IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011 725

Optical Layer Security in Fiber-Optic NetworksMable P. Fok, Member, IEEE, Zhexing Wang, Student Member, IEEE, Yanhua Deng, Student Member, IEEE, and

Paul R. Prucnal, Fellow, IEEE

Abstract—The physical layer of an optical network is vulnerableto a variety of attacks, including jamming, physical infrastructureattacks, eavesdropping, and interception. As the demand for net-work capacity grows dramatically, the issue of securing the phys-ical layer of optical network cannot be overlooked. In this surveypaper, we discuss the security threats in an optical network as wellas present several existing optical techniques to improve the se-curity. In the first part of this paper, we discuss various types ofsecurity threats that could appear in the optical layer of an op-tical network, including jamming, physical infrastructure attacks,eavesdropping, and interception. Intensive research has focusedon improving optical network security, in the above specific areas.Real-time processing of the optical signal is essential in order tointegrate security functionality at the physical layer while not un-dermining the true value of optical communications, which is itsspeed. Optical layer security benefits from the unique propertiesof optical processing—instantaneous response, broadband opera-tion, electromagnetic immunity, compactness, and low latency. Inthe second part of this paper, various defenses against the securitythreats outlined in this paper are discussed, including optical en-cryption, optical code-division multiple access (CDMA) confiden-tiality, self-healing survivable optical rings, anti-jamming, and op-tical steganography.

Index Terms—Fiber-optics network, optical layer security, op-tical signal processing, physical layer security.

I. INTRODUCTION

O PTICAL communication systems have foundwidespreadadoption in a variety of applications, ranging from per-

sonal to commercial to military communications. Due to thedramatic increase in network usage and the increased accessi-bility of optical networks, it is important that communicationscrossing these networks are properly secured. As with any othertype of network, the first line for securing communications startswith employing cryptographic protocols at higher layers of theprotocol stack. However, building security on top of an inse-cure foundation is a risky practice, and for this reason it is desir-able to make certain that the physical layer of an optical system(which we shall refer to as the optical layer in this paper) is madesecure against threats that might target the lowest layer of an

Manuscript received October 13, 2010; revised January 18, 2011; acceptedMarch 31, 2011. Date of publication April 11, 2011; date of current versionAugust 17, 2011. This work was supported in part by the U.S. Defense AdvanceResearch Projects Agency under Grant MDA972-03-1-0006 and in part by SSCPacific Grant N66001-07-1-2010. The associate editor coordinating the reviewof this manuscript and approving it for publication was Dr. Wade Trappe.The authors are with the Department of Electrical Engineering, Princeton

University, Princeton, NJ 08544 USA (e-mail: mfok@princeton.edu;zhenxing@princeton.edu; ydeng@princeton.edu; prucnal@princeton.edu).Color versions of one or more of the figures in this paper are available online

at http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TIFS.2011.2141990

optical network. In particular, as with other network types, thephysical layer of an optical network is vulnerable to a varietyof attacks, including jamming, physical infrastructure attacks,eavesdropping, and interception [1]. Further, optical networksare unique in that the data rates that they currently experienceexceed 40 Gb/s, and this figure is only going to increase withtime. This presents a unique challenge for achieving security, assecurity mechanisms at the physical layer must be able to op-erate at real-time, which is not possible at these line rates usingconventional electronic computing. To overcome this challenge,the inherently high speed and parallelism of optical signal pro-cessing must be leveraged to perform security processing of op-tical signals in real time. Although accomplishing real-time se-curity processing at the optical layer is a very technically chal-lenging problem, the rewards can be quite significant: first, se-curing the optical layer will augment security procedures em-ployed at the higher layers of the protocol stack, leading to asystem that is overall more secure; and, unlike their electroniccounterparts, optical communication systems have less risk ofside-channel attacks, as optical devices do not generate electro-magnetic signatures and are hence inherently less vulnerable toelectromagnetic-based side-channel eavesdropping.By employing optical signal processing, the optical commu-

nications community has explored several avenues for securingoptical networks at the optical layer [2]–[4]. Some examples ofspecific research directions include devising all-optical logic forencryption [5][6], optical steganography [7]–[10], and opticalsurvivable networks [11]–[13]. Optical encryption allows sig-nals to be encrypted with low latency and high speed (at rates notpossible with conventional electrical implementations), withoutthe emission of a radio-frequency signature. Optical steganog-raphy provides an additional layer of privacy that can supple-ment data encryption by hiding the very existence of data trans-mission underneath the public transmission channel.The purpose of this paper is to provide a survey of several

areas of optical layer security and how the associated securityobjectives are being accomplished through optical signal pro-cessing.We will begin in Section II by providing an overview ofthe threats that may be faced in an optical network at the opticallayer. Although there are numerous security aspects that can beexamined, in this paper we shall restrict our detailed discussionsto three separate security objectives: supporting the confiden-tiality of communications, protecting the privacy of communi-cations (or low-probability of detection), and assuring the avail-ability of a communication link/network. Hence, in Sections IIIand IV, we examine techniques for confidentiality and authenti-cation, respectively. In Section V, we examine methods for as-suring the availability of communications, while in Section VIwe examine optical methods to hide the presence of communi-cations. Throughout our discussion, we provide examples and

1556-6013/$26.00 © 2011 IEEE

726 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011

results from experimental efforts that validate the concepts ofsecuring optical networks at the physical layer.

II. THREATS AND DEFENSES IN OPTICAL NETWORKS AT THEOPTICAL LAYER

There are many types of optical networks, ranging from localarea networks to optical networks that form the backbone of theInternet. For each of these networks, the actual implementationof a particular type of threat may vary. However, in spite of thesemany different modalities, the threat categories can loosely becategorized as threats where an adversary tries to listen in oncommunications (confidentiality), where an unauthorized en-tity tries to communicate (authentication), where an entity al-ters or manipulates communication (integrity), where an adver-sary tries to subvert the successful delivery of communications(availability), and privacy risks associated with an adversary ob-serving the existence of communications (privacy and trafficanalysis). In the remainder of this section, we quickly surveyconfidentiality, authentication, privacy, and availability threatsand solutions at the optical layer.

A. ConfidentialityAlthough optical networks do not emit an electromagnetic

signature, an attacker can eavesdrop on an optical system usinga variety of approaches, including physically tapping into theoptical fiber [14], or by listening to the residual crosstalk froman adjacent channel while impersonating a legitimate subscriber[15]. Tapping optical fiber is not difficult if the fiber itself is ex-posed and without physical protection. For example, fiber canbe tapped by peeling off the protective material and cladding ofthe fiber, so that a small portion of the light escapes from theoptical fiber. By placing a second fiber directly adjacent to theplace where light escapes from the first fiber, it is possible tocapture a small amount of the desired optical signal. In prac-tice, tapping an optical fiber this way is not easy because only avery small amount of signal can be tapped without noticing thattoo much power has been removed from the optical signal. Forthe reduction in signal power to not be noticeable, the eaves-dropper must operate at a very low signal-to-noise ratio. Also,the procedure requires peeling protective material and claddingfrom the fiber, which can easily cause breakage. In reality, mostthe optical fibers in communications systems are bundled to-gether and will have multiple layers of protective materials andcabling. Therefore, physically tapping an optical fiber is not asimple task. Another way of eavesdropping is to listen to theresidual adjacent channel crosstalk while impersonating one ofthe subscribers. This is possible in wavelength-division-multi-plexing (WDM) networks, in which different wavelengths areused by different subscribers, and a desired signal is droppedat its destination using a wavelength demultiplexer. However,wavelength demultiplexers do not have perfect channel isola-tion, resulting in a small amount of optical power leakage fromadjacent channels (interchannel crosstalk). Thus, eavesdropperscan listen to the leakage from the adjacent channel to obtain theresidue signal. This approach requires special optical devicesand measurement equipment to extract the weak optical channelfrom the crosstalk. These two kinds of eavesdropping are notvery practical to implement, but are still possible in principle for

