Soft Input Trust Output

Zivic Natasa Institute for Data Communication Systems

University of Siegen Siegen, Germany

Natasa.zivic@uni-siegen.de

Abstract— The scenario is considered, where a message with its Message Authentication Code is transmitted over a noisy channel. The usage of a forward error correcting channel code is assumed, which reduces the error rate, but no repeat mechanism to correct the remaining errors (ARQ). The uncorrected errors cause the rejection of messages with a wrong MAC. This paper introduces the extension of „hard“ verification of MACs, whose result is „true“ or „false“, to „soft“ verification, that outputs a trust level as verification result. This allows the acceptance of corrected messages and their MACs, even if a few bits of the MAC are different from the expected value. This is comparable to the situation that handwritten signatures are accepted as long as they are not too different from a reference. The costs are a loss of trust, which has to be considered. Therefore “Trust Output” is accompanied with the output of the verification process. A definition of „Trust Level” will be given, together with an algorithm of „soft” verification, which provides such Trust Output. This algorithm is based on a Soft Output channel decoder, which provides a reliability value for each bit, which is used as soft input for the proposed algorithm. Therefore we call the algorithm „Soft Input Trust Output”. Simulation results show an essential improvement of the acceptance rate of MACs - at the cost of a reduced trust level. The reduction can be calculated and the maximum permitted reduction of the trust level can be preset.

Keywords-component; Data integrity, MAC, H_MAC, Forward Error Correction, SISO channel decoder, Hamming distance, Soft Input Decryption, trust level

I. INTRODUCTION Cryptographic check values (CCV), for example Message

Authentication Codes (MAC) [1,2] and hash function based Message Authentication Codes (H_MAC) [3] provide secure information transfer: they protect against manipulation of information, or masquerading of data origin by cryptographic redundancy.

Channel codes use redundancy for the recognition and correction of errors that occur during the data transfer over a noisy channel, for example convolutional or turbo codes. Not all errors are corrected by the channel decoder, but there will be a remaining bit error rate after channel decoding depending on the channel characteristics, i.e. the signal-to-noise-ratio. The remaining bit errors will cause the rejection

of messages secured by CCV´s, and the information is lost. It is assumed that no ARQ mechanisms is possible for correction of the remaining errors by repetition of the message – may be caused by a very low S/N, which will again produce a message with errors, by real time requirements or by one way communication, which is used in deep space or broadcast applications.

Redundancy generated by the channel code as well as by the data integrity mechanism has been used for Joint Channel Coding and Cryptography [4] and will be also exploited for Soft Input Trust Output.

Cryptographic mechanisms are standard components of nowadays’ communication systems and distributed applications (Fig. 1). In this paper the mechanisms of an en-/decryptor are used to generate/verify the CCV of a message M using a shared secret key.

The channel decoder is assumed to be SISO (Soft Input Soft Output). SISO is a concept of channel decoding, which was originally used in iterative and turbo coding, because soft output is fed back internally [5]. Soft output of the channel decoder is used here as soft input for the cryptographic verification process, called Soft Input Verification. Soft output of the channel decoder is usually expressed as L-value of each output bit u’ (Fig. 1):

)0()1(ln)'(

===

uPuPuL

(1)

Figure 1. Modular Block Diagram of the Coding Model

L(u’) expresses the reliability of the decision of the channel decoder, if the sent bit u was 1 or 0. The sign of the L-value shows the hard output of bit u’ (1 or 0) and |L| is used as reliability value of the hard decision. Example: if L is positive, the hard output is 1, otherwise 0. As higher |L|, as more reliable is the hard decision and vice versa: a lower |L|

978-1-4673-0309-5/12/$31.00 ©2012 IEEE

means a less reliable decision. When the L-value is equal to 0, the probability of the correctness of the decision is 0.5.

In this paper CCV verification is used as part of Soft Input Decryption [6] for the correction of the received message M’ and the CCV’.

