Cryptographic CDMA Code Hopping (CH-CDMA) for Signal Security and Anti-Jamming

Cryptographic CDMA code hopping (CH-CDMA) for signal security and anti-jamming

Frank Hermanns

Deutsches Zentrum fur¨ Luft- und Raumfahrt (DLR), German Aerospace Center Institute for Communications and Navigation, D-82234 Weßling, Germany and University of Armed Forces, Neubiberg b. Munchen,¨ Institute of Information Technology Email: [email protected]

INTRODUCTION Today, military and commercial Spread Spectrum and CDMA transmission systems argue with security on the physical layer based on the secrecy of the seed values of static secure (and insecure) pseudorandom noise generators (PRNG). This should prevent eavesdropping and jamming [1, 2]. Confidentiality, data integrity and authenticity are usually realized in higher protocol layers [3]. Nevertheless, physical layer security is a valuable component of a high-end system security. Relying on one security layer alone is dangerous, because vulnerabilities are constantly discovered, compromising the overall system security (GSM, WLAN ...) [4]. With additional physical layer security measures, attacks on the upper security layers will be much more difficult. Furthermore, some security elements can only be realized on the physical layer (anti-jamming and low-detectability). Especially CDMA systems have a great potential to evolve their security strength with modifications proposed in this paper. According to [5], conventional LFSR long spreading-code generators are highly vulnerable (m-sequence linear feedback shift registers). The hidden 42 bit LFSR mask value of IS-95 can be reconstructed just by eavesdropping about 1 second of traffic. Better nonlinear generators (NLFG) are threatened by conditional correlation attacks [6]. Even when using highly secure PRNG based on good cryptographic generators, one could steal a communication device, read out the PRNG seed values and thus compromise the system security. Knowing the PRNG seed value, all the spreading factor security gain is lost. The attacker then can decode the signal just as the legitimate user. Jamming is most effective, if the attacker can exactly imitate the CDMA signal of a legitimate user. Far less jamming power is needed then, compared to broadband jamming, the classical brute-force alternative. On the other side, repeat-back and partial band jamming is not very effective for spread spectrum with long scrambling codes. This paper proposes a new approach with dynamic spread spectrum sequences. These are not completely dependent on deterministic pseudorandom sequences any more, but are fed by true random generators as entropy sources. The following section presents the idea of the new code-hopping principle. One possible system architecture is designed and system properties are discussed. A simulation system is under construction to demonstrate the feasibility of this approach.

FROM STATIC TO DYNAMIC SPREADING CODES, THE CODE-HOPPING PRINCIPLE The idea of code-hopping is to periodically feed the PRNG CDMA chip sequence generators with seed values from true random (entropy) sources. So, the spreading ”code” (the generated sequence) is changing in certain intervals. The ”code” hops from one instance to another when taking its seed value as the main characteristic and individual property. The underlying hardware or algorithm is of course constant, but securely parameterized by the seed value. This is only possible when using a hybrid cryptosystem in combination with a higher protocol layer. Asymmetric crypto algorithms are capable of synchronizing these true random sources between the distant communication partners. The resulting spreading code sequences therefore are highly non-deterministic for outside parties. Additional digital signatures can be introduced against man-in-the-middle attacks. But this man-in-the-middle would anyway have a hard job to break into the unknown spreading code sequence. If he would succeed after some cryptanalysis, the next hopping cycle would come very fast and give him a black-out again. The difference between static and dynamic SS/CDMA systems is shown in Fig. 1. Static spread spectrum methods are based on different orthogonalities in time, frequency and code domains (Fig.1(a)). They employ different code, pulse position or frequency hop patterns. Even synchronized chaotic systems are proposed to generate non-deterministic spread spectrum waveforms [7, 8], but they inherit some severe disadvantages concerning noise immunity [9] and cryptographic quality [10]. Although their non-deterministic waveform looks very dynamic, the security property is realized by individual and static parameter settings. The Figures 1(b) and 1(c) show, how the code space of static and dynamic seed values (a) Conventional static SS/CDMA systems (b) Static SS/CDMA systems (DS/FH/TH-CDMA,CSK,CPPM...) employ pseudo-random sequences, but leave their seed values constant