eavesdroppers with specialized optical equipment. Thus, confi-dentiality in an optical network can be improved through the useof optical encryption and optical coding.Encryption is an effective way to secure a signal and enhance

the confidentiality of a network in the physical layer. Withoutknowledge of the encryption key, the data cannot be recoveredfrom the ciphertext by an eavesdropper. To be compatible withhigh data rates of optical networks, there has been consider-able effort to develop architectures for implementing encryptionfunctions in the optical domain. As with the fiber-optical trans-mission channel, optical encryption also benefits from not gen-erating an electromagnetic signature, which makes it immuneto electromagnetic-based attacks. Even if eavesdroppers wereable to obtain a small portion of signal by tapping into the op-tical fiber or listening to a residue adjacent channel, no usefulinformation can be obtained without the knowledge of the en-cryption key.Optical coding through the use of optical code-division mul-

tiple access (OCDMA) is another way to provide optical layerconfidentially [1], [16]. The confidentiality that OCDMA canprovide originates from the encoding/decoding process and itsmultiplexing properties. In a typical OCDMA system, each datastream is encoded with a specific code which can only be de-tected with the corresponding decoder. Moreover, in a mul-tiple-access system, a plurality of CDMA codes can simulta-neously exist in the transmission channel which overlap bothin time and optical spectrum. This makes it difficult to detecta given code masked by other codes without a priori knowl-edge of the codes. Although optical coding does not provideconfidentiality that is as strong as optical encryption, it intro-duces an additional layer of protection from eavesdropping. InSection III, a detailed overview of OCDMA and the strength ofconfidentiality it can provide will be discussed for various typesof OCDMA systems.

B. Authentication

Authentication requires the use of a unique coding/decodingscheme between the desired users. The coding scheme formsan identity for the user. In the physical optical link, an opticalsignal travels freely in the network and can reach any destinationas long as it has the correct wavelength (for a WDM network),or a correct temporal synchronization (for a time-division-mul-tiplexing (TDM) network). With an OCDMA coding/decodingscheme, a certain level of authentication can be achieved byusing a unique OCDMA code that is agreed upon by the senderand designated recipient. Without knowledge of that code, anunauthorized user cannot decode the OCDMA signal in thepresence of other OCDMA traffic. In other words, in addition toproviding multiaccess capability, OCDMA codes also providea means for authentication between two users. Here, eachsender encodes their own data with a unique OCDMA codethat represents the sender’s identity. To receive the data froman authenticated sender, the recipient uses the correspondingdecoder to drop the signal from the multiaccess channel. Dataencoded by other encoders are treated as unauthenticated data,and are automatically blocked due to the mismatch betweenthe encoders and decoders. The adversary cannot impersonatethe authenticated sender without knowledge of the code used

FOK et al.: OPTICAL LAYER SECURITY IN FIBER-OPTIC NETWORKS 727

by the sender, and is therefore incapable of compromising theOCDMA system.

C. Privacy

Steganography can enhance the privacy of communicationssystems by hiding messages in plain sight, such that apart fromthe sender and intended recipient, no one else is aware of the ex-istence of the transmission. In optical communications, opticalsteganography enables the transmission of a secret data channelcalled the “stealth channel,” which can be hidden in the pres-ence of “public channels” [1], [17]. To achieve this, the datarate of the stealth channel must be lower than that of the publicchannel. This may be acceptable in applications where a lowbit-rate, high priority channel requires additional confidentialitycompared to the public channels.The principle of optical steganography is based upon gen-

erating a series of short optical pulses (stealth pulses) whichare temporally stretched using a dispersive optical element withhigh group-velocity dispersion (GVD), as shown in Fig. 1. Shortoptical pulses inherently have a wide spectral width, whereasthe high-dispersion element causes each wavelength componentto propagate at different speeds. Using high GVD, the stealthpulses are stretched sufficiently to reduce their peak amplitudesto a level below the system noise, such as amplified spontaneousnoise generated by optical amplifiers. If a public signal is alsopresent, the stretched stealth pulses can be hidden under both theambient noise in the network and the public signal, as shown inthe middle figure in Fig. 1. In the spectral domain, the stealthsignal can either be submerged beneath the background noise(if it has a wide spectrum), as shown in Fig. 1 in bottom figure,or it can share the same spectrum as the public channel. Theaim is to make the stealth signal not noticeable in the spectraldomain.At the receiver side of the network, the public channel is

recovered using a conventional optical receiver. Performancedegradation due to the presence of the stealth signal is minimalbecause of its low amplitude. To receive the stealth data, thestealth pulses need be recovered through matched GVD com-pensation. Since the public signal is strong and is mixed withthe stealth signal, it has to be removed from the received signalbefore the stealth signal can be detected. In Section VI, sev-eral examples are presented of applying optical steganographyto various public transmission systems and issues in the imple-mentation of optical steganography are addressed.

D. Availability

Optical networks are susceptible to a variety of attacks ontheir physical infrastructure as well as signal jamming attacks[18]. The net result in either case can be a denial of service.Although denial of service does not necessarily result in the theftof information, it can translate into loss of network resources(such as bandwidth), impact many users, and could result insignificant fiscal losses to the network provider.Physical damage to an optical fiber can happen intentionally

or unintentionally. For example, an attacker can simply snip anexposed portion of the fiber that is not protected by casing, ora construction crew can inadvertently damage an underground

Fig. 1. Top: Schematic illustration of optical steganography using group ve-locity dispersion. Insets: (a) measured temporal profile of stealth channel beforespreading; (b) measured temporal profile of temporally spread stealth channel.Middle: the measured public signal eye diagram (a) without stealth signal, and(b) with stealth signal. Bottom: Spectral masking of the stealth transmission(a) spectrum without stealth transmission, (b) spectrum with the stealth signalpresent, and (c) spectrum of the stealth signal alone.

fiber cable during digging. Regardless of the intent, optical net-works are typically configured with redundant paths enablingself-healing in a short period of time that minimizes disruptionof services. Self-healing ring architectures ensure both surviv-ability and service availability [19]. Many telecommunicationinfrastructures in metropolitan and local area networks are im-plemented with such architectures, and those networks are guar-anteed to have 60 ms or less restoration time against link failure[20]. From the perspective of information assurance, comparedto other types of optical multiplexing schemes, OCDMA hasthe advantage of large code cardinality and soft-blocking [1],which can help enhance service availability under physical in-frastructure attack while also minimizing bandwidth usage. Forthis reason, the use of an OCDMA-based backup channel hasbeen proposed as a means to implement a bandwidth-efficientbidirectional OCDMA ring network [13].Passive networks (e.g., rings, buses, stars) are vulnerable to

denial of service by the injection of a strong optical signal up-stream at any access point. An optical jamming signal can takemany different forms, ranging from aweak random signal that isaimed at introducing errors in the demodulation of the received

728 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011

Fig. 2. System architecture of all-optical encryption. QDK: Quantum key distribution.

signal, a narrowband strong continuous-wave (CW) signal thatis intended to saturate the receiver on a specific channel, or abroadband signal that attempts to jam all users that within aspecified bandwidth.Whatever the specific form of the jammingsignal, it is advantageous to shift the communications channelto a wavelength or waveband that is not being jammed. This canbe accomplished using either wavelength conversion or wave-band conversion, translating the optical frequency/wavelengthto unjammed regions [21], [22].

