ICTON 2015 Tu.A1.

Double All-Optical Encryption of M-QAM Signals Based on

Spectrally Sliced Encoding Keys
Marcelo L. F. Abbade1, Milorad Cvijetic2, Carlos A. Messani1, Cleiton J. Alves1, and Stefan Tenenbaum3
1
PUC-Campinas, Campinas-SP, Brazil
2
University of Arizona, Tucson, AZ, USA
3
Centro de Tecnologia da Informação Renato Archer, Campinas, SP - Brazil
e-mail: abbade@puc-campinas.edu.br
ABSTRACT
The ever-growing demand for optical network security can be addressed by data encryption at different network
layers. In this work, we consider all-optical cryptography technique that applies a spectral phase change and
delay encoding on spectrum slices of a specified WDM channel. In this case we have investigated a novel
approach where signals are double encrypted to achieve an enhanced degree of security. Simulation results
indicate that such double cyphering scheme can be applied to high data-rate M-QAM signals propagating in
metro/regional networks.
Keywords: transparent optical networks, optical signal processing, cryptography.

1. INTRODUCTION
With the constant need for optical network security to address the vulnerability of high amount of data [1, 2],
cryptographic techniques were pushed to go beyond the electronic domain and implemented on
physical/photonic layer [3-5]. The possibility to encrypt data in optical domain has attracted more attention
recently due to its compatibility with transparent optical networks (TON) where no O-E-O conversions are
implemented. It is also worth to mention that all-optical cryptographic methods were brought not only to replace,
but also to work together with the electronic-based encoding, which potentially increases data security by setting
multiple-barriers for stolen data interpretation [1].
Several techniques applied in optical domain have been presented for encrypting of the optical signal, such as
spectral phase-encoding (SPE) [3] and electro-optical chaos [4]. Chaotic encryption, for instance, is very
challenging as it depends on the synchronization of transmitter and receivers in the presence of transmission
impairments and dynamic effects in an optical link. The SPE approach has shown effective protection on optical
CDMA (OCDMA) channels, but may not be suitable for systems with high number of WDM channels. On the
other side, the encoding of spectrum slices have been a technique showing a high potential for optical encryption
of WDM signals with different modulation formats, [5, 6].
The cryptographic method to be presented here is also based on encoding of spectrum slices the optical signal.
Herewith, we extend our previous analyses [5, 6] by doubling the encoding-decoding stages applied on spectral
slices obtained by optical band-pass filters (OBPFs) having identical 3-dB bandwidths. Encoding is done by
independently applying a precise amount of phase-shift and delay making to each slice, which makes the signal
data meaningless until the signal recovery is applied. The original signal can only be recovered back at the
decoder where phases and delays are brought back to the reference basis. To the best of our knowledge, this is
the first time that double-cyphering scheme is investigated and considered as an effective encryption scheme. To
simulate a realistic scenario, an M-QAM signal with bit rate of 200 Gb/s is transmitted over an optical link with
cascaded optical amplifiers. The integrity of the optical data that undergoes successive encoding and decoding is
verified by bit-error-rate (BER) evaluation, while the effectiveness of the technique is shown on constellation
diagram plots.
This work is organized as follows. In Section 2, we explain the principles of the investigated cyphering
technique and describe two double-encoding schemes. The sensitivity analysis and performance and for the
double-encoding schemes, are shown in Sections 3 and 4, respectively. Finally, conclusions are presented in
Section 5.

2. CYPHERING TECHNIQUE AND DOUBLE-ENCODING SCHEMES

The cryptographic method analysed here is based on the slicing of the optical signal spectrum in n portions at the
encoder (OE). As sketched in the block-diagram of Fig. 1, this task is accomplished by an 1×n optical splitter
where each output port is immediately followed by an OBPF with 3dB bandwidth equal to Boe and central
frequency given by fi = f c + (2i − n − 1) ⋅ Boe / 2 , where i is the slice index and fc is the carrier frequency. After that, an
amount of phase φi and time delay τi is imposed onto each spectrum slices by a delay line and phase-shifter.
Accordingly, the encoding is associated with the following cryptographic key: Ke = {n; φ1, φ2, …, φn; τ1, τ2, …,
τn}. At this point, the slices are multiplexed to compose the original spectrum bandwidth and transmitted through
an optical link to be decoded. At the decoder (OD), which is aware of the OE key, the signal is re-sliced again

978-1-4673-7879-6/15/$31.00 ©2015 IEEE 1

ICTON 2015 Tu.A1.3

(identically as in OE), where each portion i undergoes time delay, τmax - τι, and phase-shift ϕmax – ϕι (where τmax
and ϕmax stand for maximum τi and ϕi of Ke, respectively). A mathematical description for this proposal is
presented in [6].

Figure 1. Block diagrams for the optical encoder and decoder.