Soft Input Decryption is explained in Chapter 2. The extended algorithm of Soft Input Decryption providing soft verification, and called Soft Input Trust Output (SITO), is shown in Chapter 3. The maximum Hamming distance used by the extended algorithm is estimated and discussed in Chapter 4. Trust level and trust output will be introduced in Chapter 5. Results of simulations showing the improvements by the new algorithm are presented in Chapter 6. The paper is concluded in Chapter 7.

II. SOFT INPUT DECRYPTION The cryptographic check value CCV is generated by

using the cryptographic check function CCV and a shared secret key K. Message M and its cryptographic check value CCV are encoded by the channel encoder and transmitted over a noisy channel.

The algorithm of Soft Input Decryption is as follows [6] (see Fig. 2):

Figure 2. Algorithm of Soft Input Decryption

The received message M’, CCV’ and the L-values of all bits of M’ and CCV’ are the input from SISO channel decoder to Soft Input Decryption. CCV” = CCV(M’) by application of the shared secret key K. If CCV” = CCV’, the verification result is „true” and M’ is accepted as correct.

If the verification result is „false”, the L-values of the channel decoder are analyzed. Bits of M’ and CCV’ with the lowest |L|-values are flipped i.e. inverted. There are different strategies for choosing the bits to be inverted - not only L-values but also channel and decoder properties can be respected -, but they are out of the scope of this paper. After bit flipping, which results in M” and CCV”, the verification process compares CCV” and CCV(M”) and checks, if they

are equal. If the verification result is „false” again, another bit or combination of bits is changed. This iterative process stops, when the verification result is „true” or the provided resources are consumed.

In simulations [6] a length of 160 bit has been chosen for both, the message and the CCV. CCV has been calculated using RIPEMD160 [7] with a key K. Simulations have been performed using a convolutional encoder of code rate r = 1/2 and constraint length m = 2 as the simplest one, but used very often in theory and practice. As usual BPSK modulation and an Additional White Gaussian Noise (AWGN) channel are used together with a SISO decoder based on the Maximum A-Posteriori (MAP) algorithm [8]. The MAP decoder was programmed in such a way, that it supports the output of L-values. For each point of the resulting graphs, 50 000 simulations have been performed, programmed in C/C++.

Figure 3. Results of Soft Input Decryption using up to 8 (b) and 16 (c) lowest |L|-values compared to results without Soft Input Decryption (a)

valuescheckcryptreceivedofnumbervaluescheckcryptincorrectofnumberCCER

..=

(2)

An incorrect cryptographic check value is a cryptographic check value which could not be successfully verified or a cryptographic check value, which has been falsely successfully verified, i.e. the message is not the original one (collision).

Fig. 3 [6] shows the improvement of CCER with Soft Input Decryption for the cases that up to the 8 lowest |L|-values (graph b) or up to the 16 lowest |L|-values are used (graph c). Example: CCER of 10-3 at Eb/N0 ~ 6.2 dB without Soft Input Decryption is the same as for Eb/N0 ~ 4.2 dB with Soft Input Decryption, or decreased from 10-1 to 10-3 at Eb/N0 ~ 4.2 dB. Using up to the 16 lowest |L|-values a coding gain

of 2.33 dB can be reached, and CCER > 10-1 without Soft Input Decryption can be reduced down to CCER < 10-4 at Eb/N0 ~ 4 dB.

The idea of inversion of the least probable bits originates from Chase decoding algorithms [9] in 1972, which were the generalization of the GMD (Generalized Minimum Distance) algorithms from 1966 [10] and improved channel decoding.

It may happen, that a pair of M” and CCV” is generated by bit flipping, whose verification result is „true”, but the message M” is not equal to the original message M. The probability of this event [4] has to be considered, when the cryptographic parameters are chosen under security aspects.

III. IMPROVED CORRECTION AND VERIFICATION The new algorithm, Soft Input Trust Output (SITO),

which is presented here, uses the fact, that statistically50% of the bits of CCV = CCV(M) are different from CCV’ = CCV(M’), if a message M is changed to a message.