Figure 1: Static and dynamic SS/CDMA codes differ in time. With n bits of seed value, a code spans a space of 2n instances. The probability of accidental collisions (short interruption of communications) is reasonable small for standard seed sizes, e.g. 128 Bit as AES key. Using CH-CDMA with the basic FH-CDMA frequency hopping scheme, we can see hopping patterns in hierarchical layers. The frequency hopping pattern is done with the highest hopping frequency, somehow related to the chip frequency. On the top, there is a code hopping scheme in the seed value (1(c)) of the generator that creates the frequency hopping pattern. This parametric hopping is operating at a relatively low frequency, covering several communication bursts between the partners. Another possibility is a hybrid code-frequency-hopping named DS-FH-CH-CDMA (Fig.1(d)). The 2n possible seed values of the DS-code together with the 2m possible FH code generator seed values span a 2-dimensional code space of size 2nm over the time. All those states are determined by true random generators, which makes it practically impossible for attackers to follow the state transitions. Every random point in this 2-dimensional code space realizes individual pseudo-random spreading codes. On the top of this physical layer security system, conventional end-to-end encryption systems can be used for perfect multi-layer protection. They cover different aspects of security. The purpose of physical layer protection is to hide the signal itself and make it resistant against jamming. End-to-end security protocols guarantee the secrecy between the distant communication partners even over relay hops and ensure their data integrity. Furthermore, the physical layer security will make attacks on the end-to-end cryptosystem much harder as it hides the cipher text in addition to the plain text. Active attacks are prevented by denying access to the correct spreading code. Drawbacks of this approach are performance and synchronization issues. Cryptographic secure PRNG generators are more complex and more limited in bandwidth than conventional LFSR generators. The efﬁciency on the transmission channel itself will not suffer, because randomness parameters of cryptographic secure sequences are in general better than Figure 2: CH-CDMA System Architecture those of simple LFSR sequences. The main challenge here is to keep the cryptographic synchronization of the spreading code sequences on sender and receiver side.

SYSTEM ARCHITECTURE Hardware Architecture The idea of code-hopping can be realized in many ways. This paper will present a general system design. The hardware architecture of Fig. 2 is organized in cryptographic modules and traditional elements of digital communication designs. Every communication partner needs a separate and independent true random source for the secret variables a/b (Fig.2:3,4). These entropy sources are crucial for the system security, e.g. realized with thermal Johnson noise [11]. The true random sequences then provide seed for the secure pseudorandom chip sequence generators ”SYM PRNG” (Fig.2:5,6,19,20). As an example, Fig. 3 shows a SYM PRNG constructed from a secure symmetrical algorithm like the AES block cipher [12, 13] in an output-feedback (OFB) circuit. It actually takes 2 input parameters, the cryptographic key k and the initialization vector IV, both practically non-invertible one-way functions. For the sequence to start, the IV can be derived from the key k by a hash function (Fig.3:6). Later, the IV can be set to a certain value to start in the middle of a sequence or just used as an alternative parameterization input. The performance requirements for SYM PRNG are extremely high, because the generated binary stream has the CDMA chip rate. One of the advantages of the AES winner algorithm Rijndael was its capabilities for hardware-optimization. So, there are VHDL/RTL/EDIF designs available for ASIC and FPGA implementations with AES-128 bandwidths up to 4.64 GBit/s with 36.8 Kgates [14]. Higher rates can be achieved by pipelined designs. Applications from narrowband up to broadband are possible with this hardware, although extreme high data rates are not very common on secure wireless channels. The cryptographic strength of AES is high enough that, up to now, nobody claims to have a practical way of breaking AES better than the exhaustive search in the 2n key space. Theoretical algebraic attacks (F/XL) are proposed, that would revolutionize cryptanalysis on block ciphers in general, but in practice they failed on Rijndael/AES. The discussion is still going on [15] and cryptanalysis is constantly developing. In any case, if a symmetric algorithm gets compromised, the code-hopping system can replace SYM PRNG quite easily by a new algorithm. In FPGA implementations it requires just a new structure upload. Of course the terminals should be protected against using the FPGA upload interface to compromise the algorithm implementation itself (by replacing AES with a less secure one). In this architecture, the random values a/b cannot be used directly as parameters for the spreading code generators, because the transmitter code has to be synchronized with the receiver code. If not synchronized, the receiver can neither detect nor decode the signal. That is the main security attribute against third parties. To beneﬁt from the entropy sources, cryptographic synchronization with asymmetric algorithms (like Difﬁe-Hellmann, DH) is applied here [16]. So, only the two involved communication parties share the common secret PRNG seed values. Figure 4: Possible CH-CDMA burst frame structure

