
JOURNAL OF LIGHTWAVE TECHNOLOGY, VOL. 23, NO. 2, FEBRUARY 2005, p. 655

Security Performance of Optical CDMA Against Eavesdropping
Thomas H. Shake, Member, IEEE

Abstract: Enhanced security has often been cited as an important benefit of optical CDMA (O-CDMA) signaling. However, the
quality and degree of security enhancement has not been closely examined in the literature. This paper examines the degree and types
of security that may be provided by O-CDMA encoding. A quantitative analysis of data confidentiality is presented for O-CDMA
encoding techniques that use both time spreading and wavelength
hopping. The probability of successful data interception is calculated as a function of several parameters, including signal-to-noise
ratio and fraction of total available system capacity. For reasonable choices of system and encoding parameters, it is shown that
increasing code complexity can increase the signal-to-noise ratio
(SNR) required for an eavesdropper to break the encoding by
only a few dB, while the processing of fewer than 100 bits by an
eavesdropper can reduce the SNR required to break the encoding
by up to 12 dB. The overall degree of confidentiality obtainable
through O-CDMA encoding is also compared with that obtainable
through standard cryptography. Time-spreading/wavelength-hopping in particular, and O-CDMA in general, are found to provide
considerably less data confidentiality than cryptography, and the
confidentiality provided is found to be highly dependent on system
design and implementation parameters.
Index Terms: Code division multiaccess (CDMA), communication system security, optical communication.

I. INTRODUCTION

Enhanced security is a frequently cited benefit of optical
CDMA (O-CDMA) signaling techniques, and is often said
to be inherent in the technology [1]-[5]. However, most of the
literature discussing O-CDMA security relies on rather intuitive
and imprecise notions of security, and few papers present any
quantitative analysis of the degree of security that can be expected from O-CDMA techniques. Those papers that do present
quantitative results often consider only the most rudimentary
kinds of attacks on security, such as brute-force code-searching,
neglecting more sophisticated attacks which are typically more
effective. A systematic analysis of the types and degree of security that might be available from O-CDMA has, so far, been
lacking in the research literature.
This paper sets a framework for the security analysis of communication waveforms and considers, within this framework,
the types of security that O-CDMA might provide. It then
presents a detailed theoretical evaluation of one specific type
of security, data confidentiality, that is provided by certain
representative types of O-CDMA signaling. This evaluation
includes quantitative results on the degree of confidentiality
that is provided. The degree of confidentiality obtainable by
O-CDMA techniques is also compared with that obtainable
from standard encryption techniques, which provide a familiar
and well-characterized benchmark of security.
The organization of this paper is as follows. Section II reviews some general principles of security analysis, and establishes assumptions for the analysis presented in the paper. Section III examines some basic security properties of O-CDMA
encoding techniques. Section IV presents eavesdropping strategies that will be used in the confidentiality analysis that follows.
Section V presents a quantitative analysis of the degree and type
of confidentiality that may be provided by time-spreading/wavelength-hopping encoding. Section VI discusses the results of
this analysis, considering practical implementation limitations
and comparing O-CDMA encoding with cryptography as a security technique. Section VII presents a brief set of conclusions.

Manuscript received May 10, 2004; revised September 9, 2004. This work
was supported by the Defense Advanced Research Projects Agency under Air
Force Contract F19628-00-C-0002. Opinions, interpretations, recommendations, and conclusions are those of the author and are not necessarily endorsed
by the United States Government.
The author is with the Massachusetts Institute of Technology, Lincoln Laboratory, Lexington, MA 02420-9108 USA (e-mail: shake@ll.mit.edu).
Digital Object Identifier 10.1109/JLT.2004.838844
0733-8724/$20.00 © 2005 IEEE

II. FRAMEWORK FOR SECURITY ANALYSIS
A. Types of Security
When evaluating the security of a communications technique,
it is important to define the type of security under consideration. Security in communications and computer networking is
traditionally divided into the categories of confidentiality, integrity, and availability [6]. O-CDMA could potentially provide
both confidentiality and availability protection. For example,
O-CDMA encoding could potentially enhance the availability
of a system by offering some degree of jamming resistance, because many of the O-CDMA techniques proposed in the literature involve significant spectrum-spreading of the transmitted
signals. Optical receiver structures differ from RF receiver structures. Consequently the degree and type of jamming protection that O-CDMA encoding can provide may differ significantly from the protection offered by traditional RF spread spectrum modulation [7]. O-CDMA encoding might conceivably
provide some degree of covertness of signal transmission, at
least for free-space optical transmissions. (Significant covertness is unlikely to be obtained through O-CDMA signaling in
a fiber-based transmission system, since an interceptor is likely
to be able to detect relatively high power levels propagating in
the fiber.)
While forms of security such as protection against jamming
and transmission covertness may be provided by some types of
O-CDMA encoding, it is data confidentiality that has been the
primary focus of published proposals for secure O-CDMA
(e.g., [3] and [4]). Furthermore, data confidentiality is probably
the best known and most commonly sought form of security in
communications. Therefore, the remainder of this paper focuses
on evaluating the degree of data confidentiality that may be provided by O-CDMA encoding techniques.
B. Evaluating Data Confidentiality
1) Classes of Data Confidentiality: In theory there are two
distinct classes of data confidentiality. The most confidential
communication systems are called unconditionally secure if
they are theoretically unbreakable even with infinite computational resources [8], [9]. While unconditionally secure systems
do exist, they are not practical for most applications. A system
is called computationally secure if it requires a sufficiently large
amount of computational resources, applied over a sufficiently
long time, to break. Most practical cryptographic systems (most
good ones, anyway) fall into this category. Within the class of
computationally secure systems there can be different degrees
of confidentiality. If one system requires a large amount of
computational resources running for one hundred years to break
and another requires only ten years to break using the same
resources, then clearly the system requiring the longer time to
break is preferable, all other factors being equal.
2) Assumptions in Confidentiality Analysis: The assumptions used in a security analysis can strongly affect the degree
of security that the analysis shows. The analysis in this paper
assumes that potential adversaries are technologically sophisticated, have significant resources, and know a great deal about
the signals being transmitted. (See [10, Ch. 2] for a discussion
of threat evaluation in the context of cryptography.) In particular, the eavesdropper knows what types of O-CDMA signals
are being sent: the data rate, the type of encoding, and the
structure of the codes, but not the particular code that an individual user employs. These assumptions are made because it is
reasonably easy for a user to change codes in the event his code
is compromised. However, the other parameters mentioned,
such as the data rates, the types of codes, etc., are difficult to
change quickly, and might even require a hardware/software
redesign of the communication equipment in the event that they
were found out by an adversary. Depending on the secrecy of
hard-to-change parameters for data confidentiality is poor security practice; one must assume, when doing a security analysis,
that an adversary knows them or may know them. These same
principles are applied in the analysis of cryptographic systems,
and are often stated in the form of Kerckhoffs' principle, which
essentially states that one should assume that the eavesdropper
knows everything about the cryptographic algorithm except for
the key that each user employs (see [10, p. 23]).
III. O-CDMA CONFIDENTIALITY BASICS
A. Code Space Size
It is worth briefly reviewing the basic reasons that lead to the
expectation that O-CDMA can provide some degree of data confidentiality. Each O-CDMA transmitter/receiver pair is assumed
to use a specific code. The receiver uses the exact knowledge of
the code to separate the transmission from other users transmitting on different codes and from random channel and receiver
noise. It is difficult for an eavesdropper to correctly demodulate
the O-CDMA signal without knowing the code being used, especially if there are multiple users transmitting simultaneously
on different codes. If an O-CDMA coding scheme that has a
very large number of possible codes could be developed, then
an eavesdropper would have to perform a brute-force search
through half of them, on average, before finding the proper code
to demodulate a given user's data.
Thus, the first measure of the degree of security potentially
available from O-CDMA encoding is the size of its code space
(the number of different codes that might be used by an individual user). This can vary greatly depending on the type of
O-CDMA and the parameters of the coding. Table I compares
the code space sizes of example codes taken from four common
categories of O-CDMA techniques. Code parameters used in
the examples were chosen in an attempt to represent challenging, but potentially implementable codes for high data rate
transmission. However, detailed consideration of the feasibility
of implementing these types of codes is beyond the scope of
this paper. It should also be noted that the different categories
of codes considered here require different transmission bandwidths, have different cross-correlation properties, and may
have differing implementation complexities. The comparison
here focuses only on security properties.
The first category shown in Table I, time-spreading codes
(using a single wavelength), contains codes such as optical orthogonal codes [11], prime codes [12], and EQC codes [13].
These codes all have relatively small code spaces for a given
code length (see footnote 1), and are not likely to produce large enough code
spaces to deter brute-force searching techniques for feasible implementations at high data rates (e.g., 1 Gbits/s and above).
The second category, time-spreading/wavelength-hopping
codes, can be viewed as an extension of time-spreading codes
into two dimensions (time and wavelength), and can also be
viewed as an analog to RF frequency-hopping [14]. These
codes can be designed to have a very much larger code space
size than the one-dimensional time-spreading codes (see [3],
for example). The resulting code space sizes can be large
enough to prevent a brute-force code space search from being
successful in any reasonable amount of time [3]. For example,
for 30 wavelengths and 1000 time slots, a code space size on
the order of possible codes can be obtained.
The third and fourth categories in Table I represent spectral
encoding techniques: spectral amplitude encoding and spectral phase encoding, respectively. Spectral amplitude encoding
[15] relies on code sequences with particular properties to maintain a reasonable degree of orthogonality among different users'
coded signals. The spectral amplitude codes in [15] require either Hadamard sequences or maximal length sequences (m-sequences) as their basis, and these codes are still fairly limited
in code space size. While time spreading codes may be implemented with code lengths in the thousands or even tens
of thousands, depending on the data rate, implementation constraints for spectral coding masks limit feasible codes to lengths
of a few hundred or so. For a code length of 511 amplitude mask
elements, one can calculate that there are 48 different m-sequences that could be used as codes [17], and each of these sequences can be shifted by one or more code elements to produce a distinct code. This produces a maximum of about 25 000
(48 × 511) possible codes. This is a considerably larger code
space than that produced by most time-spreading codes, but still
quite small compared with time-spreading/wavelength-hopping
codes.

Footnote 1: Code length, for these codes, is defined as the total number of code chips per
information bit.

TABLE I
CODE SPACE SIZE FOR FOUR CATEGORIES OF O-CDMA CODING

Spectral phase encoding has similar code mask implementation constraints to spectral amplitude encoding. However,
analysis has shown that spectral phase encoding may be able
to support a reasonably large number of simultaneous users
at low bit-error-rates (BERs) by employing code word sets
that are chosen randomly [16]. Unlike time-spreading/wavelength-hopping codes, the number of ones and zeros in a
spectral phase code does not affect the amount of energy in the
transmitted signal, and hence does not affect the power balance
among a group of users. Thus, a central controller choosing
codes to assign to a group of, say, 100 users could choose
100 different random combinations of the code elements
in a spectral phase encoder, and each user would be assigned
one of these codes. Performance calculations in [16] show
that, on average, a reasonably large number of simultaneous
users can be supported with randomly chosen code word sets.
These calculations apply to average performance, though, and
it should be noted that a large portion of the many possible
code sets chosen randomly might have well below average
BER performance. In theory, though, a central controller could
select a set of randomly chosen codes for some desired number
of users, and could then pseudorandomly refine the set of codes
by discarding certain codes of the chosen set and randomly
choosing replacements until the overall performance of the
code set met the desired BER specifications. (This procedure
might be highly processing-intensive, and might need to be
pre-calculated before network operations begin.) The resulting
set of codes would still appear random to an eavesdropper
trying to guess which individual codes had been selected, and
he would thus have to search a large fraction of the code space
before being successful. Random code choice allows the code
space to be very large indeed, with a 511 element phase mask
generating possible codes.

Fig. 1. Linear system modeling of O-CDMA transmitter.

Time-spreading/wavelength-hopping codes and spectral
phase codes appear to be two of the most promising code types
for generating code spaces that are large enough to prevent
successful brute-force code search attacks. However, a very
large code space is necessary, but not sufficient, for good data
confidentiality, as subsequent sections of this paper will show.
B. Code Interception
Brute-force searching for an individual user's code is a very
inefficient attack strategy whenever the code space is large. Intelligent eavesdroppers will seek other forms of attack if they
are available. For most, if not all, O-CDMA techniques currently described in the literature, there is indeed another, more
efficient, form of attack. This attack is based on the observation
that many O-CDMA transmitter designs regularly broadcast the
very thing that is the key to keeping the user's data confidential:
the code word itself. An intelligent eavesdropper can design
a listening device to detect this code word. Once a user's code
word is detected by the eavesdropper, the eavesdropper has free
access to the user's data until the user's code is changed.
Consider the modeling of an O-CDMA transmitter. Most
every form of O-CDMA encoder in the literature, as far as
this author is aware, can be modeled as a linear time-invariant
(LTI) system for at least some finite time that is large compared
with the code duration, as illustrated in Fig. 1. When driven
by an optical input waveform, the output of the encoder
can be modeled as the convolution of the impulse response
of the encoder with the input waveform. (Alternatively, the output can
be modeled in the frequency domain by the multiplication of
the Fourier transforms of the input waveform and the impulse
response.) If an eavesdropper can observe the transmitted
waveform in the channel, and if he knows the form of
the input waveform, he can use standard linear system
analysis to solve for the impulse response of the encoder (or
its Fourier transform, the transfer function). This reveals the
code being used. Even if a transmitter's code is reconfigured
frequently, the encoder can still be modeled as a piecewise LTI
system, with linear analysis techniques being applicable during
the period between code changes.
Using an LTI transfer function to encode data thus presents
a fundamental security problem. There are three possible approaches to solving this problem. The user could try to keep the
input waveform secret, preventing an eavesdropper from
being able to solve for the code even with accurate observations
of the output waveform. However, this solution violates
Kerckhoffs' principle (Section II): if the input waveform were
ever compromised, it would need to be changed to make the
system secure again, and this would probably be fairly difficult.
It is more realistic to assume that an interceptor knows the input
waveform(s) being used.
A second approach is to try to make it very difficult for an
eavesdropper to accurately detect the transmitted waveform in the channel, thus
making it difficult for him to accurately solve for the code.
This can be attempted by transmitting signals of relatively
low power, making it difficult for an eavesdropper to attain
sufficient signal-to-noise ratios to make accurate channel measurements. The eavesdropper's ability to solve for the code can
also be decreased by increasing the code complexity, which
can decrease the eavesdropper's signal-to-noise ratio per code
element. With this overall approach, the eavesdropper's ability
to solve for the code can be determined by classical detection
theory [18]. The degree of confidentiality produced by this
approach will depend on the SNR that an eavesdropper can
attain when attempting to detect the user's coded signals.
A third approach is for each transmitter to change its code
very frequently, more frequently than an eavesdropper could
detect the channel waveform and solve for the code. This approach may be combined with the previous approach of minimizing transmitted power. The required rate of code reconfiguration depends on the time required for an eavesdropper to accurately detect the channel waveform and solve for the code.
This time depends, in turn, on the SNR that the eavesdropper
is able to obtain, and on the code complexity. The effectiveness
of code reconfiguration thus depends on how difficult the transmitter can make it for the eavesdropper to detect codes by observing the channel. The remainder of this paper concentrates
on evaluating this degree of difficulty.
IV. O-CDMA EAVESDROPPING STRATEGIES
A. Signal Tapping
An eavesdropper in an O-CDMA network may tap signals
from various locations within the network. He may commandeer
an authorized user terminal, or may tap signals from network
fibers. For the purposes of code interception it is advantageous
to tap isolated user signals, avoiding the multiple user interference (MUI) that is characteristic of CDMA systems. Since each
authorized terminal in an all-to-all O-CDMA network receives
signals from all transmitters simultaneously (as shown in Fig. 2
for a broadcast star topology), commandeering an authorized
user terminal does not give an eavesdropper an isolated signal
for code interception. If the eavesdropper is interested in a specific, identifiable user, tapping a fiber in the network infrastructure is more advantageous for the eavesdropper, since it can give
the eavesdropper access to the isolated user signal. For example,
as Fig. 2 shows, a typical broadcast star LAN carries individual
user signals over approximately 50% of its total fiber length (the
user-to-star coupler links). Even if a single fiber is used to connect each user to the star coupler (implying bidirectional signal
propagation in the fiber), fiber taps can easily separate signals
propagating in opposing directions. This gives an eavesdropper
much opportunity to tap into individual user signals.

Fig. 2. Potential locations for taps that allow an eavesdropper to isolate individual user signals.

B. Vulnerability of On-Off Keyed O-CDMA
The majority of published O-CDMA techniques rely on
on-off keying (OOK) for data modulation [1]. Typically, a
coded transmission is sent during a bit interval to represent a
one, and no energy is sent during a bit interval to represent
a zero. While this allows the implementation of relatively
simple optical transmitters and receivers, it is also highly
vulnerable to relatively simple eavesdropping techniques. As
has been noted in [5], if an eavesdropper can isolate individual
users' signals as in Fig. 2, he can use a simple energy detector
to detect whether energy is present or not in each bit interval.
(Acquiring bit interval synchronization from a coded OOK
stream should be fairly straightforward given knowledge of the
data rate and type of encoding, although the accuracy of synchronization would depend on the SNR at the eavesdropper's
receiver.) In this case, there is no need for the eavesdropper
to break the coding scheme or steal the code; the energy
detector output contains the user's data stream.
There are several possible solutions to this problem. First,
vulnerable fibers could be physically made secure against tapping, or each user's data could be encrypted. However, neither of these solutions has anything to do with O-CDMA techniques; O-CDMA security might not be necessary at all if they
were used. Since this paper deals with the strength of O-CDMA
encoding, these solutions will not be considered.
A workable solution that relies solely on the properties of the
encoding would be to either use a constant envelope modulation technique such as phase shift keying (PSK), or to force the
modulation technique to send a constant amount of energy for
each transmitted bit by transmitting one code sequence for a
one and a different code sequence for a zero. We will call
this latter approach 2-code keying. 2-code keying would require
distribution of twice as many codes for a given set of users. It
would produce significantly more MUI for a given number of simultaneous transmitters compared with OOK-based O-CDMA,
although it would also increase the receiver's average energy
per data bit, since energy would be transmitted for both zeros
and ones. It would work with most proposed O-CDMA technologies, and would remove the vulnerability to eavesdroppers
with simple energy detectors.
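
The contrast between OOK and 2-code keying against a code-blind energy detector can be checked with a short simulation. This is an added example, not code from the paper; the chip-level signal model, the code length and weight, the noise level and all function names are assumptions chosen for illustration.

```python
import random

N_CHIPS = 64        # code length in chips per data bit (assumed)
WEIGHT = 8          # pulses per code word (assumed)
NOISE_SIGMA = 0.05  # per-chip Gaussian noise at the tap, a high-SNR case (assumed)


def make_code_pair(rng):
    """Two random unipolar codes of equal weight with no shared pulse positions."""
    positions = rng.sample(range(N_CHIPS), 2 * WEIGHT)
    code_one = [0] * N_CHIPS
    code_zero = [0] * N_CHIPS
    for p in positions[:WEIGHT]:
        code_one[p] = 1
    for p in positions[WEIGHT:]:
        code_zero[p] = 1
    return code_one, code_zero


def transmit(bits, code_one, code_zero, rng):
    """Chip samples on an isolated user fiber, one frame per data bit.

    code_zero=None models OOK: nothing is sent during a zero bit.
    """
    silent = [0] * N_CHIPS
    frames = []
    for bit in bits:
        if bit:
            chips = code_one
        else:
            chips = silent if code_zero is None else code_zero
        frames.append([c + rng.gauss(0.0, NOISE_SIGMA) for c in chips])
    return frames


def energy_detector(frames):
    """Observer without the code: energy per bit interval, midpoint threshold."""
    energies = [sum(x * x for x in frame) for frame in frames]
    threshold = (min(energies) + max(energies)) / 2
    return [1 if e > threshold else 0 for e in energies]


def correlation_receiver(frames, code_one, code_zero):
    """Authorized 2-code receiver: pick the code word that correlates best."""
    decisions = []
    for frame in frames:
        c1 = sum(x for x, c in zip(frame, code_one) if c)
        c0 = sum(x for x, c in zip(frame, code_zero) if c)
        decisions.append(1 if c1 > c0 else 0)
    return decisions


def accuracy(decided, sent):
    """Fraction of bit decisions that match the transmitted bits."""
    return sum(d == s for d, s in zip(decided, sent)) / len(sent)


def run_experiment(n_bits=2000, seed=1):
    """Compare what each receiver recovers from the same constructed bit stream."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    code_one, code_zero = make_code_pair(rng)
    ook = transmit(bits, code_one, None, rng)
    two_code = transmit(bits, code_one, code_zero, rng)
    return {
        "ook_energy_detector": accuracy(energy_detector(ook), bits),
        "two_code_energy_detector": accuracy(energy_detector(two_code), bits),
        "two_code_authorized_rx": accuracy(
            correlation_receiver(two_code, code_one, code_zero), bits),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name}: {value:.3f}")
```

An accuracy near 0.5 for the energy detector under 2-code keying means its output carries no information about the data, while the receiver that holds both code words still recovers every bit.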
(This approach can be generalized by assigning code
words to each user and having each user transmit one code word
for each data bits, which denies the eavesdropper the ability
to detect data using a simple energy detector. Choosing
may make the eavesdropper's task slightly more complicated, as
discussed in Section V.B, though a full analysis of the trade-offs
involved is beyond the scope of this paper.)
Some form of constant energy-per-bit modulation is necessary if O-CDMA is to provide significant confidentiality for an
individual user. However, while it is necessary, such modulation
is not sufficient for complete confidentiality. Eavesdroppers may
mount other, albeit more difficult, attacks, such as trying to intercept the transmitted code words themselves. The next section
presents an analysis of the effectiveness of this type of attack.
V. QUANTIFYING O-CDMA CONFIDENTIALITY
A. Code Word Interception
Detecting exactly which code word a particular transmitter
is using would allow an eavesdropper to demodulate all of that
transmitter's data until the code word were changed. Since most,
if not all, currently proposed O-CDMA coding structures can be
modeled by LTI transfer functions, as discussed above, an eavesdropper could (theoretically, at least) detect the coded transmissions of a particular user and derive the code from this information. This type of attack is quite general in its applicability
to various types of O-CDMA encoding; the author is unaware
of any type of O-CDMA encoding to which it would not apply.
Therefore, quantifying the effectiveness of this type of attack
yields information with broad implications for the security of
O-CDMA.
The exact techniques required for code detection depend on
the type of code being transmitted; therefore it is necessary to
choose a particular type of code to quantify the effectiveness
of this type of attack. This section examines the detection performance of one of the most promising classes of O-CDMA
encoding for providing confidentiality: time-spreading/wavelength-hopping encoding [3], [14]. (We consider time spreading
encoding on a single wavelength [11], [19] as a special case
of time-spreading/wavelength-hopping.) A separate paper will
deal with an analysis of the confidentiality performance of spectral encoding techniques, particularly spectral phase encoding
[29].

Fig. 3. Simplified time-spreading encoded waveform (single wavelength).

The analysis presented here treats the eavesdropper's code
interception problem as a problem in classical detection theory
[18]. The eavesdropper taps a coded transmission of a particular
user and performs the necessary calculations to derive the transmitter's code word from these transmissions. The resulting code
will have some probability of error, which will depend strongly
on the signal-to-noise ratio at the eavesdropper's receiver.
This analysis is primarily theoretical, and assumes idealized
transmission components (e.g., fiber, couplers, and receiver
components). Receiver implementation losses are also not
modeled. The results described thus represent a near worst
case performance assessment, although a slightly suboptimum
receiver structure is analyzed because of its higher likelihood
of implementation.
We now consider the structure of a code intercepting receiver
for time-spreading/wavelength-hopping encoding. Consider
first the case of time-spreading on a single wavelength. Fig. 3
shows a simplified depiction of a time-spreading encoded
signal. Each data bit to be encoded is divided into possible
code chips, W of them containing an energy pulse for any
given code. (W is the weight of the code, and is the length.)
Each code pulse contains energy E. Thus, the total energy
transmitted per data bit is WE.
In theory, an eavesdropper can use a receiver that is highly
similar to a radar receiver to intercept this type of signal and
determine the code. The eavesdropper can divide each data bit
duration into time intervals, or bins (Fig. 3), and determine
whether an energy pulse is present or not in each one. This can
be done by implementing a filter that is matched to an individual
code pulse and sampling the output of the filter once per time
bin. The performance of this type of receiver can be determined
using the mathematics of classical radar detection theory (see,
for example, [18] and [20]).

Fig. 4. Coherent receiver with matched filter for code interception.

Fig. 5. Envelope detector structure for code intercepting detector.

The optimum implementation of this type of receiver would
be a coherent detection receiver and an exact matched filter, as
shown in Fig. 4 (see [24, pp. 257-262]), where the matched filter
can be implemented by the combination of the bandpass and
lowpass filters illustrated. However, a simpler and more likely
implementation would be an optical amplifier, followed by an
optical filter that is approximately matched to the code pulses,
with a square law envelope detector such as a photodiode used
to detect the output of the optical matched filter [21], [22], [24].
The output of the electronic detector is then time sampled. Such
a code interceptor is shown in Fig. 5.
This code interception strategy generalizes to time-spreading/wavelength hopping coding in a straightforward
way. Given a code using time chips and wavelengths,
the receiver structure in Fig. 5 can be replicated times. If
is too large for this to be practical, a reasonable number
of wavelength channels can be implemented and scanned
sequentially over the different wavelength bands covered by
the coded signal. This would produce a tradeoff between the
number of wavelength channels implemented in the code intercepting receiver and the time required to detect the code with a
given degree of statistical reliability. (The statistics of reliable
detection are quantified later.)
We assume for the purposes of security performance calculations that the eavesdropper is able to synchronize to the transmitted signal. Given synchronization, the eavesdropper can then
locate the beginning and end of a data bit, and can sample the
detector output precisely at the end of each code chip time. This
assumption is not strictly necessary for either the operation or
the analysis of the code intercepting detector. It is made because
it is the worst case assumption from a security perspective (it
yields the best possible performance for the eavesdropper), and
it is better to overestimate an eavesdropper's capability than to
underestimate it. In reality, an eavesdropper will not have perfect
synchronization with the transmitted signal, and some performance loss will result. However, it is quite plausible, especially
under high SNR conditions, that an eavesdropper could attain
reasonably accurate code chip synchronization by correlating
the pulse stream with a replica of an individual pulse. Data bit
synchronization should also be fairly easy to attain if the transmitter is using OOK O-CDMA, and could probably be attained
by processing multiple bits of a non-OOK encoded stream.
The figure of merit that will be used here for code interception performance calculations is the probability that the eavesdropper can detect the user's entire code word with no errors,
denoted by . This probability will depend on the type
of detection processing and on the amount of time the eavesdropper observes the user's signal for each detection; it can be
calculated from two quantities that are staples of classical detection analysis: the probability of missing a transmitted pulse
in a given time bin, and the probability of falsely detecting
a pulse in a bin where none was transmitted. If the code
interceptor makes a code word decision based on observing the
transmitted signal for a single data bit interval, the overall probability of error-free code word detection is given by
(1)
The first term represents the probability of not missing any of
the pulses that are transmitted during a data bit. The second
term is the probability of not falsely detecting pulses in any of
the time bins where pulses are not transmitted
during a data bit.

These two probabilities are determined by the SNR at the eavesdropper
and by the eavesdropping detector's performance in noise. Assuming that the dominant form of noise can be modeled as additive white Gaussian noise, the EDFA/optical matched filter receiver structure in Fig. 5 can be shown to give [22]
(2)
(3)
where is the ratio of the peak pulse energy to the noise
power spectral density, is the detection threshold, and
is the Marcum Q-function defined as [23, p. 147]
(4)
where denotes a zeroth order modified Bessel function of
the first kind.

Fig. 6. Code intercepting detector performance curves for coherent detection and optical matched filter with envelope detection.

Fig. 6 plots versus for a time-spreading/wavelength-hopping code and for both this type of receiver and the coherently detected matched filter receiver. (Derivation of the performance of the coherent receiver with matched filter detection can be found in standard texts [24], [25], [18]). The code parameters used for this sample calculation were , and , and , corresponding to a prime hop code with 961 time slots and 31 wavelengths [28], for example. Note that the numerator in the plotted here refers to the energy in an individual code pulse, not the energy received during an entire data bit. In both the cases plotted, the eavesdropper is assumed to be able to set the detection threshold to its optimum value. This requires knowing or estimating such parameters as , and the SNR; the optimal threshold at each SNR value for the envelope detector was determined by a search algorithm for these calculations. As the figure shows, the loss in performance of the optical matched filter with envelope detection relative to the optimum coherent matched filter detection is relatively small, especially at higher SNRs.
The basic form of the result shown in Fig. 6 has strong implications for the degree of confidentiality that may be attained by
O-CDMA encoding. (While the results in Fig. 6 are for a particular type of time domain encoding with certain coding parameters, the same general results can be shown for different
types of O-CDMA encoding [29].) Since the eavesdropper's
ability to correctly detect user code words is strongly dependent
on the SNR at the intercepting receiver, it follows that the degree of confidentiality provided is also a strong function of this
SNR. Since the eavesdropper's SNR is a function of a number
of system design and operation parameters, this means that the
degree of confidentiality provided by O-CDMA techniques will
also be a function of these system design and operation parameters.
Since the degree of confidentiality of user data is dependent
on the SNR at the eavesdropper, it is important to quantify how
low this SNR could be made through intelligent system design.
This design is not completely straightforward, though, because
it must involve a tradeoff between communication performance
and confidentiality for the authorized users. This can be seen as
follows.
In CDMA networks (optical or electronic), the total number
of simultaneous users that can be supported with acceptable
BER performance is typically limited by interference among
the user signals, rather than by receiver noise. Assuming that
all users transmit at the same data rate, the total system data
carrying capacity is proportional to the maximum number of
simultaneous users the system can support. A theoretical maximum number of simultaneous users can be calculated by assuming that receiver noise is negligible compared to the MUI in
BER performance calculations. (This maximum number of simultaneous users is primarily a function of the type of encoding,
which determines the degree of orthogonality among different
codes; see, for example, [11], [16], and [19].) By specifying a
maximum acceptable BER and a particular type of encoding,
one can calculate a specific maximum number of simultaneous
users, and hence, the total capacity of the network.
To improve security in the network, the system design should
minimize the amount of energy that an eavesdropper can receive by tapping fiber signals. This requires that each transmitter
minimize the power it sends into the network. This minimization cannot be done without affecting the BER performance
of the system, however. An authorized receiver's BER performance will be a function of the received SNR. The authorized
receiver's SNR is given by
(5)
where represents the total noise spectral density contribution of the MUI and represents the spectral density of the receiver noise2. is proportional to both the number of active transmitters and to the transmitted power of each user (we assume all users transmit equal powers, when transmitting), while is fixed for a given receiver implementation.

2 Strictly speaking, the spectral densities and exist only for wide-sense stationary noise processes, and are, in general, functions of frequency. The heuristic explanation given here assumes the noise processes may be approximated by white Gaussian noise, in which case and may be treated as constant scalar values. See [25] for more details.


Consider the situation with the theoretical maximum number of simultaneous users all transmitting. If is negligible compared to , the resulting SNR at an authorized user's receiver will be sufficient to maintain the specified BER. If each transmitter reduces its power level sufficiently to increase confidentiality, though, will also be reduced and will become significant compared to . While the ratio will remain constant no matter what power level each user transmits, the ratio is what determines BER, and this will be reduced, increasing the BER. If the transmitted power is reduced arbitrarily, the only way to keep the BER from exceeding a specified value is to reduce the term as well (again assuming is fixed by the implementation). The only way to do this is to reduce the number of active users. Thus the total number of simultaneous users that can be supported at a specified BER must be reduced to allow each transmitter to reduce its power level.
Using certain modeling approximations, Appendix A quantifies the aforementioned argument, and derives the relationship between required user SNR and the eavesdropper's available SNR per code chip as
(6)
In this equation, is the eavesdropper's fiber tapping efficiency, is the number of taps in the broadcast star coupler that distributes user signals, is the ratio of the eavesdropper's receiver noise density to the authorized users' receiver noise density, is the authorized user receiver's multichip energy combining efficiency, is the maximum theoretical number of simultaneous users at a specified maximum BER, is the required user SNR (per data bit) to maintain the specified BER, is the actual number of simultaneous users supported, and is the eavesdropper's effective SNR per code chip.
Equation (6) represents a fundamental, if approximate, relationship between the total system data capacity and the SNR that an eavesdropper may obtain using a code detector of the type shown in Fig. 5 for time-spreading/wavelength-hopping O-CDMA. Analysis of this equation provides a great deal of insight into the limitations on attainable confidentiality of this type of O-CDMA encoding, and on the tradeoff between system data capacity and confidentiality. Since (1)-(3) establish that the degree of confidentiality is a strong function of the eavesdropper's SNR as represented by , any of the factors in (6) that change this SNR will affect confidentiality.
The factors in the first set of brackets in (6) can all cause a direct increase or decrease in this SNR and a corresponding decrease or increase in confidentiality. Confidentiality is decreased by an increase in the eavesdropper's tapping efficiency; by an increase in the number of taps in the star coupler (which reduces the fraction of transmitted power that reaches each authorized user and requires each user to transmit more power); or by a decrease in the eavesdropper's receiver noise level relative to the authorized users' receiver noise level. Confidentiality is increased by an increase in the combining efficiency of the user receivers (allowing an overall decrease in transmitted user power to maintain an acceptable BER); or by an increase in the weight of the code words (which divides the energy per bit into more, hence lower energy, code pulses). Equation (1) also implies a further increase in confidentiality if the length of the code, , is increased.

Fig. 7. Approximate tradeoff between system data capacity and confidentiality.

The second bracketed term in (6) relates to the trade between confidentiality and system capacity. As the number of active users approaches the maximum theoretical number of simultaneous users of the system , this term increases without bound, implying very high SNRs for the eavesdropper. Conversely, when only a single user is allowed , the eavesdropper's SNR is minimized, but at the expense of system capacity, assuming fixed BER performance.3
Finally, the third bracketed term in (6) shows that confidentiality can be increased by decreasing the SNR required by the authorized users for acceptable BER performance. Confidentiality can be increased by allowing a higher BER. For a fixed BER specification, however, can still be decreased by using error correcting coding on user transmissions and by using the most power-efficient modulation technique possible. (Both power-efficient modulation and error correction coding are typically used in cellular telephone CDMA systems [26], [27].)
Fig. 7 shows an example of confidentiality performance versus system capacity for a straw man set of system design parameters. It plots the eavesdropper's approximate probability of error-free code detection (integrating signal energy over one data bit period) versus the fraction of theoretical system capacity, , that can be attained for a specified maximum BER.
The straw man design specifies 100 potential users connected to a broadcast star network with taps. The users each employ time-spreading/wavelength-hopping codes with timeslots, wavelengths, and code pulses per data bit. These parameters would be produced by a 31, 31 Prime Hop Code as specified in [28], although they may apply to other types of codes as well. Users are assumed to use incoherent detection, modeled here by assuming that each code pulse is optically matched filtered and envelope detected (much as in Fig. 5), and combined after the envelope detection. The resultant incoherent combining of 31 code pulses produces a combining efficiency of approximately (see [23, p. 178]). The maximum acceptable system BER is assumed to be . Error correction codes used in commercial high-rate optical telecommunication equipment can produce this BER with a raw detector BER of approximately . An optical matched filter receiver followed by envelope detection theoretically requires a (peak) SNR of dB [22] to produce the required raw detector BER of . The eavesdropper for this example is assumed to tap one percent of the energy from a fiber carrying a single user signal, and to have a receiver that is equal in sensitivity to the authorized users' receivers .

3 If the number of active users exceeds the number calculated by (6), the BER must go above the specified maximum for all active users, or else each user must transmit more power, raising the eavesdropper's SNR.

The solid curve, labeled "baseline example," shows the performance of the straw man system. For this particular example, if the authorized users transmit sufficient power so that 95% or more of the theoretical system capacity is attained, the eavesdropper has a high enough SNR to detect the code without errors with a probability of virtually one. To reduce the eavesdropper's probability of effectiveness below , for example, each user must reduce its transmit power to the extent that only about 75% of the theoretical system capacity can be attained.
Variations in system design parameters can strongly affect this performance trade, as shown by the other three curves in Fig. 7. A change in any combination of the factors in the first bracket of (6) can result in a higher or lower SNR for the eavesdropper. If, for example, the eavesdropper's receiver is 3 dB more sensitive than the authorized users' receivers (i.e., ) then the dotted performance curve (baseline 3 dB) in Fig. 7 is obtained. If, in addition, the eavesdropper taps the fiber with 2% efficiency rather than 1%, then the dash-dotted curve (baseline 6 dB) is obtained, and so on.
Depending on the type of encoding that is used, an eavesdropper may be able to improve on the performance specified by (1)-(3) and (6), and illustrated by Figs. 6 and 7. Most encoding schemes for O-CDMA use code words that are relatively far apart in Hamming distance; this allows relatively good orthogonality properties among multiple users transmitting simultaneously. However, if the eavesdropper knows the structure of the code (e.g., that Prime Hop Codes are being used), then an intercepted code word, which may contain detection errors, can be compared with the set of allowable code words. The allowable code word nearest in Hamming distance to the intercepted code word would then be chosen. In this case, the coding structure, designed primarily for good orthogonality properties, will function much like an error-correcting code for the eavesdropper, possibly allowing the eavesdropper to take an intercepted code word with errors and correct the errors. Calculating the degree of improvement in the eavesdropper's ability to intercept code words through this technique is beyond the scope of this paper; still, the better the orthogonality properties of the encoding scheme, the larger the minimum Hamming distance between the codes is likely to be, producing a greater potential improvement in interception performance by making use of the code structure in the interception process. This performance improvement is, of course, only obtainable when the eavesdropper knows the set of allowable code words, as in well known codes with well-established structures. If a completely random coding scheme were employed, where any possible combination of code chips could represent a user's code word, then an eavesdropper could not improve its interception performance in this way. In time-spreading/wavelength-hopping coding schemes, however, such random coding would lead to variable weight codes, which is problematic for maintaining good cross-correlation properties among multiple user codes. (Random codes are more feasible with encoding schemes such as spectral phase encoding [16].)
B. Multiple Bit Combining
A further, and more dramatic, improvement in the eavesdropper's code interception performance can be obtained by processing and combining code transmissions from multiple data bits. The eavesdropper can use exactly the same detector structure as shown in Fig. 5 (with multiple channels if ), but can accumulate samples in each of bins (Fig. 3) over multiple data bits. (There will be total bins if .) The eavesdropper must maintain bit synchronization so that the same bins can be sampled repeatably on multiple data bits, but this has already been assumed for the worst-case scenario analysis.
The case of greatest interest for multiple bit combining
is where the transmitter uses 2-code keying, as described in
Section IV.B. Accumulating multiple bits from a 2-code keyed
O-CDMA data stream using time-spreading/wavelength-hopping encoding produces the superposition of the two code
words C1 and C2 in the eavesdropper's detector. Since the
codes are designed to be as mutually orthogonal as possible, it
is almost certainly possible for most codes to separate the two
individual code words from their superposition. For example,
it is quite simple to examine the superposition of two Prime
Codes and determine the individual code words, especially if
the two code words are synchronized in time (see examples on
[12, p. 46]). Note that the eavesdropper's detected superposition
of C1 and C2 will always be synchronized if they are from a
single transmitter using 2-code keying and the eavesdropper
has attained bit synchronization.
(If 2-code keying is generalized so that each user transmits one of code words for each data bits, as mentioned in Section IV.B, the eavesdropper's task can be made a bit more complicated. Choosing forces the eavesdropper to separate several code words from a single multiple bit receiver detection rather than just two. Nevertheless, assuming that the eavesdropper knows the general structure of the codes in use, separation of multiple codes is almost certainly still possible in theory. A number of variables affect a trade-off analysis of the security of such a scheme, such as the increased energy per code word that must be transmitted to maintain an acceptable BER with multiple bit encoding, the increased number of code words that must be assigned to each user, etc. A full analysis is beyond the scope of this paper; here, we calculate the performance for the example case of .)
The eavesdropper's detection performance against a 2-code keying transmitter is derived in Appendix B, which shows that the overall probability of error-free code word detection by an eavesdropper combining the energy from data bits can be approximated, for reasonably large , by
(7)
where is the normalized cross-correlation between different code words (i.e., the number of bins where pulses from two code words overlap), and and are given by
(8)
and
(9)
and where is the Generalized Marcum Q-function, defined as [25, p. 44]
(10)
and where denotes an th-order modified Bessel function of the first kind.

Fig. 8. Eavesdropper's detection performance for two different codes. Example parameters are the same as those used for Fig. 7.

These results are illustrated in Figs. 8 and 9. Fig. 8 shows the eavesdropper's detection performance against two different codes as a function of its SNR. (Values of that produce negligibly small values of are included in this graph to illustrate the large degree of improvement that can be obtained by combining relatively few bits, as discussed in the next paragraph.) Both curves use all the same parameters as the straw man design example illustrated by the baseline performance curve in Fig. 7. The solid line in Fig. 8 uses the same code used in the straw man example, i.e., , and . The dashed line assumes a more complex (and more difficult to implement) code using , and . When the more complex code is used, the user must combine 101 separate detections (incoherently, we assume) and thus the user combining efficiency factor decreases to about 15%. The more complex code improves confidentiality performance by requiring the eavesdropper to attain a higher SNR to attain a given level of code detection performance.

Fig. 9. Performance of multiple bit combining eavesdropper against two types of codes.

Unfortunately, this improvement in confidentiality can be overcome by the eavesdropper (at least in theory) by multiple bit combining, as shown in Fig. 9. Fig. 9 assumes that the eavesdropper is able to obtain an SNR of dB, which renders its probability of correctly detecting the code word using a single data bit negligibly low for either code shown in Fig. 8. By combining the energy from less than 100 bits, however, the eavesdropper can attain a probability of error-free code word detection of essentially unity, even for the more complex code.
The results in Fig. 9 are approximate (see Appendix B), although these results can, in theory, be attained when the number
of ones transmitted by the user during the eavesdropper's collection interval is exactly equal to the number of zeros transmitted in the same interval. The larger the number of bits combined, the more likely this is to be true, and the closer the approximation. Thus Fig. 9 should give a reasonable, if somewhat
optimistic, estimate of the code interception performance that
could be attained by an eavesdropper with an ideal detector implementation.
Table II summarizes the results from this section. It lists the values of per code chip required at the eavesdropper to attain for codes of different complexities and for different levels of bit combining.
C. Code Detection With Multiple User Signals
The preceding analysis has assumed the best case for the eavesdropper (and worst case for the targeted user). The eavesdropper simply pulls off a small fraction of the user signal. The following analysis is for a slightly different problem where the eavesdropper receives all of the O-CDMA signals simultaneously. One might think that the obscuration of the targeted signal in this scenario would significantly increase the level of confidentiality. However, the resulting degree of confidentiality is not as high as it may first appear, as can be seen from the following analysis.
Consider an eavesdropper that only has access to fibers containing the superposed signals from all active users. This would be the case if the eavesdropper commandeered an authorized user terminal, as shown in Fig. 10.

TABLE II
REQUIRED E/N PER CODE CHIP FOR P = 0.9

Fig. 10. Eavesdropping with multiple user signals.

A key observation is that if at any time there is only one user transmitting, then the eavesdropper can use exactly the same code detection techniques described in previous sections. Thus user transmissions are only confidential if there are always other signals being transmitted simultaneously.
The situation is even less secure if transmissions use on-off keying. For on-off keying, at any given time, it is possible that one user will transmit a one (using its code word) and all other users will transmit zeros (no energy). During this time, an eavesdropper can effectively isolate the signal of the one user transmitting and use the same techniques described above. Furthermore, the eavesdropper could easily monitor the overall power level received on each bit to estimate when a single user is transmitting energy, since the level of energy in the channel is directly proportional to the number of users. (In a broadcast star topology, power is likely to be controlled to achieve roughly equal powers among users at the input to the coupler. If this is not the case, an eavesdropper could still monitor overall power and attempt detections when relatively low total power is detected. Some of these detections may contain multiple signals, but these could be tested and discarded, and the remaining detections would still contain valid code words for a single user.)
This situation is simple to quantify. Consider a number of simultaneous transmissions, , each of which is O-CDMA encoded and modulated using OOK. Each operates at data rate bits/s. The simpler calculation is when all users transmit synchronously (i.e., the beginning and ending time for transmission of each bit is the same for all users). In this case, assuming equally likely ones and zeros, the probability that a specific user transmits a one during a given bit period is , and the probability that all other users transmit zeros during the same bit period is . Assuming that the value of each data bit is independent of other data bits and independent of other users' bits, the probability that a specific user transmits a one while all others transmit zeros on any particular bit is simply the product of these two probabilities, or . Thus, for each user, the expected amount of time that the eavesdropper must wait between isolated transmissions of that user's code word is .
A similar calculation can be done for nonsynchronized user transmissions. In this case, when one user transmits a one, all other users may transmit fractions of two consecutive bits during the transmission time of the one bit due to the lack of synchronization among users. For the eavesdropper to isolate a single user, the other users must each transmit two consecutive zeros during the period of overlap with the single user's one bit. At any given point in time, the probability that a single user will be transmitting a one is , and the probability that all other users transmit zeros for the two overlapping bits is . The probability of these two events occurring simultaneously is the product of these two probabilities, or , and the expected time that an eavesdropper would have to wait between isolations for a particular user is . The expected time for an eavesdropper to hear each user's code word transmitted alone once vs. the number of simultaneous transmitters is shown in Fig. 11 for an example data rate of Mbits/s.

Fig. 11. Code word isolation rates for OOK transmitters at 100 Mbps.

Since the users are not synchronized among themselves, an eavesdropper probably cannot attain either bit or code pulse synchronization for a particular user, which was assumed in the analysis in previous sections. However, neither bit nor code pulse synchronization is strictly required for detecting a user's code (although assuming synchronization greatly simplifies the quantitative calculation of code detection performance). Bit sync is not required because, under the aforementioned assumptions, one data bit duration is guaranteed to contain the entire code, albeit starting from an unknown point in the code. This makes the eavesdropper's task more difficult, but not impossible, since the eavesdropper may detect code pulses over one bit duration and then sequentially search through all possible time shifts over a single bit time to find the right code word. The number of possible time shifts is not likely to be a significant obstacle to a brute force search. Similarly, code pulse synchronization is not strictly required, since the eavesdropper could employ techniques similar to those used in radar pulse detection (where the time of return of the radar pulse is unknown). These techniques generally entail faster sampling of the signal by a factor of 2 or 3 over the approach quantified in previous sections, again making the eavesdropper's job more difficult, but not, theoretically at least, impossible.

D. Code Reconfiguration
As mentioned in Section III-B, a transmitter could attempt to increase confidentiality by changing its code words frequently. The preceding analysis shows that the reconfiguration rate required to insure that a code-detecting eavesdropper could not detect long strings of data depends on the SNR at the eavesdropper. If the eavesdropper could attain a relatively high SNR, then he could, in theory, detect the new codes by processing a single data bit, and could use the detected code to demodulate every subsequent bit until the code were changed again. In this case, strong confidentiality could only be attained by changing the code on every single bit in a random way, such that the eavesdropper would not know, on a given data bit, whether the detected code word represented a one or a zero.
Lower SNRs would require the eavesdropper to process multiple data bits to correctly detect the code. If the transmitter changed the code words more frequently than they could be correctly detected, then confidentiality could be significantly increased. However, code reconfiguration rates would probably need to approach the data rate to achieve a strong assurance of confidentiality, since the eavesdropper's advantage from combining multiple data bits increases quite rapidly, as shown in Fig. 9. In addition, the transmitter's codes would need to be changed in a way that could not be predicted or guessed by an eavesdropper. In other words, the code reconfiguration generator would need to have characteristics much like those of a cryptographic keystream generator.

VI. DISCUSSION

A. Practical Implementation Considerations


The practical degree of confidentiality provided by time-spreading/wavelength-hopping encoding will depend on both the user's ability to implement complex codes and the eavesdropper's ability to implement the described interceptor structure or similar ones. Since each data bit must be subdivided into time slots, the complexity of such codes is clearly limited for high data rate systems. Assuming a desired user data rate of 1 Gbit/s, the codes assumed in Figs. 6-9 require individual code pulse durations of roughly 1 ps and 100 fs . These must be correspondingly shorter for higher data rates. Implementing codes this complex is taxing given the current state of the art. Similarly, a code with wavelengths may be implementable, but may prove cumbersome at the least from a practical point of view.
The implementability of the required detector structures for
the eavesdropper is also a significant issue. Reasonable approximations to the required optical matched filters are currently
available, and should not pose great difficulty for modest numbers of different encoding wavelengths. But time-sampling the
envelope-detected outputs of these filters quickly and accurately
enough is quite difficult. For example, if sampling were done in real time for a user signal at 1 Gbit/s and , each wavelength channel would have to be sampled at a rate of nearly 1 THz. Real-time sampling technology is currently available at
rates of 20 GHz (for 8-bit samples) in commercial, off-the-shelf
oscilloscopes. This is well short of the required THz rate for the
previous example.
A number of possibilities exist for increasing the effective
sampling rate, however. The technique of equivalent time
sampling is currently used in high-bandwidth sampling oscilloscopes, and allows very high effective sampling rates.
Optical means for equivalent time sampling have also been
demonstrated [30]. These techniques require good time synchronization and moderately large numbers of input sampling
passes (each sample would be taken from a different data bit,
in the code interception context). This would significantly
increase the time required to process and detect a given code
word.


A second possibility for implementing high effective rate
time-sampling of time-spreading/wavelength-hopping signals
would be to capture one or more user data bit transmissions in
an optical recirculating loop and replay the data into a dithered
time sampler, with the actual sampling done at a reasonably low
rate. This could produce the required effective sampling rates
without requiring large numbers of data bits to be processed.
Implementation of the required detector structures at high
data rates is clearly difficult. However, considering the implementation possibilities discussed previously, and others that
may become available as technology progresses, it is dangerous
from a security point of view to assume that such detectors
could not be implemented at all. Any uncertainty as to whether
such detectors can be implemented translates directly into
uncertainty about the degree of confidentiality provided by
O-CDMA encoding.
The results presented in this paper are primarily theoretical,
and as such represent upper bounds to what could be achieved in
hardware. However, even if significant amounts of implementation loss are factored in, the basic result remains the same: the
confidentiality of O-CDMA encoding can be broken convincingly given either a high enough SNR or sufficient time to accumulate and combine signal energy from encoded signal transmissions. The fact that a potential eavesdropper may have to expend a great deal of resources to successfully implement a code
detector capable of breaking this confidentiality is significant,
though. It implies that O-CDMA may offer confidentiality protection against adversaries who lack the resources to develop,
procure, or use such technology. This degree of confidentiality
may be suitable for protecting information that is not of high
enough value for a potential adversary to justify the expense and
difficulty of implementing the required detector.
B. Confidentiality Comparison With Source Cryptography
The standard technique for providing data confidentiality
today is source cryptography. It is instructive to compare the
confidentiality characteristics of O-CDMA encoding with those
of cryptography to assess the usefulness of O-CDMA for this
type of security.
This paper has shown that the confidentiality of time-spreading/wavelength-hopping O-CDMA can be broken, in
theory, in a very short amount of time (for example, 100 bits)
even at relatively low SNRs and for reasonably complex codes.
By comparison, the amount of time necessary to break the
confidentiality of a state-of-the-art encrypted signal is usually
measured in tens of years or more. Furthermore, the degree
of confidentiality from O-CDMA encoding is dependent on
the many design parameters of the communication system that
affect the amount of signal power available to the eavesdropper.
In contrast, the confidentiality of an encrypted signal depends
in no way on the design of the communication system. Some
confidentiality can be obtained through O-CDMA encoding
if the eavesdropper can be forced to detect multiple signals
simultaneously. However, this advantage is lost if a single user
ever transmits without other users also transmitting, or if the
eavesdropper is able to isolate individual user transmissions in
a particular fiber. Cryptography has no such limitations.


VII. CONCLUSION
It is clear that, in theory at least, source cryptography
provides a much greater degree of confidentiality than does
time-spreading/wavelength-hopping O-CDMA encoding. In
principle, this conclusion also applies to any form of O-CDMA
encoding that can be represented by an LTI transfer function.
On the other hand, an intelligently encoded O-CDMA signal
can force a potential eavesdropper to implement a sophisticated
and possibly expensive detector in order to be able to break the
user's confidentiality. Rapid reconfiguration of codes can also
increase the difficulty of interception. These factors can provide
significant security advantages compared with standard optical
communication technologies such as WDM, where a commercial off-the-shelf detector can be purchased to read the data.
Whether or not this degree of confidentiality is sufficient for
a given purpose depends largely on the value of the information being protected, and the likelihood that an adversary will
be willing to expend the resources necessary to read the information.
APPENDIX A
This Appendix derives a quantitative relationship between the user's SNR per data bit and the eavesdropper's SNR per code chip, which allows a tradeoff between system capacity and confidentiality to be quantified. With a reasonably large number of simultaneous users, the MUI noise term can be approximated by white Gaussian noise⁴ [19], as can the receiver noise term [24]. Using these approximations, the following analysis shows a quantitative trade between confidentiality and system capacity, and allows calculation of how low the eavesdropper's SNR can reasonably be made given various system design parameters.
We assume that users are connected to a broadcast star LAN and that the total number of taps in the star coupler is equal to . We assume that the eavesdropper taps into a fiber carrying a single user's coded transmission (Fig. 2) with a tapping efficiency of . To model a general time-spreading/wavelength-hopping code, we assume that code pulses are distributed among possible time slots and possible wavelengths. Thus, the code weight is and the code length is . No assumptions are made concerning how the pulses are distributed among the possible code bins, which assures that the analysis can be applied to any type of time-spreading/wavelength-hopping code.
The eavesdropper is assumed to use optical matched filtering
followed by envelope detection, as shown in Fig. 3 for a single
wavelength. Separate but identical detectors are used for each
different wavelength. Time samples from the output of each envelope detector are taken in each of the time bins illustrated in
Fig. 3. Thus, the eavesdropper collects total samples,

⁴ Various types of Gaussian approximations, both simple and sophisticated, have been developed for modeling MUI noise for various types of O-CDMA systems (e.g., [16]). The simple approximation used here is admittedly rough, but should be sufficiently accurate to illustrate the basic tradeoff between confidentiality and system capacity.


assuming that a single data bit is processed. Each sample is compared with a threshold to decide whether or not a code pulse is
present in the corresponding bin.
Assuming the energy transmitted per code pulse is , the total energy transmitted per data bit is . The authorized user's receiver is assumed to produce additive white Gaussian thermal noise of double-sided spectral density . The eavesdropper has an equivalent receiver noise of spectral density , which is also assumed to be white and Gaussian. Let represent the ratio of the eavesdropper's receiver noise density to the authorized user's receiver noise density.
The total effective energy per data bit received at the authorized user's receiver from the desired user signal is given by
(A1)
where represents the user's efficiency for combining the energy from multiple code pulses. for coherent detection and combining, and is between zero and one for incoherently detected and combined signals.
As described previously, the eavesdropper must make decisions in each time/wavelength bin as to whether or not a code
pulse was transmitted. Given that a code pulse is transmitted in
a particular bin, the amount of energy received by the eavesdropper in that bin is given by
(A2)
where the second equality makes use of (A1).
The eavesdropper's effective SNR for an individual time/wavelength bin detection decision is . Combining all factors defined so far gives
(A3)
If a particular maximum BER level is specified for the authorized users in the network, the eavesdropper's received SNR (per code pulse) can be related to the required SNR (per bit) of the authorized users as follows. Since the BER of an authorized user is some monotonically decreasing function of the given in (5), setting a maximum BER specification is equivalent to setting a minimum value of . We denote this value by .
The eavesdropper's SNR can be related to as a function of the relative levels of the MUI noise term and the receiver noise term (5). Defining the parameter as the ratio of the receiver noise to the total noise gives
(A4)
We can then write either
(A5)

or, alternatively
(A6)
Substituting the result of (A6) into (A3) and rearranging terms,
we get
(A7)
which directly relates the eavesdropper's SNR to the minimum
SNR that the authorized users must have to meet some BER
specification.
The parameter may vary between zero and one. (Arbitrarily setting to a value outside this range requires that one of the spectral densities in (A4) be negative, which is not allowed by the definition of power spectral density.) For a fixed value of , and assuming that is fixed by the receiver implementation, (A6) implies that must increase as the total transmitted energy per data bit decreases. Minimizing each user's transmitted power thus implies maximizing . Setting thus gives the minimum possible value of the eavesdropper's SNR for a given maximum BER specification. Since the eavesdropper's probability of correctly detecting a user's code word is a function of this SNR, this implies that for a given there is a limit to the degree of confidentiality that can be obtained [for a given set of the system design and coding parameters in the first term of (A7)].
At the other end of the range, setting produces the case where receiver noise is completely negligible compared with the MUI noise term (A4). This situation can be approached if each user transmits at high power levels. Note that the eavesdropper's SNR becomes arbitrarily large as approaches zero.
The form of the trade between system capacity and confidentiality can be made plain by introducing one further approximation. Assuming that the MUI noise from each interfering user adds incoherently in an authorized user's receiver and is roughly proportional to the number of active transmitters, we obtain
(A8)
where is the number of active users and is the equivalent noise spectral density contributed by each user. Substituting (A8) into (A5) gives
(A9)
Let be the theoretical maximum number (assuming , i.e., that ) of simultaneous users that can be active and still maintain a BER that meets the system performance specification. The maximum data carrying capacity of the network is multiplied by the data rate of an individual user. Setting in (A9) and replacing with gives the relationship between and for ideal, noiseless receivers as
(A10)


Combining (A9) and (A10), solving for , and substituting the result in (A7) yields

(A11)
This equation relates all the various system design factors (the
first bracketed term), the number of active users relative to the
maximum theoretical number (the second term), and the SNRs
of both the eavesdropper and the authorized users. Its interpretation is discussed in the main body of the paper.

APPENDIX B
This Appendix derives the statistics of the decision variables for a code detecting eavesdropper combining the energy from multiple transmitted data bits. Assume that the eavesdropper incoherently⁵ combines the energy from data bits for each code word detection. As described in Appendix A, time samples from an envelope-detected optical matched filter output are taken in each of the time bins illustrated in Fig. 3. For each transmitted data bit, the eavesdropper collects total samples. Let the sample from the th bin of the th data bit be denoted by . For each of the bins, the eavesdropper forms the statistic
(B1)
For each transmission of data bits, of the bits will represent ones (codeword C1) and of them will represent zeros (codeword C2), where is a binomially distributed random variable whose expected value is . The probability distribution of each sample, , will thus depend on the value of . For relatively large values of , we can approximate by its expected value and determine the probability distributions of . First, assume that the codewords C1 and C2 overlap (i.e., both have energy pulses in the same bin) in locations. ( must be small for acceptable orthogonality among different users.) There will then be bins in which no code pulses are transmitted, and whose statistics reflect noise only. For these bins, has a Chi-square distribution with degrees of freedom. There will also be bins where C1 and C2 overlap. These bins will have signal energy on each transmitted data bit, and will have a noncentral Chi-square distribution with degrees of freedom and noncentrality parameter of . There will be bins that have signal energy only on bits where C1 is transmitted. For these bins, will have a noncentral Chi-square distribution with degrees of freedom and noncentrality parameter of . Finally, there will be bins that have signal energy only when C2 is transmitted, and these have a noncentral Chi-square distribution with degrees of freedom and noncentrality parameter . (See [25] and [22] for more detailed discussion on these probability distributions and how they apply to the envelope detected output of optical matched filters.) Using the previous approximation that for large , the distributions of the bins with signal energy from C1 only and the bins with signal energy from C2 only are the same.
Each variable is compared to a decision threshold, , to determine whether or not a code pulse is present in bin . The threshold is assumed to be optimized to minimize the overall probability of error, making use of the approximation that . The probability of error given that no pulse was actually transmitted in bin is
(B2)
noise
The probability of error given that signal energy from either C1 or C2, but not both, have accumulated in bin is
(B3)
C1 or C2
where and is the Generalized Marcum -function, defined as [25, p. 44]
(B4)
where denotes an th order modified Bessel function of the first kind.
The probability of error given that signal energy from both C1 and C2 have accumulated in bin is
(B5)
C1 and C2
Following the notation of (1)–(3), we have
noise
(B6)
The probability of error in (B5) will generally be much lower than the probability of error from (B3), in which case, we have
C1 or C2
(B7)
The eavesdropper's overall probability of detecting an error-free code word is then given by
(B8)
since there are total bins where some signal energy has accumulated and total bins where only noise has been accumulated.
Note that if is significantly different from , the signal noise bins where energy has been accumulated from one code word will have a significantly higher than the signal noise bins where energy has accumulated from the other code word, since more one bits were accumulated than zero bits (or vice versa). In this case, the probability of error-free code word detection would be somewhat lower than that given by (B8).

⁵ The structure of Fig. 5 implies that the combining will be incoherent. If a coherent matched filter detector were implemented, more efficient coherent combining of the energy from multiple bits could be accomplished.
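The calculation Appendix B describes can be carried through numerically to see how much confidentiality margin a code leaves once several bits are combined. The Python below is an added example, not code from the paper: it evaluates the per-bin error probabilities from the chi-square and noncentral chi-square statistics and multiplies them over the bins in the manner of (B8). All names and values (256 bins, code weight 16, no overlap between C1 and C2, unit noise power per sample, equal numbers of ones and zeros) are assumptions chosen for illustration.

```python
import math

def tail(m, lam, t):
    """P(Z > t) for Z = sum over m samples of |a_i + n_i|^2, n_i ~ CN(0, 1),
    with total signal energy lam = sum |a_i|^2 (lam = 0 is a noise-only bin).
    2Z is noncentral chi-square with 2m degrees of freedom, evaluated here as
    a Poisson(lam)-weighted mixture of Gamma(m + j, 1) tails."""
    if t <= 0.0:
        return 1.0
    log_t = math.log(t)
    # Gamma(m, 1) tail: exp(-t) * sum_{i<m} t^i / i!, terms built in the log domain
    g = sum(math.exp(-t + i * log_t - math.lgamma(i + 1)) for i in range(m))
    if lam == 0.0:
        return min(g, 1.0)
    log_lam = math.log(lam)
    total = 0.0
    for j in range(int(lam + 12.0 * math.sqrt(lam)) + 31):
        total += math.exp(-lam + j * log_lam - math.lgamma(j + 1)) * g
        k = m + j  # one more term turns the Gamma(k) tail into the Gamma(k + 1) tail
        g += math.exp(-t + k * log_t - math.lgamma(k + 1))
    return min(total, 1.0)

def p_codeword(snr_db, m_bits, n_bins=256, weight=16, steps=60):
    """Probability that all n_bins threshold decisions are correct after
    incoherently combining m_bits bits, at the best threshold on a grid."""
    snr = 10.0 ** (snr_db / 10.0)      # pulse energy / noise, one bin, one bit
    lam = 0.5 * m_bits * snr           # each code word is sent on half of the bits
    n_sig = 2 * weight                 # C1-only plus C2-only bins (no overlap assumed)
    best = 0.0
    for s in range(1, steps):
        t = m_bits + lam * s / steps   # between noise-bin mean and signal-bin mean
        p_false = tail(m_bits, 0.0, t)
        p_miss = 1.0 - tail(m_bits, lam, t)
        best = max(best, (1 - p_false) ** (n_bins - n_sig) * (1 - p_miss) ** n_sig)
    return best

def required_snr_db(m_bits, target=0.5, lo=-10.0, hi=30.0):
    """Smallest per-bin SNR (dB) giving p_codeword >= target, by bisection."""
    for _ in range(12):
        mid = 0.5 * (lo + hi)
        if p_codeword(mid, m_bits) >= target:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    for m in (2, 10, 100):
        print(f"{m:4d} bits combined: {required_snr_db(m):6.2f} dB needed")
```

Under these assumed parameters the gap between the 2-bit and 100-bit cases is the quantity a system designer would compare against the SNR the network actually leaves available at a tap.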
ACKNOWLEDGMENT
The author would like to acknowledge the many useful
discussions concerning this work with other staff members
at Lincoln Laboratory's Communications and Information
Technology Division, most especially Dr. P. A. Schulz, who
has had a substantial influence on the work reported here.
REFERENCES
[1] N. Karafolas and D. Uttamcandani, "Optical fiber code division multiple access networks: A review," Optical Fiber Technol., vol. 2, pp. 149–168, 1996.
[2] K. Iverson and D. Hampicke, "Comparison and classification of all-optical CDMA systems for future telecommunication networks," in Proc. SPIE, vol. 2614, 1995, pp. 110–121.
[3] L. Tancevski, I. Andonovic, and J. Budin, "Secure optical network architectures utilizing wavelength hopping/time spreading codes," IEEE Photon. Technol. Lett., vol. 7, no. 5, pp. 573–575, May 1995.
[4] P. Torres, L. C. G. Valente, and M. C. R. Carvalho, "Security system for optical communication signals with fiber bragg gratings," IEEE Trans. Microwave Theory Tech., vol. 50, no. 1, pp. 13–16, Jan. 2002.
[5] D. D. Sampson, G. J. Pendock, and R. A. Griffin, "Photonic code-division multiple-access communications," Fiber Int. Opt., vol. 16, pp. 129–157, 1997.
[6] W. Ford, Computer Communications Security. Upper Saddle River, NJ: Prentice-Hall, 1994, ch. 2.
[7] M. K. Simon, J. K. Omura, R. A. Scholtz, and B. K. Levitt, Spread Spectrum Communications. Rockville, MD: Computer Science Press, 1985.
[8] D. R. Stinson, Cryptography. Boca Raton, FL: CRC, 1995, ch. 2.
[9] B. Schneier, Applied Cryptography, 2nd ed. New York: Wiley, 1996, pp. 8–9.
[10] N. Ferguson and B. Schneier, Practical Cryptography. Indianapolis, IN: Wiley, 2003.
[11] J. A. Salehi, "Code division multiple-access techniques in optical fiber networks-Part I: Fundamental principles," IEEE Trans. Commun., vol. 37, no. 8, pp. 824–833, Aug. 1989.
[12] G.-C. Yang and W. C. Kwong, Prime Codes. Belmont, MA: Artech House, 2003.
[13] S. V. Marhic, Z. I. Kostic, and E. L. Titlebaum, "A new family of optical code sequences for use in spread spectrum fiber-optic local area networks," IEEE Trans. Commun., vol. 41, no. 8, pp. 1217–1221, Aug. 1993.
[14] H. Fathallah, L. A. Rusch, and S. LaRochelle, "Passive optical fast frequency-hop CDMA communications system," J. Lightwave Technol., vol. 17, no. 3, pp. 397–405, Mar. 1999.
[15] M. Kavehrad and D. Zaccarin, "Optical code-division-multiplexed systems based on spectral encoding of noncoherent sources," J. Lightwave Tech., vol. 13, no. 3, pp. 534–545, Mar. 1995.
[16] J. A. Salehi, A. M. Weiner, and J. P. Heritage, "Coherent ultrashort pulse code-division multiple access communication systems," J. Lightw. Technol., pp. 478–491, Mar. 1990.
[17] T. Ojanpera and R. Prasad, Eds., Wideband CDMA for Third Generation Mobile Communications. Belmont, MA: Artech House, 1998, p. 110.
[18] C. W. Helstrom, Statistical Theory of Signal Detection, 2nd ed. New York: Pergamon, 1968.
[19] W. C. Kwong, P. A. Perrier, and P. R. Prucnal, "Performance comparison of asynchronous and synchronous code-division multiple-access techniques for fiber-optic local area networks," IEEE Trans. Commun., vol. 39, no. 11, pp. 1625–1634, Nov. 1991.
[20] M. I. Skolnick, Introduction to Radar Systems, 3rd ed. Boston, MA: McGraw-Hill, 2001.
[21] P. A. Humblet, "Design of optical matched filters," in Proc. IEEE GLOBECOM'91, vol. 2, Dec. 2–5, 1991, pp. 1246–1250.
[22] P. A. Humblet and M. Azizoglu, "On the bit error rate of lightwave systems with optical amplifiers," J. Lightw. Technol., vol. 9, no. 11, pp. 1576–1582, Nov. 1991.
[23] B. R. Mahafza, Radar Systems Analysis and Design Using MATLAB. Boca Raton, FL: Chapman & Hall/CRC, 2000.
[24] S. B. Alexander, Optical Communication Receiver Design. Bellingham, WA: SPIE Opt. Eng. Press, 1997.
[25] J. G. Proakis, Digital Communications, 3rd ed. Boston, MA: McGraw-Hill, 1995.
[26] A. J. Viterbi, CDMA: Principles of Spread Spectrum Communication. Reading, MA: Addison-Wesley, 1995.
[27] T. Ojanpera and R. Prasad, Eds., Wideband CDMA for Third Generation Mobile Communications. Belmont, MA: Artech House, 1998.
[28] L. Tancevski and I. Andonovic, "Wavelength hopping/time spreading code division multiple access systems," Elect. Lett., vol. 30, no. 17, pp. 1388–1390, Aug. 1994.
[29] T. H. Shake, "Confidentiality performance of spectral phase encoded optical CDMA," J. Lightw. Technol., 2005, to be published.
[30] Y. Han and B. Jalali, "Photonic time-stretched analog-to-digital converter: Fundamental concepts and practical considerations," J. Lightw. Technol., vol. 21, no. 12, pp. 3085–3103, Dec. 2003.

Thomas H. Shake (M'94) was born in Syracuse, NY,
in 1957. He received the B.S. degree from Syracuse
University in 1980 and the M.S. degree from the University of California, Berkeley, in 1981, both in electrical engineering.
He has been a Member of the Technical Staff
at Massachusetts Institute of Technology, Lincoln
Laboratory, Lexington, MA, since March 1982. He
is currently assigned to the Advanced Networks and
Applications Group. His work at Lincoln Laboratory
has included research and development in various
aspects of communication systems and data networks, including military
satellite system analysis and design, interactions between space-based and
terrestrial communication networks, and network security in heterogeneous
environments. His current research interests include optical network architecture, network and communications security, high-precision network timing,
and optical communication waveform design.