III. OPTICAL LAYER SECURITY: CONFIDENTIALITY

A. Optical Encryption

In encryption, the data cannot be recovered from the cipher-text by an eavesdropper without knowledge of the encryptionkey. This makes encryption an effective way of securing a signaland enhancing the confidentiality of a network. There has beenconsiderable effort to develop optical architectures for imple-menting fast encryption functions in the optical domain. Onemotivation for such work is that optical processing can operateat data rates far in excess of what is capable with electroniccomponents. Further, optical components do not have electro-magnetic emissions that are observable from a distance, andhence pose less side-channel risk than their electrical counter-parts. As an example, the investigation of optical XOR logichas been carried out by several researchers as a starting pointfor building optical encryption algorithms. The resulting op-tical XOR gates do not have electromagnetic signatures that canbe monitored by an eavesdropper. Optical XOR gates have beenproposed and demonstrated using various techniques, includingfour-wave mixing for phase-modulated [23], [24] and polariza-tion-modulated [25], [26] signals, cross-phase modulation in in-terferometric-based optical devices [27], [28], cross-polariza-tion modulation [29] and cross-gain modulation [30] in a semi-conductor optical amplifier, and pump depletion with sum anddifference frequency generation in a periodically poled lithiumniobate (PPLN) waveguide [31].XOR logic is an important starting point for building optical

layer encryption since, in cryptography, combining XOR withfeedback is essential in generating long key streams fromsmaller keys or for processing registers used in the processof enciphering by Vernam ciphers [32]. The implementationsof block ciphers require XOR, feedback, and feed-forwardcapabilities. Translating these building blocks into the opticaldomain and using them together can provide a high-speed,

electromagnetic wave-immune, all-optical means for encryp-tion. However, practical optical implementations of the abovebuilding blocks face many challenges. Notably, optical systemsare susceptible to noise accumulation and the propagationof undesirable logic levels. Various XOR gates with feedbackhave been proposed using a semiconductor optical amplifierin a Sagnac loop [33], semiconductor optical amplifier in aMach–Zehnder interferometer (MZI) [34], and cross-polar-ization rotation with Sagnac loop [35] for various kinds ofapplications including pseudorandom number generation andcorrelation.With the development of various types of XOR gate, an op-

tical encryption system might consist of encryption at the trans-mitter and decryption at the receiver, as shown in Fig. 2. Thekey and data are kept in a trusted area which the eavesdropperis not able to access. The signal can be pre-encoded using a dif-ferent coding scheme such as OCDMA. The signal and key arethen launched into the optical encryption block consisting ofan optical XOR gate. At the receiver side, the signal is decodedoptically and decrypted using the key. In the following, resultsfrom [21], [26], [35], [36] are described, focused on achievingreliable XOR logic, and developing optical feedback for the XORdevices.Based on four-wave mixing (FWM) in a 35-cm highly non-

linear bismuth-oxide fiber (Bi-NLF), optical encryption of aWDM signal in a compact and low latency fashion is demon-strated [21], [26]. FWM-based encryption relies on the polar-ization-sensitivity of FWM. Both the input data and the encryp-tion key are polarization modulated. FWM occurs only if boththe key and data are of the same polarization. The scheme usesa new wavelength to represent the encrypted signal that inher-ently provides the capability for anti-jamming by controlling thepump wavelength [21], which will be described in Section V-B.The above FWM encryption scheme can be further extended

to encrypt OCDMA signals and enhance the security using in-terleaved waveband switching modulation [36]. Unlike ampli-tude modulation, in which the intensity changes with each bitchange, two spectrally interleaved wavebands with equal inten-sity are used to represent the bit 0 and bit 1 of the ciphertext.It is more difficult for the eavesdropper to detect the content ofthe cipher text, since there is no intensity difference during thebit change. Fig. 3 shows the experimental results. The temporalprofiles of just one waveband, each representing XOR and NXORencryption operations, are shown in Fig. 3(a) and (b). With boththe orthogonal keys turned ON, the temporal profile of the en-crypted signal is shown in Fig. 3(c) and interleaved waveband

FOK et al.: OPTICAL LAYER SECURITY IN FIBER-OPTIC NETWORKS 729

Figure 3. Temporal profiles (a) XOR output; (b) NXOR output; (c) encryptedsignal with interleaved waveband switching modulation; (d) encrypted signalafter decoding.

switching modulation is obtained. A decoded signal is obtainedas shown in Fig. 3(d).Further, XOR gates based on cross-polarization rotation in a

40-m Ge-doped nonlinear fiber (HDF) were presented in [35],while the challenging problem of building reliable optical feed-back loops is achieved using a terahertz optical asymmetric de-multiplexer (TOAD). The TOAD in the optical feedback is forsignal regeneration and wavelength conversion, while the twoinputs—the signal and key—are orthogonally polarized. A po-larizer is placed at the end of the HDF to convert the polarizationstate into amplitude. If only one input is present, the polariza-tion of the CW signal is rotated and is transmitted through thepolarizer, while if both inputs are present with a similar magni-tude, the overall polarization rotation of the CW light is zero sothat the CW signal is again blocked by the polarizer. The aboveoperation results in an XOR logic operation, where a bit 1 resultsif and only if one of the controls has a bit 1. To build a feedbackpath for the XOR gate, a TOAD is exploited to avoid noise ac-cumulation and to convert the feedback signal wavelength.Besides experimental demonstration, simulation has been

done using VPI photonics simulation software to verify theoperation, step by step. An eight-bit pattern “01100110” is usedas the initial input for control 2 [Fig. 4(b)], while a PRBS isused for control 1 with first eight bits as “10010110” [Fig. 4(a)].The resultant XOR output is “11110000” [Fig. 4(c)]. The XORoutput is then launched back to the device input at control 2 andis XOR-ed with the incoming control 1, forming an XOR outputoperating in its feedback mode. The resultant XOR output isshown in Fig. 4(c), indicating correct logic operation of the de-vice in feedback mode. By successfully building an optical XORwith optical feedback, these building blocks can potentially betranslated into the optical domain and can provide a high-speedand all-optical means for data encryption.

B. OCDMA Confidentiality

As mentioned in Section II, system confidentiality dependson the type of OCDMA codes used. OCDMA codes aregenerally divided into two major groups: coherent OCDMAcodes and incoherent OCDMA codes. One typical coherentOCDMA scheme is spectral-phase encoding (SPE), whichapplies different phase shifts to multiple coherent spectral

components [37], [38]. At the receiver, the decoder conductsthe conjugate phase shifts so that all the spectral compo-nents become in-phase, forming an autocorrelation peak fordata reception. Incoherent OCDMA implements the systemthrough intensity modulation and direct detection. Amongvarious incoherent OCDMA schemes, we focus on a typ-ical two-dimensional OCDMA scheme, wavelength-hoppingtime-spreading (WHTS), because of its code flexibility andbetter code performance compared with other schemes [39].Apart from the OCDMA codes utilized, the data modulation

format also contributes to the system’s confidentiality. On–offkeying (OOK) is proved to be vulnerable to eavesdropping,since the energy levels of bit “1” and “0” are different and canbe easily distinguished using a photodetector even without a de-coder [1]. To overcome this problem, both coherent and inco-herent OCDMA codes can adopt two-code-keying modulation,which uses two different codes to represent bit “1” and “0,” re-spectively, to make the energy levels equal for all bits. -arymodulation can further increase the system’s confidentiality per-formance by increasing the number . This is because each ofthe codes represents bit of information, which canbe kept secret to the adversary when becomes large.Research has been done extensively on the confidentiality