Base parameters of a DH system are a public number g ∈ N 1

∈ SYM PRNG 5 and a public Prime p N. Now, every partner A/B produces 2 ∈ α ≡ a optional n bit feedback a random value a,b N. The public keys g (modp) and IV input 8 IV In: n bit OFB: Output- β ≡ b register state Feedback g (modp) are transmitted to their counterparts. Each of 6 a b a hash SYM example: them can then compute the common secret key k ≡ β ≡ (g ) ≡ 3 k key AES algorithm gba ≡ (ga)b ≡ αb(modp), used now as the SYM PRNG seed seed with n = 128 Bit SYM (AES-128) value. Note that k will never be transmitted on the channel. It 9 α β can only be computed locally with the public values / and the bit stream Out: n bit 4 secrets a or b. With large enough numbers, the discrete modular PRNG register state exponentiation is still easy while the discrete logarithm becomes practically impossible to solve. Man-in-the-middle-attacks can DATA 7 encDATA be prevented by digital signatures and certiﬁcates. However, XOR they would be quite hard, when the α/β-transmission is in-band the physical secure channel. Ideally, the α/β parameter exchange Figure 3: Secure PRNG with SYM in OFB mode would be multiplexed into the encrypted user or control data channel (Fig.2:9,10). As an additional security layer above the physical layer, conventional symmetrical data encryption (SYM) is realized on the binary data stream before channel coding, modulation and spreading (Fig 2:11,12). This conventional method in- creases the cryptographic strength of the overall system. The keys ki,SYM can be derived from the same random generators and ASYM modules that feed the code-hopping system. An alternative approach would be to use the SYM modules in an extended end-to-end security system, spanning several hops and (wireless) interconnection links. Then a separate key management system and protocol would be needed. Also the α/β key exchange needs a signalling protocol that is running between the A/B terminals, typically resident in the layer 2 MAC. Burst Frame Structure Both synchronous continuous and asynchronous burst packet transmission can be realized as CH-CDMA operating modes. They all need a difﬁcult state transition between two different spreading codes ki and ki+1. The code-hops are located most effective at the frame or cell boundaries for synchronous transmission. For burst packet transmission, a special acquisition for code-hopping has to be developed (Fig.4). An ever constant burst acquisition preamble would contradict to the idea of low-detectability and anti-jamming. In consequence, the preamble code should have the same quality as the secure spread sequence SYM PRNG. Taking the same sequence for the preamble as for the data part has a few severe disadvantages. A free-running SYM PRNG spanning several bursts is impossible, because the receiver would have no hint for acquisition and synchronization. If the SYM PRNG sequence starts with the same IV for every burst, the acquisition preamble would repeat very often between the hop intervals. That is a potential security vulnerability. Hopping every burst is impossible because of the key-exchange protocol and for performance and stability reasons. So, the only chance is to mange the preamble and data part with different IV’s (Fig.4:7,8). The key can be the same, because the IV’s are as well security-effective parameters. The preamble could use incremental IV’s for every subsequent burst (Fig.4:9). That guarantees different sequences for every burst, easy to compute for the communication partners, nearly impossible for outsiders. An acknowledgment and error recovery scheme is needed to counter the possible loss of a burst packet. Because every preamble is individual pseudo-noise, we could call it ”Pseudo One Time Pad Acquisition”. Also for the data part it is recommended to avoid repeating patterns (Fig.4:3-5). Using symmetrical encryption on the binary stream already provides a good data ”whitening” function. But this excludes data preamble, trailer and other deterministic structural elements. A solution is to modulate a new IV in the end of the preamble sequence from a random source (Fig.4:2,6,11), as new randomization input for the data part spreading sequence (Fig.4:8). For the purpose of low-detectability and anti-jamming, the burst-oriented CH-CDMA mode is better suited, if the user data is highly burst-oriented itself (like Internet or text messages). However, burst packet acquisition is much harder than decoding a synchronized continuous data stream.