Soft Input Trust Output is based on the idea of Soft Input Decryption, see Chapter 2 (Fig. 2). Soft Input Decryption searches for a matching pair of message M” and CCV” = CCV(M”) by bit flipping of M’ and CCV’. Now, in Soft Input Trust Output a message M’’ is searched by bit flipping only of M’, whose CCV” = CCV(M”) is „neighbored” to the received CCV’. Therefore the Hamming Distance (HD) is calculated: d = HD(CCV’,CCV”). d has to be smaller than a given threshold dmax for the acceptance of M”. dmax will be discussed in Chap. 4.

The background for the success of the algorithm is the (error) avalanche effect of CCV: If M’ and CCV’ do not result in a positive verification, M’ or CCV’ or both of them are modified during transmission. If M’ is correct and CCV’ has been modified by the noise of the channel, d = HD(CCV’,CCV”) will correspond to the BER (Bit Error Rate) after the channel decoder. After d is known, the probability can be computed, that this number of bit errors happened. If M’ is not correct, the probability is very high, that around 50 % of the bits of CCV” are different. Therefore, of course, the number dmax has to be chosen much smaller than n/2. By this way, it can be assumed if M or CCV has been modified during transmission. If both M and CCV have been modified during the transmission, then the behavior is like the case of a modified M.

This phenomenon is combined with an improved algorithm to correct M’.

If d is higher than the threshold dmax, M´ is tried to be corrected by knowing the least reliable bits. The successful correction is recognized, if CCV smaller than the threshold.

It is obviously, that the new strategy brings essential improvements: bit flipping is applied only to the message, so much more messages can be tried with the same number of low |L|-values, and much more messages are accepted, because the CCV of the message has not to be exactly one value.

The algorithm of Soft Input Trust Output is presented in Fig. 4.

Figure 4. Algorithm of Soft Input Trust Output

M’, CCV’ and the L-values of M’ are the input to (now called) Soft Input Trust Output after SISO channel decoding. CCV” = CCV(M’) by application of the shared secret key K. If HD(CCV’,CCV”) < dmax, message M’ is assumed to be correct, i.e. equal to the sent message M, with a certain reduction of the reliability level, rsp. trust level. The trust level will be introduced and discussed in Chap. 5.

If HD(CCV’,CCV”) ≥ dmax, M’ is assumed to be wrong and the process of changing of the message bits starts: the bit or a combination of bits with the lowest |L|-values of the message M’ are flipped, which results in a message M”. CCV” = CCV(M”) by application of the key K. If HD(CCV’,CCV”) < dmax, message M” is assumed to be correct, otherwise message M” is assumed to be wrong and followed by the next round of flipping other bits of M’ as chosen by the bit flipping strategy.

This iterative process is finished, if HD(CCV’,CCV”) < dmax, or the provided resources are consumed. If all attempts of correction fail, the number of errors is too high as a result of the noise of the channel or of an attack.

Simulation results will follow in Chap. 6 after the threshold dmax has been considered and the trust level has been introduced.

IV. HAMMING DISTANCE THRESHOLD The problem of choosing dmax is based on the evaluation

of the Bit Error Rate (BER) of M’ and CCV’. dmax will be chosen in such a way that the probability, that more than dmax bits of CCV’ will be changed during transmission is smaller than a given limit.

The probability that 0, 1, 2 …or d bits are wrong in a word of length n (knowing the Bit Error Rate (BER) of the channel including the channel decoder) is:

inid

id BERBER

in

P −

=

−⎟⎟⎠

⎞⎜⎜⎝

⎛=∑ )1(

0 (3)

dk will be calculated for Pd ≥ 1 – 10-k, rsp. for 1 – Pd <

10-k:

dk = min {d | Pd ≥ 1 – 10-k} (4)

For k = 4 (then the probability, that the number of errors

of CCV’ exceeds dmax = d4 is smaller than 10-4), the results for d4 from (8) are presented for n = 160 (H-MAC), n = 128 (MAC) and n = 64 (MAC) in Table 1. BER which is used for the calculation of d4 is the result of simulations (with the same parameters as explained in Chap. 2) and is shown in Table 1.

