soft verification of message authentication codes

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN

0976 – 6464(Print), ISSN 0976 – 6472(Online) Volume 3, Issue 1, January- June (2012), © IAEME

262

SOFT VERIFICATION OF MESSAGE AUTHENTICATION CODES

Natasa Zivic

Institute for Data Communications Systems, University of Siegen

Hoelderlinstrasse 3, 57076 Siegen

Germany

ABSTRACT

The subject of the paper is soft verification of message protected by symmetric

cryptographic check values, i.e. Message Authentication Codes. Soft verification is

introduced as an extension of hard or standard verification, which is usual today in

cryptographic applications. Algorithm for iterative correction of messages protected

by Message Authentication Codes is theoretically analyzed, using probability

theory. Results of the analysis are used for defining the most important parameter

for the correct work of the algorithm – a threshold value. Theoretical analysis is also

used for comparison with results of simulations of the threshold value used in the

algorithm for soft verification. Similar results of the comparison confirm the

theoretical analysis. At the end of the paper simulation results and a considerable

coding gain of corrected messages and their Message Authentication Codes is

shown.

1.1 Soft Verification versus Hard Verification

Standard verification accepts cryptographic check values (CCVs) as correct only if

the received CCV’ equals the cryptographic check value CCV” recalculated from

the received message M’ using the cryptographic check function CCF - see Fig. 1.

Therefore standard verification is sometimes called hard verification [1]. CCF will

be observed, which is a symmetric cryptographic function i.e. Message

Authentication Code (MAC) from Standard [2], [3] or [4]. The result of the

verification is a binary: YES or NO.

INTERNATIONAL JOURNAL OF ELECTRONICS AND

COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

ISSN 0976 – 6464(Print) ISSN 0976 – 6472(Online)

Volume 3, Issue 1, January- June (2012), pp. 262-285

© IAEME: www.iaeme.com/ijecet.html

Journal Impact Factor (2011): 0.8500 (Calculated by GISI)

www.jifactor.com

IJECET

© I A E M E



263

Fig. 1 Standard or Hard Verification

The iterative algorithm which corrects messages protected by their MACs was

published in 2006 under the name Soft Input Verification [5]. It uses standard

(hard) verification after each iteration and therefore it will be called “Soft Input

Hard Verification” in this paper.

This paper extends this hard decision of the verification process to a soft decision

which is called “Soft Verification”. Soft verification is not as strength as hard

verification: it accepts messages as correct if the received CCV’ differs from the

cryptographic check value CCV” recalculated from the received message M’ in few

bits, i.e. not more than dmax bits - see Fig. 2. dmax is the threshold value d defined

before the beginning of the algorithm, i.e. it is the maximal Hamming distance dmax

= HD(CCV’,CCV”) which is allowed. The algorithm based on Soft Input Hard

Verification was published in 2011 [6] and it will be called here “Soft Input Soft

Verification”. It is an iterative algorithm which uses soft verification after each

iteration. Another version of this algorithm which also uses soft verification is

published in [7].

Fig. 2 Soft Verification

The expression “soft“ for soft verification is taken from telecommunications: the

output of the line decoder as well as the output of the channel decoder can be “hard”

and “soft”. Soft output are often used in channel decoding, as for example in Soft

Input Soft Output (SISO) channel decoding [8], which is the base for turbo

decoding [9], or in Soft Output Reed Solomon codes [10][11].

The logic, that cryptographic check sums are accepted, as long as they do not differ

much from the given reference, can be compared to the handwritten signatures:



264

although the handwritten signature is every time different, it is accepted as long as it

does not differ to much from the reference signature.

1.2 Soft Input Soft Verification

The subject of this and next chapters are messages whose data integrity and

authenticity are ensured with a help of MACs. The algorithm works for symmetric

CCVs, but not for asymmetric cryptographic process, as the sender and the receiver

use different keys.