The OD reverses the delay to the correct time reference basis and to compensate for the amount of shifted-
phase by knowing in advance the cryptographic key. If the optical signal is detected by eavesdroppers before the
OD, data content cannot be recovered due to spectrum meaningless nature. The effectiveness of the
cryptographic method is shown through BER estimations for pre- and post-encoding or decoding under the
following assumptions: the bit-error-rate (BER) for the encrypted signal, BERe, should be as high as possible and
above the forward error correction (FEC) limit, BERFEC, that can produce error free detection when FEC codes
are applied. On the other hand, the BER for the decoded signal should be below the FEC limit. As, in [6], in this
work we assume that BERFEC = 2×10-3 and that a valid cryptographic key occurs when BERe ≥ 10-1. Generally
speaking, the higher the number of spectral slices, the longer the cryptographic key and the more secure
communication becomes. Therefore, the bandwidth of the OBPFs that generate spectral slices should ideally be
as narrow as possible. A diagram for the transmission of the encrypted signal through a TON lightpath is
sketched in Fig. 2(a), where there is Nl spans of standard single mode fibre (STDF) links of length l followed by
dispersion compensating fibres (DCF) and Erbium doped optical amplifiers (EDFA) applied after each span.
Therefore, the distance between the encoding and decoding end nodes is L = Nl l.
We have investigated two most relevant scenarios. In the first one, two encoding stages are applied at different
segments of a TON lightpath. This situation is illustrated in Fig. 2(b), where signal goes through the following
steps; i) it is cyphered by optical encoder OE1 with key Ke1 at the transmitter side, ii) travels a distance L1,
iii) receives a second key Ke2 by OE2, iv) is propagated by a distance L2, v) is decoded with respect to Ke2 by
decoder OD2, and vi) is propagated by a distance L3(= L – L2 – L3) down to its destination node where a final
decryption, related to Ke1, is performed by OD1. This case could happen when the signal goes through two
network domains, where different security policies are applied in each domain.
In the second scenario, two encoding stages are cascaded in the transmitter side with their slices detuned by
∆f=|fck,2–fck,1|, where fck,1 and fck,2 stand for the central frequencies of k-th slices of the first and second encoders
(OE1 and OE2), respectively. Such detuning effectively leads to generation of narrower spectral slices (larger key
length, increased security) with no need for using of sophisticated and expansive OBPFs with narrower
bandwidths. This case is depicted in Fig. 2(c).

3. SENSITIVITY PERFORMANCE
The analysis presented here is based on encryption/ decryption of 200 Gb/s 16-QAM signal at a frequency
carrier of fc = 193.1 THz, passed through slices of Nyquist optical filter with a roll-off of 0.1. Nevertheless, the
investigated technique could also be applied to signals with other bit rates and modulation formats as in our
previous work [5, 6]. To investigate the sensitivity performance, we initially simulated the single-encoding
L

(a) OE OD

L1 L2 L3

(b)
b) OE1 OE2 OD2 OD1
L

(c)
c) OE1 OE2 OD2 OD1

Figure 2. Block diagrams for (a) single-encoding and double-encoding in (b) different and (c) same
lightpaths nodes.

2
ICTON 2015 Tu.A1.3

Figure 3: (a) Spectrum for the sliced 16-QAM 200 Gbps signal; and (b) its sensitivity performance.
situation illustrated in Fig. 2(a). The input signal is encrypted by the 7-slice key K1= {7; 160°, 140°, 10°, 110°,
70°, 90°, 180°; 50 ps, 35 ps, 20 ps, 40 ps, 30 ps, 40 ps, 10 ps}. The STDF is characterized by attenuation of
0.2 dB/km, chromatic dispersion of 17 ps/(nm·km) at 193.1 THz, a dispersion slope of 0.080 ps/(nm2·km),
a nonlinear parameter of 2.0 (W·km)-1 and l = 70 km. The applied DCF parameters are: attenuation of
0.6 dB/km, chromatic dispersion of -90 ps/(nm·km) at 193.1 THz, dispersion slope of 0.080 ps/(nm2·km), and
length lDCF = 13.2 km. The EDFA gain is set to compensate the losses in the STDF and DCF and has a noise
figure of 4.0 dB. The encoder and decoder OBPFs profiles follow a 5th order Gaussian shape. Figure 3(a) shows
the spectrum for the sliced signal, whereas Fig. 3(b) plots the sensitivity performance for the cases where Nl = 0
(back-to-back configuration) and Nl = 5 (350 km of propagation). As we can see, the BER performance of the
encrypted signal is very similar to the one where no encoding is applied (uncoded signal) for the back-to-back
case, while a ~1-dB penalty is observed after 350 km of signal propagation. It is also noted that good BER
performances require and OSNR of at least 22 dB, and such value is utilized in the remaining of our
investigation.