performance of both SPE codes and WHTS codes. First, it hasbeen shown that when there is only a single user on the channel(no matter if OOK or two-code keying is used), it is easy for theeavesdropper to detect the signal information [40]–[42]. There-fore, the OCDMA system has its confidentiality advantage inmultiple access channels when multiple codes exist simultane-ously in the communication channel.In amultiuser system, SPE codes present a stronger resistance

to attacks than WHTS codes, because the complete set of phasecoding information needs to be compromised to successfully de-tect the code. For example, if a decoder is used to detect an SPEcode with eight phase chips, even when seven phase chips areset correctly, an auto-correlation peak will still not be generated.This is because if not all the spectral components are in phase atthe receiver, coherent noise will prevent the generation of a clearautocorrelation peak at the receiver [37]. However, when usingSPE codes, all the codes have to be strictly orthogonal in orderto prevent the generation of coherent noise at the system andresults in performance degradation. Therefore, SPE codes havea limited cardinality, which makes it less difficult for the adver-sary to find the orthogonal code set in use. In contrast, WHTScodes do not have to be strictly orthogonal as long as the au-tocorrelation peak-to-cross-correlation peak ratio is kept abovecertain detection threshold. Therefore, WHTS codes have largercode cardinality than SPE codes and provide more code selec-tion obscurity.To overcome the SPE code cardinality limitation, Menendez

et al. proposed and demonstrated code translation to enlarge thecode cardinality [43]. By translating a normal SPE code set, theHadamard code, which is represented by a Hadamard matrix

, a new orthogonal code set can be obtained by a matrixmultiplication

730 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011

Fig. 4. Simulated temporal profiles. (a) Control 1 with PRBS pattern; (b) control with first eight bits as initial input (as shown in the blue rectangular box) andthe rest as XOR feedback; (c) final XOR output.

where is a diagonal matrix with the on-diagonal elementsbeing arbitrary phase shift where and

.Different selection of phase shifts provides different orthog-

onal code sets. As an example, if , is one of the fourvalues: 0, , , . The code cardinality now is enlarged to. Therefore, it becomes impractical for the adversary to find

the code set using brute force attacks.At the system level, code scramblers are placed between SPE

code subnetworks (called secure islands). Inside the secureislands the communications are protected to be secure. TheSPE codes transmitted to other secure islands will go throughthe code scrambler that performs the code translation describedabove. Therefore, the transmission confidentiality betweendifferent secure islands is enhanced by code translation. Atthe destination secure islands, the scrambled SPE codes areconverted back using a scrambler so that the receiver node canreceive the data using the original SPE decoder.Although an SPE system with code translation is protected

from brute force attack, it is still vulnerable to other attackssuch as the known plaintext attack (KPA) [44]. To overcomethis problem, Etemad et al. proposed to add purely random datain the transmission. Since the random data is unknown to ev-eryone before it is received at the desired destination, the plain-text cannot be known to the adversary [37], making KPA im-possible.For aWHTS system,Wang et al. analyzed the security perfor-

mance of WHTS codes in a multiuser two-code-keying system[45], and concluded that an ordinary WHTS system itself doesnot provide enough confidentiality. The main reason lies in thefact that each chip of a WHTS codes carries all the data infor-mation of one WHTS code. The chips of WHTS codes do notmix sufficiently in the temporal and the spectral domains, andcan be separated individually. Fig. 5 shows an example of anattack on a WHTS system, by using wavelength filters and timegates. The chips of each WHTS code can be separated and thedata can be intercepted by detection of each chip.Approaches to improve theWHTS code security include code

conversion and switching, additional encryption on top of theWHTS system, and utilizing -ary modulation [39]. WHTScode conversion was demonstrated in both the temporal [39]and wavelength domain [22]. Fig. 6 shows an example of codeconversion using wavelength conversion in periodically poledlithium niobate waveguide. A strong pump is used to generatethe new code while bandpass filters are used to remove the pump

Fig. 5. One way to attack a WHTS system by separating the chips in the tem-poral and spectral domain.

Fig. 6. WHTS code conversion in the wavelength domain using nonlinear crys-tals [22].

and the original signal. Code conversion can be made to be dy-namic to improve the system’s resistance against the adversary’sattacks. This can be achieved simply by switching between twocodes based on a key that is only shared by the transmitter andthe desired receiver.Wada et al. demonstrated the improvement of security using

coherent time-spreading OCDMA code, where the confiden-tiality benefits mainly from -ary modulation format. In thisOCDMA system, a whole set of orthogonal codes can be gener-ated and decoded by one single multiport encoder/decoder [46].Kodama et al. proposed to use 16-ary OCDMA code to pro-vide optical layer confidentiality [47] and additional electronicXOR encryption to form a multilayer confidential system. Thesystem’s confidentiality is further improved by increasing thenumber [48].Digital signal processing (DSP) techniques have received

considerable attention in recent optical communications lit-erature [49], [50]. The recent development of DSP makes itpossible to apply CDMA codes used in wireless communica-tions in optical transmission. Wang et al. proposed to utilize

FOK et al.: OPTICAL LAYER SECURITY IN FIBER-OPTIC NETWORKS 731

Fig. 7. Schematic diagram of generating multiplexed signals encoded by en-crypted CDMA codes.

Fig. 8. Experimental eye diagrams of the decoded and descrambled Hadamardcodes. (a)With correct descrambler; (b) with partially correct descrambler (7 outof 8 correct) [37].

encrypted wireless CDMA codes to build a single-user secureoptical transmission link [51], as illustrated in Fig. 7. The basicprinciple is to divide the original data stream into multiplesubstreams, each encoded by one encrypted CDMA code. Themultiple encoded substreams combined together to modulatethe optical carrier. Since the CDMA code is encrypted offlineby advanced encryption methods (e.g., AES), the adversarycannot find the CDMA code in use and decode the transmittedsignal. The receiver captures the transmitted signal waveformand decodes the signal with the same encrypted CDMA codes.The data encoding/decoding and code encryption are all im-plemented through DSP techniques, providing a cost-effectivesolution for a secure single-user link.

IV. OPTICAL LAYER SECURITY: AUTHENTICATION

Although intensive research has not been carried out onauthentication in the physical layer of an optical network,OCDMA codes have promising potential for improving au-thentication in the optical network owing to their unique codingcharacteristics. Taking an SPE code as an example [37], thereceiver can detect the signal only if the complete set of phasecoding information is compromised, i.e., the phases of all thechips are correctly encoded and decoded. Fig. 8 [37] showsthe received eye diagrams of a Hadamard code with codescrambling. By descrambling the code with absolutely correctphase chips, an open eye diagram is obtained as shown inFig. 8(a). The descrambled eye diagram is completely closedeven if only one out of the eight phase chips is incorrect, asshown in Fig. 8(b).

From the above example, one can use the uniqueness ofOCDMA codes as the identity between desired users. Signalsfrom unauthorized users cannot be received because of the lackof knowledge of the code. More research is ongoing to developimprovements in authentication.