key transition i → i+1 12 ki ki+1 9 1 11 A Burst TX α ACK (β) 5

2 B Burst RX α ACK (β) 6

10 3 7 B Burst TX β

hop ACK 8 4 A Burst RX β

A/B TX/RX Hop 13 Terminal A/B Receive (RX) and Transmit (TX) Bursts time

Figure 5: CH-CDMA re-keying synchronization

The presented burst structure is quite complex and difficult to synchronize. In real systems, a simplified variant of this idea could be realized. For example, to enhance the security of UMTS, the existing burst structure could be retained and only the scrambling spreading code could hop dynamically. Then, there are some repeating patterns that could be analyzed with full-band recording and correlations. But anyhow, the security, the low-detectability, jamming-resistance and confidentiality would be greatly enhanced. State Machine and Synchronization The most critical part of a code-hopping system is the state machine and the algorithm to control the hop from one code to another. Fig. 6 shows a general approach for a user A initiated hopping. In real systems, both partners A and B could be allowed to initiate a code-hop, but this has to be coordinated. For a better understanding, the diagram just explains the A initiated variant. A time diagram of the CH-CDMA re-keying synchronization is presented in Fig. 5 as a result of the state machine behaviour. This is just the ideal code-hop sequence without transmission errors and loss of important control packets. The signaling information can also be attached to bursts with data payload. The very first spreading code should be agreed on before to achieve a first contact (Fig.6:3-4). This more vulnerable moment should be kept as short as possible and should be avoided in later communications. In the general situation of synchronized codes, a code-hop is initiated by a control packet and a (signed/certified) α parameter transmission (β for B-initiated), see Fig. 5:9. Still all CDMA-spreading units operate on the same code ki. The example assumes the bidirectional connection sharing the same spreading code. The hardware architecture could, however, also operate with different spreading codes in each direction. The state machine would be a bit more complex in this case and the random generators would have to produce the double rate. Back to the example, also here it happens that the 4 spreading code generators operate at different codes during the code-hop-sequence, the previous (ki) and the next one (ki+1). The algorithm has to guarantee, that at least sending and receiving spreading code are synchronous. Otherwise, no communication is possible, not even transmitting signaling and acknowledgment information. A robust method is to stay with the old code (ki) as long as the new code (ki+1) is fully confirmed between the partners. The parameter β answer of B does not switch the spreading code (Fig.5:10). Only the receive-acknowledgment ACK(β) by A assures that every partner is ready for the new code. The A sending unit can hop the code (ki → ki+1) for the next burst (Fig.5:5). Also the receiving unit B can hop the code (Fig.5:6) after decoding the last ACK(β) packet. But the ”hop ACK” signal from B back to A should still use the old code ki to give a more reliable way of confirming the hop in the following packet. Subsequently, the transmitting spreader of B hops to ki+1 (Fig.5:7) and after reception also the receiving spreader of A (Fig.5:8). After this last partial hop, the overall hop-sequence is complete 1 2 code-hop A local TX/RX process B remote TX/RX process initiator

3 4

Ki : A TX ready Ki : B RX ready 7

INIT K INIT K 13 std. data flow i i std. data flow

code hop timer αi+1 received b α ≡ ai+1 increase TX power increase TX power β ≡ i+1 send 14 8 send i+1 g 5 6 i+1 g send A DH reset send B DH reset

K : wait for K : wait for ACK( ) 15 9 i βi+1 timeout or timeout or i βi+1 DH reset DH reset 18 19 βi+1 received

send ACK( ) ACK( ) received 10 βi+1 βi+1

TX code hop to K i+1 : TX ready RX code hop to K i+1 : RX ready 16 11 unknown state of receiver B RX unknown state of sender A TX successful packet decoding successful packet decoding

progress state Ki → K i+1 :TX ready progress state Ki → K i+1 : RX ready 17 12 recepient RX listening with Ki+1 Ki+1 confirmed from sender