The algorithm of Soft Input Soft Verification [6] is based on the avalanche effect of

cryptographic functions [12][13]: if only one bit of the message is changed, every

output bit of the CCV changes with the probability of 0.5. That means that

avalanche effect causes the change of 50% of bits of the CCV in average. The same

applies to another number of changed bits of the message, whereby the avalanche

effect is not so obvious anymore.

The probability Pd, that d bits of CCV of the length n change, if the message M

changes and assuming that the probabilities of appearing of 0 and 1 in the message

are 0.5, is equal nd

n

2

1

(Bernoulli distribution). This probability is shown in Fig. 3

for different length n. Fig. 4 presents behavior of the probability Pd logarithmically

in order to show Pd by very small rsp. very high d (0 ≤ d ≤ n).

At the same time, it is not important how many bits of the message change. The

probability, that after one change of the message only few bits of the CCV change,

is very low. Therefore it can be claimed with the high probability, that the message

is correct and that only the CCV is disturbed during the transmission, if CCV’ and

CCV” differ in just a few bits. The difference (Hamming distance) between CCV’

and CCV” is then equal to the bit error rate after the transmission (and decoding, if

used).



265

Fig. 3 Pd in dependence on d for a) n = 128, b) n = 160, c) n = 192, d) n = 224

Fig. 4 Logarithmical dependence of Pd on d for

a) n = 128, b) n = 160, c) n = 192, d) n = 224

The algorithm of Soft Input Soft Verification works similar to the algorithm of Soft

Input Hard Verification: reliability values (or L-values) of the SISO channel

decoder are used as input to the verification, and the bits with the lowest absolute L-

values are inverted until the correct message is found, or the maximal number of

iterations is reached. But there are two crucial differences between these two

algorithms.

1. difference: the algorithm of Soft Input Hard Verification stops, if the hard

verification is successful, which means that both CCVs are equal (Hard Decision)

and the resulting message is announced correct; the algorithm of Soft Input Soft

Verification stops if both CCVs differ in only few bits, whereby the condition



266

HD(CCV’, CCV”) ≤ dmax has to be fulfilled (Soft Decision) and the resulting

message is announced correct.

As the consequence, messages can be accepted by the algorithm of Soft Input Soft

Verification, which would be rejected by the algorithm of Soft Input Hard

Verification.

2. difference: bit inversion within the algorithm of Soft Input Hard Verification is

applied to the bits of the message M’ and the received CCV’; in the algorithm of

Soft Input Soft Verification bit inversion is applied only to the bits of the received

M’ (and not on the bits of CCV’).

As the consequence, lower number of iterations is expected by the algorithm of Soft

Input Soft Verification, as only bits of the received message are inverted.

The algorithm of Soft Input Soft Verification [6] is shown in Fig. 5.

Fig. 5 Algorithm of Soft Input Soft Verification

Following four cases are possible after M‘ and CCV‘ are received and SISO

decoded:

1. Message M’ is not disturbed; CCV’ is not disturbed

2. Message M’ is disturbed, CCV’ is disturbed

3. Message M’ is disturbed, CCV’ is not disturbed

4. Message M’ is not disturbed, CCV’ is disturbed

Case 1: In this case the verification results in d = HD(CCV’,CCV”) = 0.

Case 2: If both M’ and CCV’ are disturbed, the recalculated CCV” differs from the

received CCV’ with the high probability in a high number of bits (plus/minus

erroneous bits of CCV’ caused by noisy transmission, which do not change the

statistics of Hamming distance HD(CCV’, CCV”)).



267

Case 3: If M’ is disturbed and CCV’ not, there is a high probability that CCV’ and

CCV” differ in a big number of bits (see Fig. 3).

Case 4: If M’ is not disturbed and CCV’ disturbed, the Hamming distance

d = HD(CCV’,CCV”) corresponds to the number of disturbed bits of CCV’. The

probability that only the bits from CCV’ are disturbed can be easily calculated.

It can be concluded that the Hamming distance d = HD(CCV’,CCV”) equals 0 or it

is very low, if the message is not disturbed. Vice versa, if the message is not the

original one, the Hamming distance is in average n/2 (see Fig. 3).