4. DOUBLE-ENCODING RESULTS
Let us now consider these two cases where signals receive double encodings, starting from the scheme illustrated
in Fig. 2(b). We now have that OE1 and OE2 are separated by L1 = 70 km and keys Ke1 = K1 and Ke2 = {7; 160°,
50°, 130°, 10°, 50°, 160°, 80°; 5 ps, 50 ps, 15 ps, 45 ps, 35 ps, 10 ps, 30 ps} are implemented in a serial manner.
Also, OD2 is placed at distance L2 = 210 km after OE2 and, as in a single encoding scenario, OE1 is located
350 km away from the transmitter. The constellation diagrams for the signals after (a) OE1, (b) OE2, (c) OD1,
and (d) OD2 are presented in Fig. 4. The BERs at the output of OE1 and OE2 are 7.4×10-1, 8.2×10-1, respectively,
and indicate that keys Ka and Kb meet appropriate cyphering strengths; this feature is confirmed by the blurred
constellations seen in Fig. 4(a) and (b). After OD2, BERd becomes 7.5×10-1, which is approximately the same
value obtained at the output of OE1. This result is expected since OD2 removes the encoding impressed by OE2
and lets only the OE1 stage encryption to be turned on. At the output of OD1, BERd = 7.4×10-4 is below our
BERFEC = 2×10-3 limit, indicating a rather good performance for the decoded signal (definite constellation points
of Fig. 4(d)).
Finally, we investigate the case sketched in Fig. 2(c) where two encoders, OE1 and OE2, are in the transmitter
site but their spectral slices are detuned by ∆f = |fck,2 – fck,1|. The receiver site, where both OD1 and OD2 are
placed, is again 350 km apart from the transmitter side. Encryption keys are Ke1 = K1 and Ke2 = {7; 175°,75°,
105°, 180°, 40°, 120°, 125°; 5 ps, 50 ps, 15 ps, 5 ps, 40 ps, 10 ps,30 ps}. A detuning sweep revealed that the

Figure 4. Constellation diagrams for 16-QAM signals after (a) OE1, (b) OE2, (c) OD2,
and (d) OD1 of Fig. 2(b).

3
ICTON 2015 Tu.A1.3

Figure 5: (a) Spectral slices after the detuned encoding stages. Constellation diagrams for 16-QAM signals
after (a) OE1, (b) OE2, (c) OD2, and (d) OD1 of Fig. 2(c).

optimum value ∆f for this situation is ~4 GHz. The resulting 14 spectral slices are presented in Fig. 5(a). The
same figure shows the constellation diagrams for the 200 Gb/s 16-QAM signal after (a) OE1 (b) OE2, (c) OD2,
and (d) OD1. The BERs after each one of these devices are of, respectively, 7.5×10-1, 8.1×10-1, 7.5×10-1, 1×10-3,
which suggest the effectiveness of slice detuning as a simple method for providing narrower spectral slices and
longer cryptographic keys.
Finally, we should note that eavesdroppers need to know the exact decoding parameters of slices that carry
approximately 90% of the signal power, as we explained in the earlier robustness analysis [6]. Due to the
detuning case considered here, the number of spectral slices has increased from 7 to 14. That means that
intruders need now to discover twice many parameters as compared to a single-encoding case (because the
number of spectral slices that contain the aforementioned 90% of signal power also doubles from 5 to 10). Since
the values of τi and ϕi vary continuously, the considered double-encoding scheme drastically enhances
communication security, without requiring the use of OBPFs with narrower bandwidths. We would also like to
outline that transmission of encrypted optical signals still falls within a generic engineering framework analysed
in [7] since it introduces a negative margin that cannot be overcome without proper decryption.

5. CONCLUSIONS
We investigated the application of double-encoding schemes, based on spectrally sliced cyphering keys applied
to 16-QAM with bit rate of 200 Gb/s signals. It was found that two optical encoders located at different nodes
along a given lightpath can be effectively used in metro/regional optical networks. It was also verified that two
optical encoders with a detuning between their spectral slices can be cascaded to double the encryption key
length and to enhance communication security without the need for more sophisticated OBPFs.

ACKNOWLEDGEMENTS
This work is supported by CNPq and FAPESP under grants 574017/2008-9, 08/57857-2, 310644/2011-9, and
311137/2014-8. Authors would like to thank VPIPhotonicsTM for providing academic licenses of the simulation
software tools utilized in this work.

REFERENCES
[1] K. Kitayama et al.: Security in photonic networks: Threats and security enhancement, J. Lightwave
Technol., vol. 29, pp. 3210-3222, Nov. 2011.
[2] M. Medard, D. Marquis, and S.R. Chinn: Attack detection methods for all-optical networks,
in Proc. NDSS 98, San Diego, 1998.
[3] L. Kocarev, S. Lian: Chaos-Based Cryptography, Berlin: Springer, 2011.
[4] J. Goedgebuer et al.: Optical communication with synchronized hyperchaos generated electrooptically,
IEEE Journal of Quantum Electronics, vol. 38, no. 9, pp. 1178-1183, 2002.
[5] M.L.F. Abbade et al.: All-optical phase and delay spectral encoding of signals with advanced modulation
formats, in Proc. ICTON 2014, pp. 1-4, Jun. 2014, paper Tu.B1.4.
[6] M.L.F. Abbade et al.: All-optical cryptography of M-QAM formats based on spectrally sliced encryption
keys, Applied Optics, 2015, to be published.
[7] M. Cvijetic: Optical Transmission Systems Engineering, Artech House, 2003.