TABLE I. DEPENDENCE OF D4 ON EB/N0 FOR DIFFERENT N (N + M = 320)

Eb/N0 [dB] BER d4(n = 160) d4(n = 128) d4(n = 64)1 0.036 16 14 9

1.5 0.0234 13 11 8 2 0.0149 10 9 6

2.5 0.00681 7 6 4 3 0.00376 5 5 4

3.5 0.00142 3 3 3 4 0.00037 2 2 2

4.5 0.00024 2 2 2 5 0.00012 2 2 1

Table 1. shows, if Eb/N0 is for example 1.5 dB and n = 160, a Hamming distance of 13 has to be allowed for received CCV’, in order to find the correct CCV’ from all possible CCV’s. If Eb/N0 is 4 dB, allowed Hamming distance has to be 3, so that the right solution can be found. Corresponding Hamming distance has to be lower for the same Eb/N0, for lower n (n + m = 320).

TABLE II. DEPENDENCE OF DK ON EB/N0 FOR N = 160

Eb/N0 [dB] BER d1 d2 d3 d4 d5 d6 d7 d8 d9 d10

1 0.036 8 12 15 16 19 21 22 24 25 271.5 0.0234 6 9 12 13 15 17 18 19 21 222 0.0149 5 7 9 10 12 13 15 16 17 18

2.5 0.00681 3 5 6 7 9 10 11 12 13 143 0.00376 3 4 5 5 7 8 9 10 10 11

3.5 0.00142 2 3 4 3 5 6 7 7 8 9 4 0.00037 1 2 3 2 4 4 5 5 6 7

4.5 0.00024 1 2 2 2 3 4 4 5 6 6 5 0.00012 1 1 1 2 2 3 3 3 4 4

V. TRUST OUTPUT Soft Input Trust Output verification adds information

about the trust in the verification of the message after successful correction of the message.

For any message M”, for example generated by bit flipping of M’, the probability, that CCV(M”) = CCV’ is:

P(CCV(M”) = CCV’) = n21

(5)

If CCV” is neighbored to CCV’ with a Hamming

Distance of d, then ⎟⎟⎠

⎞⎜⎜⎝

⎛dn

values of CCV are possible.

Therefore the probability Prandomly_correct, that a message M” is generated with HD(CCV(M”),CCV’) = d is:

ncorrectrandomlydn

dP2

)(_

⎟⎟⎠

⎞⎜⎜⎝

⎛

= (6)

with:

∑=

=n

dcorrectrandomly dP

0_ 1)( (7)

The trust is reduced, because the possibility exists, that a message could be found randomly, which is not the original message. The worst case is d = n/2 bit, because then 50 % of bits are different.

Note: Prandomly_correct (d = n/2 + i) = Prandomly_correct (d = n/2 - i), i = 0,…,n/2, n even. This is plausible, but under practical aspects d should be smaller than n/2.

The trust level is defined as:

( )

⎥⎦⎤

⎢⎣⎡∈

−

−⎟⎠⎞

⎜⎝⎛

=2

,0,

2121

2ln_

_ nddP

nPT

ncorrectrandomly

ncorrectrandomly

(8)

T is infinite, if d = 0, i.e. CCV’ = CCV”, and T = 0, if d = n/2. T = ∞ does not mean that the trust in the verification of

the message is infinite, but that the trust is non reduced compared to the trust level of the security system using „hard“ verification.

T is computed, if a verific ation is successful, rsp. if d < dmax. dmax is only used as

limit of the soft verification process. The trust level in an individual message verification can be much higher than the requested lower boundary.