The algorithm of Soft Input Soft Verification has an advantage over the algorithm

of Soft Input Hard Verification: bit inversion iterations are limited only on

messages (the algorithm of Soft Input Hard Verification iteratively corrects

messages and CCVs). Consequently the correcting rate is higher and the iteration

process is faster.

In the step “Flipping of bits of M’ ” another combination of bits is inverted in every

iteration, depending on the strategy of bit inverting [14], which defines the schedule

of inversion of the bits with lowest |L|-values.

The following text explains the reasons why the algorithm of Soft Input Soft

Verification cannot be applied on digital signatures. If the received CCV is a digital

signature, the hash value of the original message can be extracted using the public

key of the sender, in case that the digital signature has not be disturbed or

manipulated during the transmission. Otherwise, the extracted hash value differs in

average in 50% of bits from the hash value recalculated from the received message.

Therefore is the hash value not suitable as the reference value for soft verification.

Digital signature is disturbed only in bit positions which were exposed to the noise

during the transmission. Therefore digital signatures could be taken as reference and

compared to the signatures, which are recalculated from the messages got after bit

flipping in every iteration. But it would be necessary that the receiver can create

digital signatures! This is unfortunately impossible, as the receiver posses only the

public key and not the private key.

For that reason hash values can be used as references only in cases that digital

signatures are non disturbed. Because of the low probability that digital signatures

are non disturbed, the algorithm of Soft Input Soft Verification cannot be applied on

digital signatures.

1.3 Calculation of the maximal Hamming Distance

1.3.1 Probability Distribution Function of Hamming Distance

On threshold dmax depends which CCVs will be accepted and how high is the

probability of miscorrection. To calculate dmax, it is necessary first to know the Bit

Error Rate (BER) before applying the algorithm of Soft Input Soft Verification, i.e.



268

after channel decoder. BER, error spreading and error distribution depend on

channel encoder and decoder and therefore the behavior of BER cannot be generally

described. In following, the model will be considered, where each output bit of the

SISO channel decoder is random and independent on other output bits. Then,

occurrence and distribution of bit and word errors can be described using the BER

after SISO channel decoding.

The probability distribution function pdf1(d), that d bits of CCV‘ of the length n are

disturbed, has the binomial or Bernoulli distribution B(n, BER) [6]:

( ) ndBERBERd

ndpdf

dnd≤≤−⋅

=

−0 ,1)(1 (1)

Fig. 6 shows pdf1(d) for different lengths of n.

Fig. 7 shows logarithmically pdf1(d) for different BER, in order to present the

behavior of pdf1(d) also for high values d.

Fig. 6 pdf1 (d) by BER = 0.01 for a) n = 128, b) n = 160, c) n = 192, d) n = 224



269

Fig. 7 pdf1 (d) for n = 160 by a) BER = 0.001, b) BER = 0.01, c) BER = 0.1

Here will be considered the probability that two CCVs differ in d bits. The

calculation of the cryptographic checksumm behaves as an oracle, which assigns a

random value to each input value, i.e. the probabilty of each output bit is 1/2. The

Hamming distrance has in that case a probabilty distribution function pdf1(d) which

is the binary or Bernoulli distribution with BER = 0.5, i.e. B(n, 0.5):

ndd

ndpdf

n≤≤⋅

= 0 ,

2

1)(2 . (2)

Simply explained, pdf2(d) is the probability distribution function of the Hamming

distance between two CCVs of two different messages. pdf1(d) is presented in Fig. 3

and Fig. 4 for different parameters of n and BER (observed as the probability Pd).

pdf1(d) and pdf2(d) differ mostly in the fact, that in case of pdf1(d) when the

message is not disturbed, every bit of CCV after transmission is changed „only‘‘

with the probability of BER which is between 10-1

and 10-9

, and in case of pdf2(d)

(when the message is disturbed), every bit value in CCV has the probability of 0.5,

i.e. it is randomly disturbed.

The total probability of d is given by equation (3) and shown in Fig. 8 for n = m =

160 and BER = 0.01.