Figure 6: Code-Hopping state machines (A initiated hopping) and has to be stabilized. Stabilization means, that both partners know exactly the state of the other and don’t have to keep the old key ki as a fall-back solution any more (Fig.6:12,17). That is important in case that some acknowledgment bursts during the code-hopping are lost. There exist some faulty states due to transmission errors that the spreading units don’t get synchronized and can’t communicate any more. Not even information about these faulty states can be exchanged any more on a reliable channel. To intercept those states, a timer can trigger a time-out to go back to the last known working state with the old key ki (Fig.6:18,19). At the same time, kind of a DH-reset signal can be emitted to possibly speed up the reset sequence for the communication partner. Transmission failures are usually caused by bad wireless channel conditions or jamming. In any case it is advantageous to increase the transmitting power after such timeouts (Fig.6:5,6) and start the code-hop sequence again. Note, that the code-hop control signals can be attached to user data payload bursts. This way, the re-keying negotiation phase does not disturb the user data transmission. The code-hopping sequence can be considered as completed, when both partners after the ﬁnal ”hop ACK” decoded at least one burst in the new code ki+1 successfully (Fig.6:12,17). Now, the new ki+1 can be used as the new reliable fall-back solution.

SYSTEM PROPERTIES System properties can be derived from theoretical considerations and system simulations. There is work in progress to implement and simulate a CH-CDMA system in software. Hardware realizations would start with modifications of existing systems, without fully deploying the complex burst structure of Fig. 4. The analytical properties will be studied in future research. Many performance parameters do not differ from conventional CDMA systems. In particular, there are no performance drawbacks in between the code-hop sequences (first simulation runs). During the hopping sequence itself there can be transitional states that are more complex to analyze. Cryptographic Complexity Cryptographic power is measured in terms of complexity of the attacking algorithm. The ”linear complexity” of a CDMA sequence is defined by the length of the shortest LFSR, which can reproduce the sequence. The computing complexity to determine this value is of O(n2) with the Berlekamp-Massey algorithm. This very weak polynomal complexity allows to break the IS-95 sequence (linear complexity of 42 bit) in less than 1 second of intercepted signals [5]. Also Maximum Likelihood decoding and ”Edit Distance” are two successful attacks on the LFSR. Only exponential complexity O(2n) gives a sufficient cryptographic power, compared to a brute-force attack with all possible key combinations. Breaking AES-128 has this exponential complexity, until there is a vulnerability discovered, that allows practical attacks better than trying the 2128 ≈ 3.4 · 1038 key combinations. A hard requirement is that of realtime decryption in CH-CDMA. The attacker would have to attack every interval between the code-hops individually. In conventional CDMA systems, one single successful attack would already compromise the system. Furthermore, unlike conventional cryptanalysis (in higher layer protocols), the attacker has no direct access to every bit of the ciphertext. The CH-CDMA ciphertext sequence is hidden in noise. Without knowledge of the hidden dynamic random key, a decoder cannot reliably extract the ciphertext sequence and thus has almost no information about the hidden signal at all. With extreme efforts, broadband recording and analysis (like SETI project) one could possibly extract the ciphertext and possibly even break it. But it does not last very long. At the next key-hop the attacker will get a blackout again. The cryptographic power of Diffie-Hellmann (DH) is the asymmetric computing complexity of the discrete exponentiation/logarithm: α ≡ ga(modp) . In terms of practicability, it is a secure one-way function. The size in n bit of the numbers a and α is related to the prime number p. The computing complexity is linear in one direction and exponential in the other direction, even with the currently most efficient algorithm ”Baby Step, Giant Step” :

a → α : O(n) ′ α → a : O(2n/2) =b O(2n )