V. OPTICAL LAYER SECURITY: AVAILABILITY

A. Survivable Ring

To provide high survivability and ensure service availability,self-healing ring architectures are a good candidate comparedto other architectures [19]. As discussed in Section IV, the largecode cardinality of OCDMA not only increases the difficulty inchannel-detection by brute-force, it also enhances service avail-ability while minimizing the use of bandwidth. Thus, the useof an OCDMA-based backup channel to implement a band-width-efficient bidirectional OCDMA ring network has beenproposed [13]. With large cardinality, a survivable ring net-work can be built such that there is no need to reserve sepa-rate bandwidth or a separate path for link failure. Conventionalbackup paths require the permanent reservation of all or partof their bandwidth. The reserved bandwidth is wasted unlessfailure occurs. One unique characteristic of incoherent OCDMAnetworks is “soft blocking” [1]. Soft blocking means that thenumber of simultaneous transmissions can be added or removedfreely without modifying existing hardware. Unlike WDM orTDM, it is not strictly limited by the number of wavelengths ortime slots. OCDMA provides greater scalability and spectral ef-ficiency than conventional optical multiplexing techniques suchas WDM or TDM [52]. Using the same number of wavelengths,OCDMA can support many more optical channels than WDM.Instead, the increase in transmissions in the network simply de-grades its performance gracefully. Another characteristic of in-coherent OCDMA is allowing heterogeneous data types to co-exist in the same link. To maximize the quality of service in thenetwork, two paths in the ring can carry data with different rates.The primary path carries high priority traffic and the “back-up”path carries lower priority traffic. Due to the soft blocking ca-pability of OCDMA, traffic can be aggregated with only slightperformance degradation. Thus, there is no need to reserve sep-arate bandwidth or a separate backup path for link failure. Bothlinks can carry traffic during normal service. Every node canadd and drop signals in both west and east links, as shown inFig. 9. One way to maximize the quality of service is to put thetraffic with high data rates on one link and low data rates on theother link. During a temporary link break down, both west andeast links are rerouted and the traffic on both links is aggregatedtogether. Despite the slight degradation in performance, there isno interruption of service during link failure and the bandwidthof the fiber can be utilized the whole time.The design of the add/drop node is presented in Fig. 10. The

proposed add/drop node consists of electronic circuits that mon-itor link connection, while the all-optical add/drop multiplexersare used to establish transmission between nodes. The protec-tion-monitoring electronic circuit has two functions: It controls

732 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011

Fig. 9. Two-fiber bidirectional OCDMA ring network.

Fig. 10. Design of the OCDMA add/drop nodes with protection monitoringcircuit and optical add/drop multiplexers on both links. SW: Switch. LD: Laserdiode. OADM: Optical add/drop multiplexer.

the laser diodes that produce the monitoring signal, and it con-trols the switches that route the flow of traffic. To avoid inter-ference with the data, the monitoring signal is designed to bea low-power constant CW light at 1300 nm. This monitoringsignal is filtered before the OCDMA add/drop multiplexers andis directed to the detector in the monitoring circuit. In the caseof a link failure between any two nodes on the east link, the fol-lowing procedure is executed (a similar procedure is executedfor a west link failure):1) The monitoring circuit turns ON the alarm for east linkfailure.

2) The laser diode for the west link is turned OFF to notify thefollowing node of the link failure.

3) The switch on the west link is connected to the east linkand routes the traffic on the two links together.

In case of failure, the traffic from the failed path is routedto the working path. Instead of blocking the traffic, the signalonly degrades as shown in Fig. 11. The curve of blue-cross datapoints shows the degradation for the primary path during linkfailure, and the curve of red-star data points shows the degrada-tion for the backup. Under the circumstance that both primarypath and backup path are carrying maximum capacity, the per-formance for primary path would be degraded to BERand backup path would be degraded to BER during linkfailure.

Fig. 11. Error probabilities of a survivable ring network before and after linkfailure.

B. Anti-Jamming

Passive networks (e.g., rings, buses, stars) are vulnerable todenial of service by the injection of a strong optical signal up-stream at any access point. The strong optical signal can createerrors at the receiver side or the worse case, saturate the opticalreceiver and prevent the user from receiving any information.Thanks to the broadband property of optical fiber (tens of tera-hertz), optical signals in a jammed channel can be transmittedby completely moving the optical signal wavelength out of thejammed waveband. As a result, anti-jamming can be achievedand the communication channel can be established again. Theanti-jamming principle is illustrated in Fig. 12. Before jamming,the signals are transmitting using the waveband in the middle,as shown on the left-hand side of Fig. 12. Once there is jam-ming at that particular waveband, the whole signal can be eitherup-converted or down-converted to the waveband that is avail-able for use.Waveband conversion can be achieved through multiple

wavelength conversions, this has been demonstrated usingfour-wave mixing in a 35-cm highly nonlinear bismuth-oxidefiber. The conversion process requires a strong CW pumpsignal for wave mixing such that the new waveband is shiftedby the amount that is equals to the optical frequency (wave-length) difference between the original signal and the CWpump. Fig. 13 shows an experimental example of the process.Fig. 13(a) is the input signal consists of four wavelengths,by launching the signal to the nonlinear fiber together witha strong CW pump at 1547.8 nm, new wavelength compo-nents are generated as shown in Fig. 13(b). The center strongwavelength spike corresponds to the CW pump, while thefour wavelengths on the shorter wavelength side are the newlygenerated wavelengths. The up-converted signal is filtered outusing an optical bandpass filter and is ready for transmission,as shown in Fig. 13(c). Down conversion of the waveband iseasily obtained by placing the CW pump on the right-hand sideof the original signal (1556 nm), as shown in Fig. 13(d). It isworth noticing that a wider conversion range can be achievedusing two CW pumps [53].

FOK et al.: OPTICAL LAYER SECURITY IN FIBER-OPTIC NETWORKS 733

Fig. 12. Schematic illustration of anti-jamming through waveband up-conversion or down-conversion.

Fig. 13. Optical spectra of the waveband conversion process. (a) Originalsignal. (b) FWM output with CW pump light at 1547.8 nm, up-conversion isachieved. (c) Signal in new waveband. (d) FWM output with CW pump lightat 1556.0 nm.

VI. PRINCIPLE OF OPTICAL LAYER SECURITY: PRIVACY

Steganography is one way to improve the privacy of a signalby hiding the stealth signal underneath the public transmissionand noise level. Although steganography does not completelyensure signal privacy, it does provide it with an additional layerof protection. Optical steganography was first proposed byWu et al. [2] and the performance of the stealth channel wastheoretically analyzed. [54], [55]. Experimental investigationsof optical steganography illustrate that optical steganographyhas good compatibility with various types of public channels.Examples include transmitted SPE encoded stealth signal in anRZ-OOK public channel [56], RZ-OOK stealth signal undera NRZ-OOK public channel [57], WHTS encoded OCDMAstealth signal through another WHTS public channel [58], andRZ-OOK stealth signal transmission through a NRZ-DPSKpublic channel [59]. Optical steganography is particularly suit-able where the signals are not filtered or digitally regeneratedat nodes, which is the case of many of today’s passive opticalnetworks (e.g., FIOS).As described in Section II-C, optical steganography is

achieved based on temporal stretching of a short optical pulseusing group velocity dispersion (GVD). The use of standard

single-mode fiber (SMF) is a natural way to obtain GVD,while pulse restoration at the receiver is achieved using disper-sion-compensating fibers (DCF). SMF and DCF have a widebandwidth over the whole transmission band, but the dispersioncoefficient is limited. Since the dispersion coefficient of SMFis 17 ps/nm/km, an SMF with length of 10 km is normallyrequired to obtain a sufficient amount of GVD, which yields along latency and is not practical. To address this problem, Foket al. proposed the use of chirped fiber Bragg-grating (CFBG)to replace the SMF and DCF as the dispersion device [9].Although a CFBG do not have a wide bandwidth as in SMF, butthe GVD can be made to be very high using a very short pieceof fiber. For example, dispersion of 130 ps/nm is achievedusing 5 cm of fiber, resulting in total dispersion of 390 psfor 3 nm wide signal. Thus CFBG provides a compact andlow latency solution for optical steganography. Moreover, thedispersion profile of CFBG can be customized which providesmore flexibility in practical implementation than SMFs andDCFs.Recently Hong et al. introduced temporal phase coding de-