)()()( 21_ dpdfPdpdfPdpdf DISTURBEDDISTURBEDNOT ⋅+⋅=

(3)



270

pdf

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100

Fig. 8 Regions of d in case of not disturbed (left) and disturbed (right) message M’

for n = m =160 and BER = 0.01

Two regions are clearly separated: the left one, for case of not disturbed messages,

and the right one, for case of disturbed messages. It can be seen in fig. 8 that pdf2(d)

is very low for a wide range of values of d between these two regions (like in Fig. 9

logarithmically shown). That means, that the threshold value dmax can be found in

the area between.

Fig. 9 Logarithmic presentation of regions of d in case of not disturbed (left) and

disturbed (right) message M’ for n = m =160 and BER = 0.01

Following figures show regions of disturbed and not disturbed messages for

different lengths of n and m (n + m = 320) for BER = 0.01.

pdf

1E-22

1E-20

1E-18

1E-16

1E-14

1E-12

1E-10

1E-8

1E-6

1E-4

1E-2

1E+0

0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80



271

pdf

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100


for n = 128, m = 192 and BER = 0.01


for n = 192, m = 128 and BER = 0.01



272


for n = 224, m = 96 and BER = 0.01

Following figures show regions of disturbed and not disturbed messages for

different BER and n = 160.

pdf

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100


for n = 160 and BER = 0.001



273

pdf

0

0.02

0.04

0.06

0.08

0.1

0.12

0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100


for n = 160 and BER = 0.1

1.3.2 Analysis of Hamming Distance and Threshold

This chapter analyzes the verification after receiving the message M’ (before the

iterations start) and the probability Pdi for four different cases (i = 1,...,4) of soft

verification.

1. Message M’ is not disturbed and HD(CCV’, CCV’’) ≤ dmax – the probabilty

of this event is Pd1

2. Message M’ is disturbed and HD(CCV’, CCV’’) > dmax – the probabilty of

this event is Pd2

3. Message M’ is disturbed and HD(CCV’, CCV’’) ≤ dmax – the probability of

this event is Pd3

4. Message M’ is not disturbed and HD(CCV’, CCV’’) > dmax – the probability

of this event is Pd4.

The same analysis applies to the case with iterations (M’’ instead M’) [15].

The probabilty Pd1, that the message M’ of the length of m bits is not disturbed after

transmission, and that CCV (with length of n bits) has not more than dmax errors,

equals to:

inid

i

DISTURBEDNOTd BERBERi

nPP

−

=

−

= ∑ )1(

max

0

_1 (4)

and:

( )m

DISTURBEDNOT BERP −= 1_ (5)

This is the probabilty that the message is actualy correct, also if the Hamming

Distance is non-zero: 0 < HD(CCV’, CCV’’) ≤ dmax .

The probabilty Pd2, that the message M’ is disturbed after transmission and

HD(CCV’, CCV’’) > dmax, equals:



274

∑+=

=

n

dinDISTURBEDd

i

nPP

1

2

max2

1

(6)

where:

( )m

DISTURBED BERP −−= 11

(7)

The probability Pd3, that the message is disturbed and that CCV’ and CCV” differ in

less than dmax bits equals:

n

d

i

DISTURBEDdi

nPP

2

1max

03

= ∑

=

(8)

Pd3 is the probability, that the disturbed message is not recognized by the algorithm

of Soft Input Soft Verification, rather it will be announced correct. Therefore this

probability is called the probability of miscorrection.

The last case applies to the probability Pd4, that the message is not disturbed and

CCV’ has more than dmax errors:

inin

di

DISTURBEDNOTd BERBERi

nPP −

+=

−

= ∑ )1(

1

_4

max

(9)

Pd4 is the probability that the message is not disturbed, but it is not recognized from

the algorithm of Soft Input Soft Verification as correct, because the CCV’ is much

damaged. Therefore this probability is called the probability of non detection.

The total probability is the sum of all probabilities Pdi (i = 1, …,4) and equals 1.