T is presented in Fig. 7 depending on d for n = 160 bit. Following information is given as output of Soft Input

Trust Output algorithm after successful soft verification: received message M’, corrected message M”, CCV’, CCV” = CCV(M”), and T.

successfulverification

[%]

Tx

x

Eb/N0 = 5 dB

2010 30 40 50 60 70 80 90 100

70

75

80

85

90

95

100

105

∞

Figure 5. Dependence of the trust level T on d

VI. SIMULATION RESULTS

Figure 6. CCER after SISO channel decoding (d = 0) (graph a), after Soft Input Decryption (d = 0) (graph b) and with Soft Input Trust Output (d ≤

dmax) (graph c)

Soft Input Trust Output has been simulated with the same

parameters as in Chap. 2 and Chap. 4. Results of simulations are presented in Fig. 8, showing achieved coding gains in comparison to a standard 1/2 convolutional coding with MAP decoder (graph a) (see Fig. 1)). Fig. 8 shows the improvement of CCER with Soft Input Decryption (see Fig. 3), and the additional improvement by Soft Input Trust Output (graph c) using up to 16 lowest |L|-values. For example, for CCER = 10-1 without Softinput Decryption the coding gain of Soft Input Decryption is 1.45

dB, but if Soft Input Trust Output is used, additional 0.59 dB are gained.

Figure 7. Distribution of T f successful corrections for Eb/N0 = 5 dB

Figure 8. Distribution of T f successful corrections for Eb/N0 = 4 dB

CCER without Soft Input Decryption is decreased from 0.5 to 10-2 (if Soft Input Decryption is used) and down to 10-

4 (if Soft Input Trust Output is used) at Eb/N0 ~ 3.5 dB. Fig. 6 shows how many messages are accepted if Soft

Input Trust Output is used. It is interesting to analyse the trust level of these additional successful verifications. This is done in Fig. 7 – Fig. 11: for i dB, i = 1,...5 the trust level of messages (in percent) is indicated. These figures present the distribution of T, and T corresponds to d (d converted to T by Table 2), 0 ≤ d < dmax, dmax chosen by dmessage_correct of Fig. 6.

.

Figure 9. Distribution of T f successful corrections for Eb/N0 = 3 dB

Figure 10. Distribution of T f successful corrections for Eb/N0 = 2 dB

VII. CONCLUSION This paper describes, how messages can be accepted,

whose CCV is not correct. The technique tries to correct the message till the received CCV is very similar to the CCV of the reconstructed message. If the message would be wrong, these both CCVs would be very different. The output is extended by trust information, because the trust level is reduced, if both CCVs are not equal. A measure of the trust level has been defined and simulations show an essential reduction of the messages, which are discarded due to a mismatching CCV caused by a noisy channel. In most cases the trust level is reduced only slightly. Applications exist, where short messages, protected by a CCV, are exchanged, for example in the automotive industry or generally in industrial scenarios. The technique of soft cryptographic

verification can be extended to other cryptographic mechanisms at the receiver side and open a new field of future work.

Figure 11. Distribution of T f successful corrections for Eb/N0 = 1 dB

REFERENCES [1] ISO/IEC 9797-1, Information technology – Security techniques –

Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher , 1999

[2] C. Ruland, Informationssicherheit in Datennetzen, datacom Verlag, Bergheim, 1993

[3] ISO/IEC 9797-2, Information technology – Security techniques – Message Authentication Codes (MACs) – Part 2: Mechanisms using a dedicated hash function , 2002

[4] N. Živić, Joint Channel Coding and Cryptography, Shaker Verlag, Aachen, 2008

[5] A. Giuiletti, B. Bougard, L.v.d. Perre, Turbo Codes: Desirable and Designable, Kluwer Academic Publishers, 2003

[6] Ruland C., Živić N.: Soft Input Decryption, 4thTurbocode Conference, 6th Source and Channel Code Conference, VDE/IEEE, Munich, 2006

[7] ISO/IEC 10118-3, Information technology – Security techniques –Hash-functions – Part 3: Dedicated hash – functions, 2003

[8] Bahl L., Jelinek J., Raviv J., Raviv F.: Optimal decoding of linear codes for minimizing symbol error rate, IEEE Transactions on Information Theory, IT-20, 1974

[9] Chase D.: A Class of Algorithms for Decoding Block Codes with Channel Measurement Information, IEEE Trans. Inform. Theory, IT- 18, pp. 170-182, 1972

[10] Forney G. D. Jr.: Generalized Minimum Distance Decoding, IEEE Trans. Inform. Theory, IT-12, pp. 125-131, 1966