vices to realize the stealth signal stretching [60]. The phasecoding devices in the demonstrated system are super-structuredfiber-Bragg gratings (SSFBG), which can also achieve stealthpulse stretching through temporal phase modulation.Previous results demonstrated that it is difficult to know the

existence of stealth signal in the presence of public signals byobserving either the temporal and/or spectral profiles of thetransmitted signals. However, if the adversary suspects there isa certain type of hidden signal, one may try different approachesto see if any sign of the hidden signal can be obtained. Onereasonable trial is to use a tunable dispersion-compensatingdevice to see if there is any sign of the hidden signal. Once theadversary sees a trace of the hidden signal, he can just fine-tunethe dispersion to fully recover the stealth signal. The privacy ofthe stealth transmission is not ensured under such attacks. Toaddress this potential threat, Wang et al. proposed to apply tem-poral phase modulation onto the stretched stealth signal beforesending it into the network to improve the privacy of stealthtransmission [10]. As shown in Fig. 14, after a temporal phasemask is imposed on the spread stealth signal, different portionsof the spread pulse experience different phase shifts. In orderto recover the stealth pulses, the corresponding phase recoveryis required at the receiver in addition to the matched disper-sion compensation, as shown in the stealth channel receiverin Fig. 14. Without phase recovery, the eavesdropper cannotfully recover the stealth signal even with the right dispersioncompensation, and will obtain a much worse signal than thestealth channel receiver, as illustrated in the eavesdropper case

734 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011

Fig. 14. Diagram of temporal phase modulation on spread stealth pulses toimprove stealth transmission privacy.

in Fig. 14. Further analysis shows that it is very difficult todetect the existence of the stealth channel or fully recover thestealth channel when the chip order of the phase mask is large(e.g., 32 chips) [10]. The approach consists of an asynchronousdetection system with a commercial clock-data recovery (CDR)module [10], allowing detection of the recovered stealth signalwithout using clock synchronization.

VII. SUMMARY AND DISCUSSION

In this survey paper, we discuss the vulnerability of op-tical networks towards various types of security threats thatcould appear in the optical layer of a network, and present anoverview of various optical techniques for defending againstthe corresponding security threats. With the use of optical tech-niques, real-time signal processing is realized to improve thesecurity of optical networks. In this paper, we discussed opticalencryption to enhance confidentiality at line rates, while posingless side-channel risk than its electrical counterparts. Varioustypes of optical XOR gates with and without feedback have beenbuilt experimentally. These techniques enable the generationof long key streams from smaller keys or for processing reg-isters used in the process of encipherment by Vernam ciphersto enable a secure optical encryption. Due to the broadbandoperation of fiber optics, anti-jamming through optical fre-quency conversion is achieved to transmit signals outside ofthe jamming band, as well as to improve network availability.The broad spectrum that is inherently obtained from opticalpulses allows optical steganography to be achieved easilythrough temporal stretching based on group velocity dispersionin fibers, or compact fiber Bragg gratings. An optical phasemask can be added to the stealth signal to further improve itssecurity. Although steganography does not completely ensuresignal privacy, it does provide it with an additional layer of pro-tection. We also discuss the use of OCDMA coding to enhancethe availability and confidentiality of the optical network byemploying survivable optical ring architecture and orthogonalcoding for obscurity. OCDMA also provides authenticationcapability to the signal due to its unique coding scheme. Weplan to continue to address this topic in future research.

ACKNOWLEDGMENT

The authors dedicate this paper to their dear friend and col-laborator Ron Menendez.

REFERENCES

[1] P. R. Prucnal, Optical Code Division Multiple Access: Fundamentalsand Applications. New York: Taylor & Francis, 2006.

[2] B. B. Wu and E. E. Narimanov, “A method for secure communicationsover a public fiber-optical network,” Opt. Express, vol. 14, no. 9, pp.3738–3751, May 2006.

[3] M. P. Fok, K. Kravtsov, Y. Deng, Z. Wang, T. Wang, and P. R.Prucnal, “Securing data networks using optical signal processing,” inProc. Int. Conf. Photonics in Switching, Sapporo, Japan, Aug. 2008,Invited paper S-03-5.

[4] Y. K. Huang, B. Wu, I. Glesk, E. E. Narimanov, T. Wang, and P. R.Prucnal, “Combining cryptographic and steganographic security withself-wrapped optical code division multiplexing techniques,” Electron.Lett., vol. 43, no. 25, pp. 1449–1451, Dec. 2007.

[5] J. M. Castro, I. B. Djordjevic, and D. F. Geraghty, “Novel super struc-tured Bragg gratings for optical encryption,” J. Lightw. Technol., vol.24, no. 4, pp. 1875–1885, Apr. 2006.

[6] K. Vahala, R. Paiella, and G. Hunziker, “Ultrafast WDM logic,” IEEEJ. Sel. Topics Quantum Electron., vol. 3, no. 2, pp. 698–701, Apr. 1997.

[7] B. Wu and E. E. Narimanov, “A method for secure communica-tions over a public fiber-optical network,” Opt. Express, vol. 14, pp.3738–3751, 2006.

[8] K. Kravtsov, B.Wu, I. Glesk, P. R. Prucnal, and E. Narimanov, “Stealthtransmission over a WDM network with detection based on an all-optical thresholder,” in Proc. IEEE/LEOS Annual Meeting 2007, pp.480–481, Paper WH2.

[9] M. P. Fok and P. R. Prucnal, “A compact and low-latency scheme foroptical steganography using chirped fiber Bragg gratings,” Electron.Lett., vol. 45, pp. 179–180, 2009.

[10] Z. Wang, M. P. Fok, L. Xu, J. Chang, and P. R. Prucnal, “Improvingthe privacy of optical steganography with temporal phase masks,”Opt.Express, vol. 18, no. 6, pp. 6079–6088, 2010.

[11] Maier , A. Pattavina, S. De Patre, and M. Martinelli, “Optical networksurvivability: Protection techniques in the WDM layer,” Photon. Netw.Commun., vol. 4, no. 3–4, pp. 251–269, 2002.

[12] D. Zhou and S. Subramaniam, “Survivability in optical networks,”IEEE Network, vol. 14, no. 6, pp. 16–23, Nov/Dec. 2000.

[13] Y. Deng, Z. Wang, K. Kravtsov, J. Chang, C. Hartzell, M. P. Fok, andP. R. Prucnal, “Demonstration and analysis of asynchronous and sur-vivable optical CDMA ring networks,” J. Opt. Commun. Netw., vol. 2,pp. 159–165, Apr. 2010.

[14] K. Shaneman and S. Gray, “Optical network security: Technical anal-ysis of fiber tapping mechanisms and methods for detection & pre-vention,” in Proc. IEEE Military Communications Conf. (MILCOM),2004, vol. 2, pp. 711–716.

[15] M. Furdek, N. Skorin-Kapov, M. Bosiljevac, and Z. Sipus, “Analysisof crosstalk in optical couplers and associated vulnerabilities,” in Proc.33rd Int. Convention (MIPRO), May 2010, pp. 461–466.

[16] A. Stok and E. H. Sargent, “The role of optical CDMA in access net-works,” IEEE Commun. Mag., vol. 40, no. 9, pp. 83–87, Sep. 2002.

[17] P. R. Prucnal, M. P. Fok, K. Kravtsov, and Z.Wang, “Optical steganog-raphy for data hiding in optical networks,” presented at the 16th Int.Conf. Digital Signal Processing (DSP 2009), Santorini, Greece, Jul.2009, Paper T3B.4.