The system designer can decide how secure the system should be, i.e. how high the

probability of false decision should be. If high security is wanted, i.e. as low level

of miscorrections as possible, it has to be taken into account that successful

correction also won’t be accepted if CCV’ is strong disturbed. If no high security is

needed, the probability increases, that the disturbed message is accepted as a correct

one. In such a way the system designer chooses and fixes his strategy depending on

dmax. There are several criteria how to choose dmax:

1. dmax is the cross point of curves of miscorrection probability Pd3 and non detection

probability Pd4.



275

Fig. 15 Cross point of probabilities of miscorrection Pd3 and non detection Pd4

for n = 160 and BER = 0.01

2. dmax is the minimal value of the sum of probabilities of miscorrection and non

detection:

Fig. 16 Minimum of the sum of probabilities of miscorrection Pd3 and non

detection Pd4 for n = 160 and BER = 0.01

3. dmax is any value dmax є [dmax_low, dmax_high], whereby dmax_low and dmax_high are

calculated depending on the probabilities of miscorrection and non detection.

The upper bound for the probability of non detection has to be defined as Pd4 < 110

k− (for the chosen integer k1) and dmax_low is defined as:

dmax_low = max (d | Pd4 < 110k− ) (10)

The lower bound for the probability of miscorrection has to be defined as Pd3 < 210

k− (for the chosen integer k2) and dmax_high is defined as:

dmax_high = min (d | Pd3 < 210k− ) (11)

Note: k1 and k2 have to be chosen so that: dmax_low < dmax_high.

For dmax = dmax_low, is the condition Pd3 < 210k− fulfilled.

Meaning of dmax_low

The system designer knows the channel behavior and the expectation of the number

of erroneous bits of CCV. Value of k1 defines the upper bound, and the upper bound

defines how many „erroneous bits“ can be accepted.

Meaning of dmax_high



276

With the choice of k2 the lower bound of the number of different bits is defined,

above which CCVs are announced as incorrect.

For example, if k1 = k2 = 6, it can be seen (Fig. 17) in which area dmax has to be

chosen.

d

Fig. 17 dmax_low and dmax_high for BER = 0.01, n = m = 160 and k1 = k2 = 6

Table 1 shows dmax_low for different BER after SISO channel decoding, which are

result of simulation using following parameters: 1/2 channel encoder (7, 5), Eb/N0

calculated from S/N of the AWGN channel after BPSK line modulation and a SISO

channel decoder using MAP decoding algorithm [16]. dmax_low is calculated using

equation (10) for k1 = 4 and presented for different lengths of a message M and

CCV, whereby the total length of M and CCV is fixed to 320 bits.

Table 2 shows dmax_low for different Eb/N0 and different k1, whereby the length of the

message and of the CCV are equal 160 bits.

Table 3 shows dmax_hgih which is calculated using equation (11) for k2 = 4 and

presented for different lengths of a message M and CCV, whereby the total length

of M and CCV is fixed to 320 bits.

Table 4 shows dmax_hgih for different Eb/N0 and different k2, whereby the length of

the message and of the CCV are equal 160 bits.



277

Table 1 dmax_low for different Eb/N0 and n (n + m = 320) and k1 = 4

Eb/N0

[dB] BER

dmax_low

(n = 128)

dmax_low

(n = 160)

dmax_low

(n= 192)

dmax_low

(n= 224)

1 0.036 8 10 14 16

1.5 0.0234 8 10 12 14

2 0.0149 8 9 10 11

2.5 0.00681 6 7 8 8

3 0.00376 5 6 6 7

3.5 0.00142 4 4 5 5

4 0.00037 3 3 3 3

4.5 0.00024 3 3 3 3

5 0.00012 3 3 3 3

Table 2 dmax_low for different k1 and Eb/N0 , and n = m = 160

Eb/N0

[dB] BER

dmax_low

(k1= 3)

dmax_low

(k1 = 4)

dmax_low

(k1 = 5)

dmax_low

(k1=6)

dmax_low

(k1 = 7)

dmax_low

(k1 = 8)

dmax_low

(k1 = 9)

dmax_low

(k1 = 10)