But as the parameters α/β are transmitted on the secured physical layer, the attack on DH is not available and even if it would succeed somehow, the derived secret key is only valid until the next code-hop. DH is not the only public key protocol suitable for CD-CDMA. Also other approaches with elliptical curves (EC) or RSA are realistic. The main advantage of CH-CDMA over other security protocols is the dynamization of spread spectrum coding techniques with strong cryptographic algorithms. Low Detectability Low detectability is often used as an argument for Spread Spectrum and CDMA. However, this is only valid as long as the spreading code and/or its seed values are secret. The introductory thoughts about [5] point out, that this secrecy is a commonly underestimated problem. Vulnerable PRNG may be cryptanalyzed if their seed values are constant over a long time. Furthermore, static PRNG seed values may be exposed by other attacks on the communication systems or simply by theft and tampering with the device hardware. Once a spreading code can be reconstructed by the adversary, the detectability is not lower than with other non-CDMA coding techniques. The code-hopping approach minimizes the detectability by introducing as much random as possible into the transmitted signals. The statistical properties of secure PRNG sequences come very close to those of true random sequences. Chaos modulation techniques on the other hand exhibit certain structures (chaotic attractors) in the phase space, although the signals are truly non-deterministic. CH-CDMA is a compromise between chaos modulation and traditional CDMA. It does not have the performance drawbacks of chaotic modulation, but provides also non-deterministic sequences. The CH-CDMA sequences seem chaotic to 3rd parties, but between the communication partners and only between them, they are synchronized and well structured. Jamming Resistance Just like low detectability, the jamming resistance relies on the secrecy of the spreading code and its seed value. With the knowledge about these secrets, the adversary can jam a CDMA system as effective as any other non-protected communication system. When talking about worst case jamming, even nowadays the traditional categories like repeat-back, partial-band, broadband, multitone or pulse jamming are usually cited. For the case, that the jammer has not the knowledge about the PN code, that is justified. But it includes a risky assumption. The real thread, the absolute worst case jammer that can fully imitate the legal communication partner, is constantly ignored. In higher-layer protocols (OSI 2-7), these kinds of attacks become more and more common. Hackers imitate banking servers for electronic financial transactions, introducing false certificates, imitating legal users with stolen passwords and pretend the man-in-the-middle for attack. The same has to be expected on the physical layer. While conventional CDMA systems have no protection against this thread, the proposed CH-CDMA is relatively immune to imitating jammers. Systems with chaotic modulation are somehow inherently immune against imitation jammers, because their wave-forms are non-deterministic. This is however only valid until their static parameters don’t get revealed. In consequence, this protection is not much better than in conventional CDMA systems. Furthermore, their BER/SNR performance is relatively low [9], making them more vulnerable to noise-like jamming.

A traditional broadband jammer would inject a spectral noise density of NJ = J/WSS with the power J into the secure system, equivalent to AWGN noise in the system bandwidth WSS [1]. As WSS is very wide in spread spectrum systems, this kind of jamming not especially effective. Energy in the range of the spreading factor is wasted due the the lack of cross-correlation between the signal and the jamming noise. Partial-Band noise jamming concentrates the jamming power J only on a fraction ρ of the system bandwidth. Depending on the power relation between communications signal and jamming signal, this could lead to better or worse jamming efficiency. Multi-tone jammers concentrate more on the frequency slots of FH. The efficiency is determined by the probability µ that any of the FH slots are hit by the jammer. However, without knowing the FH PRNG sequence, most of the FH slots are missed and lots of jamming power is wasted. Repeat-back jammers can disturb FH-systems as long as their hop rate is slow enough for the jammer to respond within the hop duration. The jammer can simply be defeated by faster hop rates. So far, conventional CDMA systems in general are quite resistant against jamming. But now, if a jammer is able to exactly imitate the PRNG sequence, its effectiveness will greatly increase. The full processing gain PG is applied to the jamming power. Intelligent jammers would concentrate their jamming energy for example on sensible parts of the bursts like the acquisition preamble. So, already a jamming power would be sufficient, that is lower than the signal power itself. Possibly, the jamming signal needs a negated binary modulation, to introduce destructive and not constructive interference. In any case, a random binary modulation on the imitated and synchronized PRNG sequence would at least be destructive for 50% of the time. CH-CDMA systems protect exactly against those types of intelligent imitating jammers by making the PRNG sequence practically unpredictable. CH-CDMA combines the advantages of two different techniques, the good BER- and statistical performance of CDMA with the non-determinism of chaotic generators.