[18] T. Wu and A. K. Somani, “Cross-talk attack monitoring and localiza-tion in all-optical networks,” IEEE/ACM Trans. Netw., vol. 13, no. 6,pp. 1390–1401, Dec. 2005.

[19] M. R. Wilson, “The quantitative impact of survivable network archi-tectures on service availability,” IEEE Comm. Mag., vol. 36, no. 5, pp.122–126, May 1998.

[20] V. Alwayn, Optical Network Design and Implementation. Indi-anapolis, IN: Cisco Press, 2004.

[21] M. P. Fok and P. R. Prucnal, “Low-latency nonlinear fiber-based ap-proach for data encryption and anti-jamming in optical network,” pre-sented at the 2008 IEEE/LEOS Annual Meeting, Newport Beach, U.S.,Nov. 2008, Paper ThG 3.

[22] Z. Wang, A. Chowdhury, and P. R. Prucnal, “Optical CDMA codewavelength conversion using PPLN to improve transmission security,”IEEE Photon. Technol. Lett., vol. 21, no. 6, pp. 383–385,Mar. 15, 2009.

FOK et al.: OPTICAL LAYER SECURITY IN FIBER-OPTIC NETWORKS 735

[23] K. Chan, C. K. Chan, L. K. Chen, and F. Tong, “Demonstration of20-Gb/s all-optical XOR gate by four-wave mixing in semiconductoroptical amplifier with RZ-DPSK modulated inputs,” IEEE Photon.Technol. Lett., vol. 16, no. 3, pp. 897–899, Mar. 2004.

[24] M. P. Fok and C. Shu, “Exclusive-OR gate for RZ-DPSK signalsusing four-wave mixing in a highly nonlinear bismuth-oxide fiber,”presented at the 2007 Eur. Conf. Lasers and Electro-Optics and theInternational Quantum Electronics Conference (CLEO/Europe-IQEC),Munich, Germany, Jun. 2007, Paper CD6-3-WED.

[25] K. Vahala, R. Paiella, and G. Hunziker, “Ultrafast WDM logic,” IEEEJ. Sel. Topics Quantum Electron., vol. 3, no. 2, pp. 698–701, Apr. 1997.

[26] M. P. Fok and P. R. Prucnal, “Polarization effect on optical XOR per-formance based on four wave mixing,” IEEE Photon. Technol. Lett.,vol. 22, no. 15, pp. 1096–1098, Aug. 1, 2010.

[27] T. Fjelde, D. Wolfson, A. Kloch, B. Dagens, A. Coquelin, I. Guillemot,F. Gaborit, F. Poingt, and M. Renaud, “Demonstration of 20 Gbit/s all-optical logic XOR in integrated SOA-based interferometric wavelengthconverter,” Electron. Lett., vol. 36, no. 22, pp. 1863–1864, Oct. 26,2000.

[28] M. Jinno and T. Matsumoto, “Ultrafast all-optical logic operations ina nonlinear Sagnac interferometer with two control beams,” Opt. Lett.,vol. 16, pp. 220–222, Feb. 1991.

[29] H. Soto, D. Erasme, and G. Guekos, “5-Gb/s XOR optical gatebased on cross-polarization modulation in semiconductor opticalamplifiers,” IEEE Photon. Technol. Lett., vol. 13, no. 4, pp.335–337, Apr. 2001.

[30] J. H. Kim, Y. M. Jhon, Y. T. Byun, S. Lee, D. H. Woo, and S. H. Kim,“All optical XOR gate using semiconductor optical amplifiers withoutadditional input beam,” IEEE Photon. Technol. Lett., vol. 14, no. 10,pp. 1436–1438, Oct. 2002.

[31] A. Bogoni, X. Wu, I. Fazal, and A. E. Willner, “160 Gb/s time-domainchannel extraction/insertion and all-optical logic operations exploitinga single PPLN waveguide,” J. Lightw. Technol., vol. 27, no. 19, pp.4221–4227, Oct. 1, 2009.

[32] W. Trappe and L. C. Washington, Introduction to Cryptography WithCoding Theory, 2nd ed. Englewood Cliffs, NJ: Prentice-Hall, Jul.2005.

[33] A. J. Poustie, K. J. Blow, R. J. Manning, and A. E. Kelly, “All-opticalpseudorandom number generator,” Opt. Commun., vol. 159, no. 4–6,pp. 208–214, Jan. 1999.

[34] J. M. Martinez, J. Herrera, F. Ramos, and J. Marti, “All-optical corre-lation employing single logic XOR gate with feedback,” Electron. Lett.,vol. 42, pp. 1170–1171, Sep. 2006.

[35] M. P. Fok and P. R. Prucnal, “All-optical XOR gate with optical feed-back using highly Ge-doped nonlinear fiber and a TOAD,” Appl. Opt.,submitted for publication.

[36] M. P. Fok and P. R. Prucnal, “All-optical encryption based on inter-leaved waveband switching modulation for optical network security,”Opt. Lett., vol. 34, pp. 1315–1317, Apr. 2009.

[37] S. Etemad, A. Agarwal, T. Banwell, J. Jackel, R. Menendez, andP. Toliver, “OCDM-based photonic layer ‘security’ scalable to 100Gbits/s for existing WDM networks [Invited],” J. Opt. Netw., vol. 6,pp. 948–967, 2007.

[38] W. Cong, C. Yang, R. P. Scott, V. J. Hernandez, N. K. Fontaine, B.H. Kolner, J. P. Heritage, and S. J. B. Yoo, “Demonstration of 160-and320-Gb/s SPECTSO-CDMAnetwork testbed,” IEEEPhoton. Technol.Lett., vol. 18, no. 15, pp. 1567–1569, Aug. 1, 2006.

[39] C. S. Brès, Y.-K. Huang, I. Glesk, and P. R. Prucnal, “Scalable asyn-chronous incoherent optical CDMA [Invited],” J. Opt. Netw., vol. 6,pp. 599–615, 2007.

[40] T. H. Shake, “Confidentiality performance of spectral-phase-encodedoptical CDMA,” J. Lightw. Technol., vol. 23, no. 4, pp. 1652–1663,Apr. 2005.

[41] T. H. Shake, “Security performance of optical CDMA against eaves-dropping,” J. Lightw. Technol., vol. 23, no. 2, pp. 655–670, Feb. 2005.

[42] Z. Jiang, D. E. Leaird, and A. M. Weiner, “Experimental investigationof security issues in O-CDMA,” J. Lightw. Technol., vol. 24, no. 11,pp. 4228–4234, Nov. 2006.

[43] R. C. Menendez, P. Toliver, S. Galli, A. Agarwal, J. Jackel, J. Young,S. Etemad, A. Agarwal, and T. Banwell, “Network applications ofcascaded passive code translation for WDM-compatible spectrallyphase-encoded optical CDMA,” J. Lightw. Technol., vol. 23, no. 10,pp. 3219–3231, Oct. 2005.

[44] S. Goldberg, R. Menendez, and P. Prucnal, “Towards a cryptanalysisof spectral-phase encoded optical CDMA with phase-scrambling,”in Proc. Optical Fiber Communication Conf., Anaheim, CA,Mar. 2007.

[45] Z.Wang, J. Chang, and P. R. Prucnal, “Theoretical analysis and experi-mental investigation on the security performance of incoherent opticalCDMA Code,” J. Lightw. Technol., vol. 28, no. 12, pp. 1761–1769,Jun. 15, 2010.

[46] N. Wada, G. Cincotti, S. Yoshima, N. Kataoka, and K. Kitayama,“Characterization of a full encoder/decoder in the AWG configurationfor code-based photonic routers-Part II: Experiments and applica-tions,” J. Lightw. Technol., vol. 24, no. 1, pp. 113–121, Jan. 2006.