1 0.036 9 10 13 16 18 20 21 23

1.5 0.0234 8 10 12 14 16 17 18 20

2 0.0149 7 9 11 12 13 15 16 17

2.5 0.00681 6 7 8 9 10 11 12 13

3 0.00376 5 6 7 8 9 9 10 11

3.5 0.00142 4 4 4 5 6 7 7 8

4 0.00037 3 3 4 4 5 5 6 6

4.5 0.00024 2 3 3 4 4 5 5 6

5 0.00012 2 3 3 4 4 4 5 5

Table 3 dmax_high for different Eb/N0 and n (n + m = 320) and k2 = 4

Eb/N0

[dB] BER

dmax_high

(n = 128)

dmax_high

(n = 160)

dmax_high

(n= 192)

dmax_high

(n= 224)

1 0.036 43 57 71 82

1.5 0.0234 43 57 71 82

2 0.0149 43 57 71 82

2.5 0.00681 44 58 72 83

3 0.00376 44 58 73 84

3.5 0.00142 45 60 75 86

4 0.00037 48 63 78 89

4.5 0.00024 49 64 79 91

5 0.00012 50 65 81 93



278

Table 4 dmax_high for different k2 and Eb/N0 and n = m = 160

Eb/N0

[dB] BER

dmax_high

(k2 = 3)

dmax_high

(k2 = 4)

dmax_high

(k2 = 5)

dmax_high

(k2 = 6)

dmax_high

(k2 = 7)

dmax_high

(k2 = 8)

dmax_high

(k2 = 9)

dmax_high

(k2 = 10)

1 0.036 61 57 53 50 47 45 42 40

1.5 0.0234 61 57 53 50 47 45 42 40

2 0.0149 62 57 53 50 47 45 42 40

2.5 0.00681 62 58 54 51 48 45 43 41

3 0.00376 63 58 54 51 48 45 43 41

3.5 0.00142 65 60 56 52 49 46 44 42

4 0.00037 69 63 58 54 51 48 45 43

4.5 0.00024 71 64 59 55 51 48 46 43

5 0.00012 76 65 60 56 52 49 46 44

Tables 1–4 show the huge distance between dmax_low and dmax_high.

1.3.3 Simulations for estimating the threshold value

The theoretical values of dmax_low and dmax_high, from Tables 1–4, which were

calculated on the basis of probability, will be compared with results of simulations

in this chapter. The same simulation parameter are used, as explained in chapter

1.3.2 for finding of BER for Tables 1-4. The case of equal lengths of M and CCV

will be simulated: n = m = 160.

The algorithm of Soft Input Soft Verification is modified for simulations in such a

way that the receiver knows the original message M with the correct CCV. In this

way the receiver can check eventually if the received or corrected message is

wrongly verified (miscorrection) or perhaps the correct message is not accepted

(non detection). The Hamming Distance d = HD(CCV’, CCV”) is calculated after

each iteration and saved for statistic purposes. The iterative process is continued

until the corrected message equals to the sent one, or until the maximal number of

216

iterations is reached.

After every iteration and calculation of the Hamming Distance d, the calculated

value is added to set D1 (when M is equal to the original one) or to set D2 (when M

is not equal to the original one):

)}"'(),",'(|{1 MMMMCCVCCVHDddD =∨=== (12)

)}"'(),",'(|{2 MMMMCCVCCVHDddD ≠∧≠== (13)

As dmax_low and dmax_high the following values are chosen for i = 1,…,5 dB:

}/|{max)( 0max_1

iNEdid bD

low == (14)

}/|{min)( 0max_2

iNEdid bD

high == (15)

dmax_low(i) is for i dB after 50 000 simulations for each value of Eb/N0 the highest

Hamming Distance, in case that the message was correct received or corrected



279

during iterations. dmax_low corresponds to the maximal number of erroneous bits of

CCV for the case of a correct message.

dmax_high(i) is, after 50 000 simulations for each value of Eb/N0, the lowest Hamming

Distance, in case of an incorrect message.

