is preserved.

3. Error Correction-Based Cipher (ECBC)

We present a private key algebraic-based system for physical layer encryption called Error Correction-Based Cipher (ECBC) that combines encryption and error correction into a single step. The scheme is based on the block chaining technique. In ECBC, a $k$-bit plaintext block $M$ is enciphered into an $n$-bit ciphertext block $C$. A detailed explanation of ECBC is presented in this section.
(i) A stream of data is divided into $k$-bit blocks $M_i$, $i$ = 1, 2, 3, and so forth.
(ii) Plaintext $M_i$ is XORed with a randomization vector to obtain $d_i$. The first plaintext block $M_1$ at time 1 is randomized by XORing it with a $k$-bit initialization vector ($Q_0$ = initialization vector (IV)).
(iii) A nonlinear function $f$ transforms $d_i$ into $X_i$. The reason for the use of a nonlinear function will be explained in the cryptanalysis section of this paper.
(iv) The output of the nonlinear function $X_i$ is encoded with the aid of the generator matrix $G$ to obtain $b_i$. $X_i$ is also stored in a register to obtain a delayed version, which is then used to produce the randomly generated vector $Z_i$ with the aid of an expansion function ($g$).
(v) The encoded data $b_i$ is permuted with the aid of permutation matrix $P$ to produce $Q_i$. The first $k$-bit of $Q_i$ is denoted as $Q_i$ and is delayed with the aid of a register to produce $Q_{i-1}$, which will be XORed with the next block $M_{i+1}$.
(vi) The randomly generated error vector $Z_i$ is then added to $Q_i$ to form ciphertext $C_i$, which is then sent through the channel.

A ciphertext $C_i$ is expressed mathematically as
$$C_i = X_i G P + Z_i. \tag{1}$$

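The block diagram representing the encryption process of ECBC is shown in Figure 3. Ciphertexts $C_i$ for $i$ = 1, 2, 3, and so forth, are shown as
$$C_1 = f(M_1 + Q_0)GP + Z_1, \tag{2}$$
where $Q_0 = \mathrm{IV}_1$ and $Z_1 = g(\mathrm{IV}_2)$,
$$C_2 = f(M_2 + Q_1)GP + Z_2, \tag{3}$$
where $Q_1 = f(M_1 + Q_0)GP$ and $Z_2 = g(X_1)$, $X_1 = f(M_1 + Q_0)$, and
$$C_3 = f(M_3 + Q_2)GP + Z_3, \tag{4}$$
$$C_i = f(M_i + Q_{i-1})GP + Z_i, \tag{5}$$
where $Q_{i-1} = f(M_{i-1} + Q_{i-2})GP$ and $Z_i = g(X_{i-1})$, $X_{i-1} = f(M_{i-1} + Q_{i-2})$.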

Figure 3: Block diagram of the proposed ECBC encryption scheme.

The block chaining effect of this scheme allows the same plaintext block to be enciphered into different ciphertexts. Block chaining is a mechanism where each block of plaintext is XORed with the previous ciphertext block being encrypted. Similarly, the decryption of a block of ciphertext depends on all the preceding ciphertext blocks. From the encryption algorithm, the cryptanalysis would be difficult. The cryptanalyst cannot construct a combinatorially equivalent generator matrix of the code from the ciphertexts because the ciphertexts are not codewords. Hence, the cryptanalyst cannot correct errors systematically. The cipher also employs double randomization since the plaintext is XORed with $Q_{i-1}$ and the permuted codeword is XORed with $Z_i$. This also prevents construction of the generator matrix from the ciphertext.

For decryption, we assume that the receiver has to agree with the transmitter. This means that they have to agree on the initial $Q_0$ and $X_0$ vectors (initialization vectors). For this section, we also assume that the decoding is done correctly in order to decrypt. The decoding process is outlined below.
(i) The initialization vector is fed into the expansion function $g$ to produce error vector $Z_i$.
(ii) The vector ($Z_i$) is XORed with the ciphertext $C_i$ to produce $Q_i$.
(iii) $Q_i$ is multiplied by the transpose of the permutation matrix $P$ to produce $b_i$.
(iv) $b_i$ is decoded into $X_i$.
(v) The inverse of the nonlinear function $f^{-1}$ is applied to $X_i$ to produce $d_i$.
(vi) $d_i$ is XORed with $Q_{i-1}$ to obtain the plaintext $M_i$.

The decryption process is shown mathematically in (6), (7), (8), (9), (10), and (11). The block diagram representing the decryption process is shown in Figure 4.

Figure 4: Block diagram of the proposed ECBC decryption scheme.

To show the decryption process in a noiseless channel, let the received ciphertext be $C_i$ (assuming no error due to the channel),
$$C_i = f(M_i + Q_{i-1})GP + Z_i. \tag{6}$$
Applying the decryption process to (5) we get
$$Q_i = f(M_i + Q_{i-1})GP + Z_i + Z_i = f(M_i + Q_{i-1})GP. \tag{7}$$
Multiplying with the transpose of the permutation matrix, we have
$$b_i = f(M_i + Q_{i-1})GPP^T = f(M_i + Q_{i-1})G. \tag{8}$$
Applying the decoding algorithm to $b_i$ depending on the code employed, then
$$X_i = f(M_i + Q_{i-1}). \tag{9}$$
Applying the inverse of the nonlinear function $f^{-1}$, then
$$d_i = M_i + Q_{i-1}. \tag{10}$$
Adding the error vector $Q_{i-1}$ to $d_i$, we get
$$d_i + Q_{i-1} = M_i + Q_{i-1} + Q_{i-1} = M_i, \tag{11}$$
where $M_i$ is the message block $i$.

For the case of a noisy channel with error vector $Z_c$ due to the channel, we assume that $Z_c$ is within the error correcting capability of the code. The received ciphertext with the channel error is
$$C'_i = C_i + Z_c. \tag{12}$$
From (12), we know that
$$C'_i = f(M_i + Q_{i-1})GP + Z_i + Z_c. \tag{13}$$
Applying the decryption process (we use $Q'_i$ because of the effect of the channel error), we have
$$Q'_i = f(M_i + Q_{i-1})GP + Z_i + Z_c + Z_i = f(M_i + Q_{i-1})GP + Z_c. \tag{14}$$
Multiplying with the transpose of the permutation matrix, we get
$$b'_i = \big(f(M_i + Q_{i-1})GP + Z_c\big)P^T = f(M_i + Q_{i-1})G + Z_c P^T. \tag{15}$$
Note that $P^T$ does not change the weight of $Z_c$. Let $W_H$ represent the Hamming weight, hence
$$W_H(Z_c) = W_H(Z_c P^T). \tag{16}$$
Applying the decoding algorithm to $b'_i$, then
$$X_i = f(M_i + Q_{i-1}). \tag{17}$$
Applying the inverse of the nonlinear function $f^{-1}$, then
$$d_i = M_i + Q_{i-1}. \tag{18}$$
Adding the error vector $Q_{i-1}$ to $d_i$, we have
$$d_i + Q_{i-1} = M_i + Q_{i-1} + Q_{i-1} = M_i. \tag{19}$$

From the above proof, the error-correction ability of the code is fully preserved for possible channel errors because the error introduced intentionally at the sender can be removed thanks to synchronization of the initialization vector. Hence error due to the channel can be removed. In summary, the decryption process is shown in Figure 4 and expressed mathematically:
$$f^{-1}\big(D\big((C_i + Z_i)P^T\big)\big) + Q_{i-1} = M_i, \tag{20}$$
where $Z_i = g(X_{i-1})$,
$$D\big((C_i + Z_i)P^T\big) = X_i, \qquad f^{-1}(X_i) + Q_{i-1} = M_i. \tag{21}$$

In this scheme, errors due to an intruder's tampering which cannot be removed by the error-correcting code will propagate to the later blocks due to the block-chaining technique. Hence, this scheme could be used as a checksum to detect illegal tampering or modification [13]. However, the transmitter will have to resend the data if the error-correcting code cannot correct the modification. Based on these features, ECBC not only provides error detection and correction, but also data integrity.
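The encryption steps (i)-(vi) and the decryption derivation (6)-(19), as an added worked example that is not the authors' code. Assumptions: a Hamming(7,4) code stands in for LDPC, `SBOX` is a constructed 4-bit bijection for f, `g` is a truncated keyed SHA-256, `PERM`, the key, IVs and message are constructed, and the receiver re-encodes the decoded X_i to get an error-free Q_i for chaining.

```python
import hashlib

K, N = 4, 7  # toy sizes: k-bit plaintext block, n-bit ciphertext block
# Stand-in code (assumption): Hamming(7,4), G = [I | A], corrects one bit error.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]
PERM = [2, 0, 6, 3, 1, 5, 4]  # constructed P: row i has its 1 in column PERM[i]
SBOX = [12, 5, 6, 11, 9, 0, 10, 13, 3, 14, 15, 8, 4, 7, 1, 2]  # constructed f
SBOX_INV = [SBOX.index(v) for v in range(16)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def to_int(bits):
    return int("".join(map(str, bits)), 2)

def f(d):
    return to_bits(SBOX[to_int(d)], K)

def f_inv(x):
    return to_bits(SBOX_INV[to_int(x)], K)

def g(key, x_prev):
    """Keyed nonlinear expansion of a k-bit vector into the n-bit vector Z."""
    return to_bits(hashlib.sha256(key + bytes(x_prev)).digest()[0] >> 1, N)

def encode(x):  # b = X G over GF(2)
    return [sum(x[r] & G[r][c] for r in range(K)) % 2 for c in range(N)]

def permute(b):  # Q = b P
    q = [0] * N
    for row, col in enumerate(PERM):
        q[col] = b[row]
    return q

def unpermute(q):  # b = Q P^T
    return [q[col] for col in PERM]

def decode(b):
    """Syndrome decoding: fix at most one flipped bit, return the k data bits."""
    syn = [sum(H[r][c] & b[c] for c in range(N)) % 2 for r in range(N - K)]
    if any(syn):
        columns = [[H[r][c] for r in range(N - K)] for c in range(N)]
        b = b[:]
        b[columns.index(syn)] ^= 1
    return b[:K]

def encrypt(blocks, key, iv1, iv2):
    q_prev, x_prev, out = iv1, iv2, []
    for m in blocks:
        x = f(xor(m, q_prev))               # d_i = M_i + Q_{i-1}, X_i = f(d_i)
        q = permute(encode(x))              # Q_i = X_i G P
        out.append(xor(q, g(key, x_prev)))  # C_i = Q_i + Z_i, Z_i = g(X_{i-1})
        q_prev, x_prev = q[:K], x
    return out

def decrypt(blocks, key, iv1, iv2):
    q_prev, x_prev, out = iv1, iv2, []
    for c in blocks:
        x = decode(unpermute(xor(c, g(key, x_prev))))  # strip Z_i, undo P, decode
        out.append(xor(f_inv(x), q_prev))              # M_i = f^-1(X_i) + Q_{i-1}
        # Assumption: the receiver re-encodes X_i to get an error-free Q_i.
        q_prev, x_prev = permute(encode(x))[:K], x
    return out

def flip(blocks, block_no, positions):
    """Return a copy of the ciphertext with the given bit positions flipped."""
    noisy = [c[:] for c in blocks]
    for pos in positions:
        noisy[block_no][pos] ^= 1
    return noisy

KEY, IV1, IV2 = b"constructed-key", [1, 0, 1, 1], [0, 1, 1, 0]
MESSAGE = [[1, 0, 0, 1], [1, 0, 0, 1], [0, 1, 1, 1]]  # constructed plaintext blocks
CIPHERTEXT = encrypt(MESSAGE, KEY, IV1, IV2)

if __name__ == "__main__":
    print("clean channel :", decrypt(CIPHERTEXT, KEY, IV1, IV2) == MESSAGE)
    print("1 bit flipped :", decrypt(flip(CIPHERTEXT, 1, [5]), KEY, IV1, IV2) == MESSAGE)
    print("2 bits flipped:", decrypt(flip(CIPHERTEXT, 0, [0, 3]), KEY, IV1, IV2) == MESSAGE)
```

A single flipped bit per block is corrected after Z_i is removed, while two flipped bits exceed this toy code's capability and the first decrypted block no longer matches.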

4. Cryptanalysis

Cryptanalysis will be more difficult because the same plaintext block will be encrypted to different ciphertexts. The cryptanalyst cannot construct an equivalent generator matrix combinatorially [7], since the ciphertexts are not codewords; as a result, errors cannot be corrected systematically. We analyze the security that this scheme provides in this section.

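In a case where $X_i$ is fed forward and $Q_{i-1}$ is not fed back, then the encryption process can be expressed as
$$\begin{aligned}
C_i &= f(M_i)GP + Z_i, \qquad Z_1 = g(\mathrm{IV}_2),\\
C_{i+1} &= f(M_{i+1})GP + g(f(M_i)),\\
C_{i+2} &= f(M_{i+2})GP + g(f(M_{i+1})),\\
C_{i+3} &= f(M_{i+3})GP + g(f(M_{i+2})),\\
C_i &= f(M_i)GP + g(X_{i-1}).
\end{aligned} \tag{22}$$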

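A chosen plaintext attack will break $GP$ if the expansion function $g$ is a linear function that has a left inverse based on the equations. To see this, let $M_i = M_{i+1}$ and $M_{i+2} = M_{i+3}$, then
$$\begin{aligned}
C_{i+1} + C_{i+2} &= \big(f(M_{i+1}) + f(M_{i+2})\big)GP,\\
C_{i+2} + C_{i+3} &= g(f(M_{i+1})) + g(f(M_{i+2})).
\end{aligned} \tag{23}$$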

If $g$ is linear,
$$g(f(M_{i+1})) + g(f(M_{i+2})) = g\big(f(M_{i+1}) + f(M_{i+2})\big). \tag{24}$$

From (24),
$$f(M_{i+1}) + f(M_{i+2}) = g^{-1}(C_{i+2} + C_{i+3}). \tag{25}$$

$GP$ can be derived if the cryptanalyst could obtain $k$ such distinct pairs. However, $GP$ is a permuted version of $G$, which increases the work factor of deriving $G$. This is one of the features that differentiates ECBC from previous schemes. Also, if $g$ is a secret nonlinear function, then this attack will not work at all, and ECBC uses a nonlinear function for $g$.
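A design check for the argument in (22)-(25), added here as an example and not taken from the paper: it confirms that the relation holds for every chosen pair when g is linear with a left inverse, and stops holding when g is nonlinear. The 4-bit `SBOX`, the matrices `GP` and `E`, and `g_nonlinear` are constructed toy values.

```python
SBOX = [12, 5, 6, 11, 9, 0, 10, 13, 3, 14, 15, 8, 4, 7, 1, 2]  # constructed 4-bit f
GP = [0b0110001, 0b1010010, 0b1100100, 0b1111000]  # constructed secret 4x7 matrix GP
E = [0b1000011, 0b0100101, 0b0010110, 0b0001111]   # constructed linear g: x -> x E

def vecmat(x, rows):
    """Multiply the 4-bit row vector x by a matrix of row bitmasks over GF(2)."""
    acc = 0
    for i, row in enumerate(rows):
        if (x >> (len(rows) - 1 - i)) & 1:
            acc ^= row
    return acc

def g_linear(x):
    return vecmat(x, E)

def g_nonlinear(x):
    return (SBOX[x] << 3) | (x & 0b111)

def g_left_inverse(z):
    """Left inverse of g_linear: E = [I | B], so the top four bits are x."""
    return z >> 3

def encrypt_feedforward(blocks, g, x0=0):
    """C_i = f(M_i) GP + g(X_{i-1}) with X_i = f(M_i), the variant of (22)."""
    out, x_prev = [], x0
    for m in blocks:
        x = SBOX[m]
        out.append(vecmat(x, GP) ^ g(x_prev))
        x_prev = x
    return out

def leaked_pair(a, b, g):
    """Chosen plaintext a, a, b, b: return (u, v) as in (23) and (25)."""
    c = encrypt_feedforward([a, a, b, b], g)
    v = c[1] ^ c[2]                  # (f(a) + f(b)) GP: the g terms cancel
    u = g_left_inverse(c[2] ^ c[3])  # equals f(a) + f(b) only if g is linear
    return u, v

def relation_holds(g):
    """Count chosen pairs (a, b) for which v = u GP, i.e. a row relation of GP leaks."""
    return sum(vecmat(u, GP) == v
               for a in range(16) for b in range(16)
               for u, v in [leaked_pair(a, b, g)])

if __name__ == "__main__":
    print("linear g   :", relation_holds(g_linear), "of 256 pairs satisfy v = u GP")
    print("nonlinear g:", relation_holds(g_nonlinear), "of 256 pairs satisfy v = u GP")
```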

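We analyze the case where $Q_i$ is fed back and $X_i$ is not fed forward. The encryption sequence is shown below:
$$\begin{aligned}
C_1 &= f(M_1 + Q_0)GP, \qquad Q_0 = \mathrm{IV}_1,\\
C_2 &= f(M_2 + Q_1)GP, \quad \text{where } Q_1 = f(M_1 + Q_0)GP,\\
C_3 &= f(M_3 + Q_2)GP,\\
C_i &= f(M_i + Q_{i-1})GP, \quad \text{where } Q_{i-1} = f(M_{i-1} + Q_{i-2})GP.
\end{aligned} \tag{26}$$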

The cryptanalyst would have to search for equivalent ciphertexts where $C_i = C_j$; as a result, $f(M_i + Q_{i-1}) = f(M_j + Q_{j-1})$, which means that $Q_i = Q_j$. If $f$ is a linear transformation, then $C_{i+1} + C_{j+1} = f(M_{i+1})GP + f(M_{j+1})GP$. As a result, $fGP$ can be figured out by a known plaintext attack. However, if $f$ is a nonlinear transformation, this line of attack will not work. The cryptanalyst can collect $k$ linearly independent equivalent codewords to construct $G' = fGP$, which is combinatorially equivalent to $G$. It will be computationally infeasible to estimate the matrix $G$ if $k$ is large enough.

The ECBC scheme withstands chosen-plaintext attacks [14] because of the nonlinear function 𝑓 that transforms the plaintext. As a result, the cryptanalyst cannot construct unit vectors from chosen plaintext to construct the 𝐺.

5. Architecture of Error Correction-Based Cipher

The architecture of the ECBC scheme for encryption is shown in Figure 5. The shift register contains received stream data. Each block of data is shifted into the 𝑘-bit buffer. The output of the buffer (message block) is randomized with the output of the multiplexer MuxA through an XOR gate. The inputs to the multiplexer are a random Initial Vector (IV) and a delayed version of the permuted encoded data. The control unit outputs the selector (selA) for the multiplexer as shown in Figure 5.

Figure 5: Architecture of proposed Error Correction-Based Cipher.

The output from the XOR gate is fed into the SBOX unit. The SBOX [12] represents the nonlinear function $f$. This is a function that computes the multiplicative inverse of each input byte of the state in GF($2^8$) followed by an affine transformation. It is a nonlinear byte substitution and it is composed of two transformations:
(i) multiplicative inverse in GF($2^8$): this is the mapping $x \to x^{-1}$, where $x^{-1}$ is the multiplicative inverse;
(ii) affine transformation over GF(2): $x \to Ax + b$, where $A$ and $b$ are constants.

We implement the S-box with a multiplexer and lookup tables. In our implementation, given an $n$-bit input into the $f$ function, $n/8$ S-boxes are applied to the $n/8$ bytes of data that make up the input. Each of the $n/8$ bytes is substituted by the corresponding element in its S-box. The byte outputs from the S-boxes are then concatenated together to form a vector. The & sign is used to represent the concatenation unit. The architecture of the SBOX is shown in Figure 6.

Figure 6: Architecture of SBOX.

The concatenated output from the SBOX is encoded using the generator matrix ($G$) of a Low Density Parity Check (LDPC) code. LDPC codes are linear block codes. They are codes that have received major attention in recent years because of their excellent performance and error correction capability. We used LDPC code because it has good diffusion property. It has good linearity relationship between code length and the minimum weight/code distance. The random LDPC code has higher security than QC LDPC codes [15]. An $(n, k)$ LDPC code has $k$ information bits and $n$ codeword bits with code rate $r = k/n$. The parity check matrix $H$ has a dimension of $(n-k) \times n$. LDPC encoding is based on the property
$$uH^T = 0, \tag{27}$$
where $u$ is the $n$-bit codeword bits and $H$ is the parity check matrix. The parity check matrix $H$ can be expressed as
$$H = [H_1 \;\; H_2], \tag{28}$$
where $H_1$'s dimension is $(n-k) \times (n-k)$ and $H_2$'s is $(n-k) \times k$. The information bit could be expressed as
$$u = [p \;\; s], \tag{29}$$
where $s$ is the $k$-bit information bits and $p$ is the $n-k$ parity bits. Based on (27),
$$H_1 p + H_2 s = 0, \tag{30}$$
since operation is in GF(2),
$$p = H_1^{-1} H_2 s. \tag{31}$$

The architecture of the LDPC encoder is shown in Figure 7. Each parity bit is obtained by matrix-vector multiplication of matrix $H_2$ with the output of the SBOX unit. Since the matrix-vector multiplication operation is carried out in GF(2), each row of matrix $H_2$ is ANDed with the vector output ($s$) from the SBOX. The outputs from the $(n-k)$ AND gates are then XORed together to produce the parity bit. Multiplication by $H_1^{-1}$ is not necessary if the $H$ matrix is systematic. The codeword is reconstructed by concatenating the parity with the $k \times 1$ SBOX output with the aid of the Codeword Construction Unit.

Figure 7: Architecture of the LDPC encoder unit.

The architecture of the permutation unit is shown in Figure 8. The unit permutes the codeword output from the encoder unit. We attempt to explain the permutation unit in Figure 8 in this section. Assume we have a permutation matrix $P$ as follows:
$$P = \begin{bmatrix} 0 & 1 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{bmatrix}. \tag{32}$$

Figure 8: Architecture of the permutation unit.

The column numbers where 1s are located in the permutation matrix are stored instead of storing the 0s and the 1s. The row number (index) is used for referencing the column. For example, from Figure 8, in row 1 (index), the 1 is located in column 2; in row 2, the 1 is located in column 1; and in row 3, the 1 is located in column 3. The column numbers are used as selectors for the multiplexers, which in turn determine the output of the permutation unit. Each multiplexer is an $n$-to-1 multiplexer.
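The parity computation of (27)-(31) and the index-based permutation just described, as an added example rather than the authors' implementation. The small matrix `H` is constructed for illustration (it is not a real LDPC matrix) and has a non-identity $H_1$ so that the $H_1^{-1}$ step is exercised; `P` is the matrix of (32).

```python
H = [[1, 1, 0, 1, 0, 1],  # constructed (n - k) x n parity-check matrix, n = 6, k = 3;
     [0, 1, 1, 1, 1, 0],  # the left 3 x 3 part is H1, the right 3 x 3 part is H2
     [0, 0, 1, 0, 1, 1]]
P = [[0, 1, 0],           # permutation matrix of equation (32)
     [1, 0, 0],
     [0, 0, 1]]

def gf2_inverse(m):
    """Invert a square 0/1 matrix over GF(2) by Gauss-Jordan elimination."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("H1 is singular over GF(2)")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def matvec(m, v):
    """Each output bit: AND one matrix row with v, then XOR the products."""
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in m]

def encode(h, s):
    """Return u = [p | s] with p = H1^-1 H2 s, where H = [H1 H2]."""
    r = len(h)
    h1 = [row[:r] for row in h]
    h2 = [row[r:] for row in h]
    p = matvec(gf2_inverse(h1), matvec(h2, s))
    return p + s

def syndrome(h, u):
    """H u^T; all zeros exactly when u satisfies the parity checks of (27)."""
    return matvec(h, u)

def column_indices(p):
    """Store only the column of the single 1 in each row (0-based here)."""
    return [row.index(1) for row in p]

def permute(v, cols):
    """Compute v P from the stored indices: input bit i goes to output cols[i]."""
    out = [0] * len(v)
    for i, col in enumerate(cols):
        out[col] = v[i]
    return out

if __name__ == "__main__":
    u = encode(H, [1, 0, 1])
    print("codeword [p | s]:", u, "syndrome:", syndrome(H, u))
    print("stored columns  :", column_indices(P))
    print("[1, 0, 0] P     :", permute([1, 0, 0], column_indices(P)))
```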

The control unit for the ECBC is modeled as a Finite State Machine (FSM) as shown in Figure 9. The control unit has six states: Initial, Fetch, random, substitute, encode, and permutation. The initial state is the first state after reset where zeros are written to all the registers. If start is asserted at the initial state, the present state becomes the fetch state. At the fetch state, a block of data is read into the buffer from the stream shift register. Control is transferred to the randomization state after the fetch state where the input block is randomized. The control unit also outputs the selector for MUXA at the random state. At the substitute state, control signal is sent to the concat (&) unit in order to concatenate all the output blocks coming from the SBOX. In the encode state, codeword is generated by the encoder. The next state is the perm state where the codeword from the encoder is permutated. After perm state, an encrypted data is produced and the present state becomes the fetch state where another block is fetched. The 5-staged pipelined architecture of the ECBC is shown in Figure 10. The figure includes the 5 pipeline registers. This architecture helps to increase the throughput of ECBC.

Figure 9: Control unit as a Finite State Machine (FSM).
Figure 10: Architecture of the pipelined ECBC datapath.

6. Implementation and Result

The ECBC scheme was implemented in software for the purpose of verification and randomization test. The nonlinear function $f$ was implemented using S-box [12]. We used the generator matrix ($G$) of Low-Density Parity Check (LDPC) code for error correction. We used LDPC code because it has good diffusion property. It has good linearity relationship between code length and the minimum weight/code distance. The random LDPC code has higher security than QC LDPC codes [15]. The permuted output of the ECBC is XORed with the output of a pseudorandom number generator. The key is the seed to a pseudorandom generator that generates a random sequence of bits that is XORed with the permuted codeword. In our case, KISS99 was used as a generator. We heuristically tested the ECBC by testing for randomness in the output. The ECBC was used as a pseudorandom number generator in counter mode. TestU01 [16] was used to test the randomness of the output of ECBC in counter mode. We tested for $P$-values within the boundary $[10^{-4}, 1 - 10^{-4}]$. Any $P$-value lying outside this range is considered a failure, while one within the range is considered a pass. Table 1 lists the test suites, the number of tests in each suite, and the results. A total of 319 tests were carried out and the ECBC passed all of them. It is important to point out that passing the randomization test does not guarantee that such a scheme is secure. However, it is important that a cryptographic scheme's output should be random.

Table 1: Result of test suites on ECBC.

We also plotted the graph of Bit Error Rate (BER) against Signal-to-Noise Ratio (SNR) in Figure 11 to see the effect of ECBC system on the performance. The green curve (𝑥) is for the case where ECBC is not used while the blue curve (𝑜) is for the case where ECBC is part of the communication system. The graph shows that the performance is the same in both cases.

Figure 11: Plot of BER against SNR.

We implemented the ECBC on a Field Programmable Gate Array (FPGA), the Xilinx Spartan 3E xc3s1200e-4ft256, using ISE Foundation 11.2. The result of the implementation is shown in Table 2. For the nonpipelined architecture, 23% of the slices were used, with a maximum frequency of 130.924 MHz. For the pipelined architecture, 26% of the slices were used, with a maximum frequency of 105 MHz. Even though the maximum frequency is reduced, the throughput for the pipelined architecture is 8 Gb/s. The non-ECBC method combines AES and LDPC as separate units. These results show significant reduction in hardware usage.

Table 2: Result of FPGA implementation.

7. Conclusion

In this paper we have presented a physical layer encryption scheme that is capable of providing data reliability, secrecy, and integrity. The scheme is able to provide error correction and security. We also presented the architecture and the implementation of the Joint scheme. The error correcting capability of the code is fully preserved because the error deliberately introduced at the sender end can be removed at receiver because of synchronization. In the joint scheme presented, there is no tradeoff between reliability and security because errors introduced at the transmitter are removed at the receiver. Hence ECBC can utilize its full capacity to correct channel errors. The scheme is also secure against some conventional attacks. The result of implementation is also presented. This joint scheme could easily be adapted to existing protocols such as in CC2420—Single-Chip 2.4 GHz IEEE 802.15.4 Compliant and ZigBee Ready RF Transceiver where AES is already implemented.


  1. A. D. Wyner, “The wire-tap channel,” Bell System Technical Journal, vol. 54, no. 8, pp. 1355–1387, 1975.
  2. M. Healy, T. Newe, and E. Lewis, “Analysis of hardware encryption versus software encryption on wireless sensor network motes,” in Smart Sensors and Sensing Technology, vol. 20 of Lecture Notes in Electrical Engineering, pp. 3–14, Springer, 2008.
  3. A. Zúquete and J. Barros, “Physical-layer encryption with stream ciphers,” in Proceedings of IEEE International Symposium on Information Theory (ISIT '08), pp. 106–110, July 2008.
  4. A. Ahmad, A. Biri, and H. Afifi, “Study of a new physical layer encryption concept,” in Proceedings of the 5th IEEE International Conference on Mobile Ad-Hoc and Sensor Systems (MASS '08), pp. 860–865, October 2008.
  5. C. N. Mathur, A mathematical framework for combining error correction and encryption, Ph.D. dissertation, Stevens Institute of Technology, Hoboken, NJ, USA, 2007.
  6. T. Pionteck, T. Staake, T. Stiefmeier, L. D. Kabulepa, and M. Glesner, “Design of a reconfigurable AES encryption/decryption engine for mobile terminals,” in Proceedings of IEEE International Symposium on Circuits and Systems, vol. 2, pp. 545–548, May 2004.
  7. T. Hwang and T. R. N. Rao, “Secret error-correcting codes (SECC),” in Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, pp. 540–563, 1988.
  8. R. J. McEliece, “A public-key cryptosystem based on algebraic coding theory,” Tech. Rep., DSN Progress Rep., Jet Propulsion Laboratory, Pasadena, Calif, USA, 1978.
  9. T. R. N. Rao and K. Nam, “Private-key algebraic-code encryptions,” IEEE Transactions on Information Theory, vol. 35, no. 4, pp. 829–833, 1989.
  10. T. R. N. Rao, “Joint encryption and error correction schemes,” in Proceedings of the 11th Annual International Symposium on Computer Architecture, pp. 240–241, 1984.
  11. C. N. Mathur, K. Narayan, and K. P. Subbalakshmi, “On the design of error-correcting ciphers,” EURASIP Journal on Wireless Communications and Networking, vol. 2006, Article ID 42871, 12 pages, 2006.
  12. J. Daemen and V. Rijmen, The Design of Rijndael: AES—The Advanced Encryption Standard, Springer, Berlin, Germany, 2002.
  13. C. H. Meyer and S. M. Matyas, Cryptography: A New Dimension in Computer Data Security, John Wiley & Sons, New York, NY, USA, 1982.
  14. R. Struik and J. van Tilburg, “The Rao-Nam scheme is insecure against a chosen-plaintext attack,” in Proceedings of the 7th Annual International Cryptology Conference on Advances in Cryptology, pp. 445–457, 1987.
  15. Q. Su and Y. Xiao, “Design of LDPC-based error correcting cipher,” in Proceedings of the 2nd IET International Conference on Wireless, Mobile and Multimedia Networks (ICWMMN '08), pp. 470–474, October 2008.
  16. P. L'Ecuyer and R. Simard, “TestU01: a C library for empirical testing of random number generators,” ACM Transactions on Mathematical Software, vol. 33, no. 4, Article ID 1268777, 2007.