CONCLUSION The dynamic code hopping approach offers best protection against eavesdropping and intentional jamming in CDMA spread spectrum communications. Systematic vulnerabilities in conventional secure spread spectrum systems will be fixed by this countermeasure. Performance drawbacks are not expected on the transmission channel, but the PRNG generators and synchronization will have a higher complexity. Simplified variations of this idealistic approach can also help to increase security of existing spread spectrum solutions like WLAN, UWB or (S-)UMTS. In satellite communications, vulnerable telemetry channels and military communication channels will find a high-end solution in this approach. Fu- ture research should evaluate analytical properties of this approach. As a proof of concept, a simulation system should demonstrate the main system properties.

REFERENCES [1] M. K. Simon, J. K. Omura, R. A. Scholtz, and B. K. Levitt, Spread Spectrum Communications Handbook. McGraw-Hill, 1994. [2] J. S. Lee and L. E. Miller, CDMA Systems Engineering Handbook. Artech House, 1998. [3] G. M. Køien, “An introduction to access security in UMTS,” IEEE Wireless Communications, Feb. 2004. [4] E. Barkan, E. Biham, and N. Keller, “Instant ciphertext-only cryptanalysis of GSM encrypted communication,” in CRYPTO 2003 - The 23rd Annual International Cryptology Conference, International Association for Cryptologic Research (IACR). University of California, Santa Barbara: Springer, Aug. 2003. [Online]. Available: http://www.cs.huji.ac.il/labs/danss/presentations/GSM.ps [5] M. Zhang, C. Carroll, and A. Chan, “Analysis of IS-95 CDMA voice privacy,” in Seventh Annual Workshop on Selected Areas in Cryptography, Ontario/Canada. Springer, Aug. 2000. [6] B.Lohlein,¨ “Attacks based on conditional correlations against the nonlinear ﬁlter generator,” Cryptology ePrint Archive, Report 2003/020, 2003. [Online]. Available: http://eprint.iacr.org/2003/020.pdf [7] A. Abel and W. Schwarz, “Chaos communications - principles, schemes and system analysis,” Proceedings of the IEEE, vol. 90, no. 5, pp. 691–710, May 2002. [8] N. F. Rulkov, M. M. Sushchik, L. S. Tsimring, and A. R. Volkovskii, “Digital communication using chaotic-pulse-position modulation,” IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, vol. 48, no. 12, pp. 1436–1444, Dec. 2001. [9] A. Abel, W. Schwarz, and M. Gotz,¨ “Noise performance of chaotic communication systems,” IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, vol. 47, no. 12, pp. 1726–1732, Dec. 2000. [10] F. Dachselt, K. Kelber, and W. Schwarz, “Discrete-time chaotic encryption systems - Part III: Cryptographical analysis,” IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, vol. 45, no. 9, pp. 983–988, Sept. 1998. [11] B. Jun and P. Kocher, “The Intel random number generator,” Cryptography Research Inc., White Paper prepared for Intel Corporation, Apr. 1999. [Online]. Available: http://www.cryptography.com/resources/whitepapers/IntelRNG.pdf [12] J. Damen and V. Rijmen, “American Encryption Standard AES / FIPS 197.” [Online]. Available: http://www.nist.gov/aes [13] ——, The Design of Rijndael – AES - The Advanced Encryption Standard. Springer, 2002. [14] CAST Inc., “AES hardware designs in VHDL, verilog RTL & EDIF, up to 4.64 Gbit/s AES-128 bandwidth.” [Online]. Available: http://www.cast-inc.com/cores/aes/ [15] S. Murphy and M. J. B. Robshaw, “Essential algebraic structure within the AES,” in Advances in Cryptology - CRYPTO 2002, 22nd Annual International Cryptology Conference, vol. 2442, International Association for Cryptologic Research (IACR). Springer, Aug. 2002. [16] B. Schneier, Applied Cryptography. Addison-Wesley, 1996.