Fig. 18 Simulations of Soft Input Soft Verification for calculation of

dmax_low and dmax_high

Fig. 19 shows dmax_low and dmax_high for Eb/N0 = i, i = 1,…,5 [dB].

Fig. 19 Results of simulations for a) dmax_low and b) dmax_high



280

Results of simulations show, that Hamming Distance d = HD (CCV’, CCV”) after

50 000 simulations per Eb/N0 was always higher than dmax_high, in case of disturbed

received or non corrected message, as well as it was always lower than dmax_low, in

case of not disturbed or corrected message. The Hamming Distance has never been

in the aera between dmax_high and dmax_low. The left and the right region are again

clearly separated from each other.

These values are results of 50 000 simulations per Eb/N0. If the number of

simulations increases even more , dmax_high and dmax_low could, depending on

probabilties functions for dmax , come close to each other and even overlap.

At the and of this chapter, simulation results will be compared with the theoretical

results from Table 1 for m = n = 160. This comparison shows that results of

simulations fit very well the results of equations of the probabilty theory. In Fig. 20

it can be seen that theoretical and simulation results differ in maximal 1 bit and in

Fig. 21 that they differ in maximal 2 bits.

Fig. 20 dmax_low for n = m = 160: a) after simulations and b) using Table 1 for k1 = 4

Fig. 21 dmax_high for n = m = 160: a) after simulations and b) using Table 3 for k2 = 4



281

6.4 Verification Gain

Simulations are performed for different lengths of the message and CCV, whereby

their total length is fixed on 320 bits. The CCV was calculated using the hash

function RIPEMD-160, initialized with the key K of the length of 160 bits. A new

message is randomly generated in every simulation. The same simulation

parameters as in previous chapters are used. The algorithm of Soft Input Soft

Verification was simulated, as presented in Fig. 5.

For each point of the curves presented in figures 22–26, a total of 50 000

simulations is performed. Maximal number of iterations was 216

, i.e. maximal 16

bits with the lowest absolute L-values are flipped. The Cryptographic Check Error

Rate (CCER) is defined as:

CCVssentofnumber

CCVserroniousofnumberCCER

=

(16)

Fig. 22 CCER for n = 128, m = 192 and dmax = 1kd for k1 = 4

a) Hard Input Hard Verification

b) Soft Input Hard Verification

c) Soft Input Soft Verification

Simulation results in Fig. 22 show coding gain of Soft Input Hard Verification of

maximal 1.8 dB compared to Hard Input Hard Verification (see results from [6])

and coding gain of Soft Input Soft Verification of maximal 2.5 dB compared to

Hard Input Hard Verification. The additional coding gain of Soft Input Soft

Verification of maximal 0.7 dB compared to Soft Input Hard Verification is caused

by different steps of bit flipping: for the same number of iterations only bits of the

message are flipped using the algorithm of Soft Input Soft Verification and bits of

the message and CCV using the algorithm of Soft Input Hard Verification.

The lowest coding gain is by the lowest Eb/N0, because the number of erroneous bits

is too high for the defined number of iterations. Therefore only few messages can be

corrected.



282

Simulation results in Fig. 23 show the same coding gain of Soft Input Hard

Verification compared to Hard Input Hard Verification, because the total length of

the message and CCV is the same: 320 Bit. Coding gain of Soft Input Soft

Verification compared to Hard Input Hard Verification is maximal 0.55 dB. The

additional coding gain is lower than in Fig. 22, because of the longer message in

case of Fig. 23.

Fig. 23 CCER for n = 160, m = 160 and dmax =

1kd for k1 = 4




Fig. 24 CCER for n = 192, m = 128 and dmax =

1kd for k1 = 4






283

Simulation results in Fig. 24 show again the same coding gain of Soft Input Hard

Verification compared to Hard Input Hard Verification, because the total length of

the message and CCV is the same (320 Bit). Coding gain of Soft Input Soft

Verification compared to Hard Input Hard Verification is maximal 0.5 dB. The

additional coding gain is lower than in Fig. 23, because of the longer message in

case of Fig. 24.

Fig. 25 CCER for n = 224, m = 96 und dmax =

1kd for k1 = 4




Simulation results of Soft Input Hard Verification in Fig. 25 are the same as in Fig.

22-24. Coding gain of Soft Input Soft Verification compared to Hard Input Hard

Verification now only maximal 0.4 dB, because of the longest message length.

CONCLUSION

Using Soft Input Soft Verification, cryptographic check values (MAC) can be used

for the correction of messages modified due to the channel noise. The Hamming

distance of the received MAC and the MAC of the corrected message corresponds

then to the bit error rate after SISO channel decoding. The range of values of the

decision threshold in the verification process has been determined under

consideration of the risk of non detection on one hand, and of miscorrection on the

other hand. Simulations show that a significant coding gain can be achieved by the

use of the Soft Input Soft Verification algorithm.



284

REFERENCES

1. C. G. Boncelet .Jr (2006), “The NTMAC for Authentication of Noisy

Messages”, IEEE Trans. On Information Forensics and Security, vol.1, no.1

2. ISO/IEC 9797-1 (2011), Information technology -- Security techniques --

Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block

cipher


Message Authentication Codes (MACs) -- Part 2: Mechanisms using a

dedicated hash-function


Message Authentication Codes (MACs) -- Part 3: Mechanisms using a

universal hash-function

5. Ruland .C and Zivic .N (2006), “Soft Input Decryption”, 4th

Turbocode

Conference, 6th

Source and Channel Code Conference, VDE/IEEE, April 3-

7, Munich, Germany

6. Zivic .N (2011), “Soft correction and verification of the messages protected

by cryptographic check values”, Conference on Information Sciences and

Systems (CISS 2011), Baltimore, USA

7. Zivic .N and Flanagan .M (2012), “On Joint Cryptographic Verification and

Channel Decoding via the Maximum Likelihood Criterion”, IEEE

Communication Letters, vol. PP, issue 99

8. Kabatiansky .G, Krouk .E, Semenov .S (2005), “Error Correcting Coding and

Security for Data Networks, Analysis of the Superchannel Concept”, John

Wily and Sons

9. Berrou .C, Glavieux .A, Thitimajshima .P (1993): Near Shannon Limit Error

Correcting Coding and Decoding: Turbo Codes, Proc. IEEE International

Conference on Communication, vol. 2/3, pp. 1064-1070, Geneva,

Switzerland

10. Kötter .R and Vardy .A (2002), “Soft Decoding of Reed Solomon Codes and

Optimal Weight Assignements”, 4-th International ITG Conference on

Source and Channel Coding, Berlin, Germany

11. Ponnampalam .V and Vucetic .B (1999), “Soft decision decoding of Reed-

Solomon codes”, Proc. 13th

Symp. Applied Algebra, Algebraic Algorithms

and Error-Correcting Codes, Honolulu, USA

12. Hays .H.M. and Tavares .S..E. (1995), “Avalanche characteristics of

Substitution – Permutation Encryption Networks”, IEEE Trans. On

Computers, Vol. 44, Nr. 9

13. Forre .R (1990), “The Strict Avalanche Criterion: Spectral Properties of

Boolean Functions and an Extended Definition”, Advances in Cryptology,



285

Crypto '88, Lecture Notes in Computer Science, vol. 403, pp.450-468,

Springer Verlag Berlin Heilderberg

14. Zivic .N (2008), “Joint Channel Coding and Cryptography”, Shaker Verlag,

Aachen

15. Zivic .N (2012); “Iterative method for correction of messages protected by

symmetric cryptographic check values”, International Conference on

Information netwprking (ICOIN), Bali, Indonesia

16. Bahl .L, Cocke. J, Jelinek .F, Raviv .J (1974), “Optimal decoding of linear

codes for minimizing symbol error rate”, IEEE Transactions on Information

Theory, IT-20, pp. 284-287

soft verification of message authentication codes

Documents