[47] T. Kodama et al., “Secure 2.5 Gbit/s, 16-ary OCDM block-cipheringwith XOR using a single multi-port en/decoder and its transmission ex-periment with true clock recovery,” in Proc. OFC, 2009, Paper OThI3.

[48] T. Kodama et al., “High-security 2.5 Gbps, polarization multiplexed256-ary OCDM using a single multi-port encoder/decoder,” Opt. Ex-press, vol. 18, pp. 21376–21385, 2010.

[49] E. Ip, A. P. Lau, D. J. Barros, and J. M. Kahn, “Coherent detec-tion in optical fiber systems: Erratum,” Opt. Express, vol. 16, pp.21943–21943, 2008.

[50] S. J. Savory, G. Gavioli, R. I. Killey, and P. Bayvel, “Electronic com-pensation of chromatic dispersion using a digital coherent receiver,”Opt. Express, vol. 15, pp. 2120–2126, 2007.

[51] Z. Wang, L. Xu, T. Wang, and P. R. Prucnal, “Secure optical transmis-sion in a point-to-point link with encrypted wireless CDMA codes,”IEEE Photon. Technol. Lett., vol. 22, no. 19, pp. 1410–1412, Oct. 1,2010.

[52] V. Baby, I. Glesk, R. J. Runser, R. Fischer, Y. K. Huang, C. S.Brès, W. C. Kwong, T. H. Curtis, and P. R. Prucnal, “Experimentaldemonstration and scalability analysis of a four-node 102-Gchip/s fastfrequency-hopping time-spreading optical CDMA network,” IEEEPhoton. Technol. Lett., vol. 17, no. 1, pp. 253–255, Jan. 2005.

[53] M. P. Fok, C. Shu, and D. J. Blumenthal, “Dual-pump four-wavemixing in bismuth-oxide highly nonlinear fiber for wide-band DPSKwavelength conversion,” presented at the 2007 Optical Fiber Commu-nication Conf. and Exposition and the National Fiber Optic EngineersConf. (OFC/NFOEC 2007), Anaheim, CA, Mar. 2007, Paper JThA52.

[54] B. B. Wu and E. E. Narimanov, “Analysis of stealth communica-tions over a public fiber-optical network,” Opt. Express, vol. 15, pp.289–301, 2007.

[55] B. Wu, P. R. Prucnal, and E. E. Narimanov, “Secure transmission overan existing public WDM lightwave network,” IEEE Photon. Technol.Lett., vol. 18, no. 17, pp. 1870–1872, Sep. 1, 2006.

[56] B. Wu, A. Agrawal, I. Glesk, E. Narimanov, S. Etemad, and P.Prucnal, “Steganographic fiber-optic transmission using coherent spec-tral-phase-encoded optical CDMA,” presented at the CLEO/QELS,San Jose, CA, 2008, Paper CFF5.

[57] K. Kravtsov, B.Wu, I. Glesk, P. R. Prucnal, and E. Narimanov, “Stealthtransmission over a WDM network with detection based on an all-op-tical thresholder,” in Proc. 20th Ann. Meeting of the IEEE LEOS, 2007,pp. 480–481.

[58] Y.-K. Huang, B. Wu, I. Glesk, E. E. Narimanov, T. Wang, and P. R.Prucnal, “Combining cryptographic and steganographic security withself-wrapped optical code division multiplexing techniques,” Electron.Lett., vol. 43, pp. 1449–1451, 2007.

[59] Z.Wang and P. R. Prucnal, “Optical steganography over a public DPSKchannel with asynchronous detection,” IEEE Photon. Technol. Lett.,vol. 23, no. 1, pp. 48–50, Jan. 1, 2011.

[60] X. Hong, D. Wang, L. Xu, and S. He, “Demonstration of opticalsteganography transmission using temporal phase coded opticalsignals with spectral notch filtering,” Opt. Express, vol. 18, pp.12415–12420, 2010.

Mable P. Fok (S’02–M’08) received the B.Eng.,M.Phil., and Ph.D. degrees in electronic engineeringfrom the Chinese University of Hong Kong (CUHK),Hong Kong, in 2002, 2004, and 2007, respectively.She was a Visiting Researcher at the University of

California, Los Angeles (UCLA) and the Universityof California, Santa Barbara (UCSB) during 2005and 2006, respectively, where she was engaged inresearch on supercontinuum generation in nonlinearfibers with the former and all-optical processingof advanced modulation format signals with the

later. Currently, Mable is an associate research scholar in the Departmentof Electrical Engineering at Princeton University. She has published over120 journal and conference papers. Her recent research interest is on hybridanalog/digital processing of optical signals based on neuromorphic algorithmand developing new techniques to enhance physical layer information securityin optical communications network.

736 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011

Dr. Fok is the recipient of the Special Merit in 2008 Hong Kong Institution ofScience Young Scientist Awards, First Prize in 2007 IEEE Hong Kong SectionPostgraduate Student Paper Contest, the 2006 Optical Society of AmericaIncubic/Milton Chang Student Travel Grant Award, the 2005 IEEE Lasersand Electro-Optics Society Graduate Student Fellowship Award, and the 2005Thomas HC Cheung Postgraduate Scholarship in Science and Engineeringfrom the Hong Kong Association of University Women.

Zhenxing Wang (S’09) received the B.S. degree inelectronics from Peking University, Beijing, China,in 2006. He is currently working toward the Ph.D.degree in the Department of Electrical Engineering,Princeton University, Princeton, NJ.His research focuses on various types of technolo-

gies on optical signal processing.

Yanhua Deng (S’07) received the B.Eng. degree inelectrical engineering from Cooper Union for the Ad-vancement of Science and Art, New York, in 2006.She is currently working toward the Ph.D. degree inthe Department of Electrical Engineering, PrincetonUniversity, Princeton, NJ.Her graduate research involves all-optical net-

works and network system design based upon opticalCDMA technologies.

Paul R. Prucnal (S’75–M’79–SM’90–F’92) re-ceived the A.B. degree from Bowdoin College(summa cum laude), with Highest Honors in Mathand Physics, where he was elected to Phi BetaKappa. He then received the M.S., M.Phil., andPh.D. degrees from Columbia University, where hewas elected to the Sigma Xi honor society.He was an Assistant and then tenured Associate

Professor at Columbia from 1979 until 1988, when hejoined Princeton University, Princeton, NJ, as a Pro-fessor of Electrical Engineering. He has held visiting

faculty positions at the University of Tokyo andUniversity of Parma. From 1990to 1992, he served as the Founding Director of Princeton’s Center for Photonicsand OptoelectronicMaterials, and is currently the Director of the Center for Net-work Science and Applications. He is widely recognized as the inventor of the“Terahertz Optical Asymmetric Demultiplexer,” an ultrafast all-optical switch,and has done seminal research in the areas of all-optical networks and photonicswitching. His pioneering research on optical CDMA in the mid-1980s initiateda new research field where more than 1000 papers have now been publishedworldwide.With support from the Defense Advanced Research Projects Agencyin the 1990s, his group was the first to demonstrate an all-optical 100-Gb/s pho-tonic packet switching node and optical multiprocessor interconnect. His recentwork includes the investigation of linear and nonlinear optical signal processingtechniques to provide high-speed data confidentiality in communications net-works. He has published over 250 archival journal papers and holds 17 patents.Prof. Prucnal is an Area Editor of the IEEE TRANSACTIONS ON

COMMUNICATIONS for optical networks, and was Technical Chair andGeneral Chair of the IEEE Topical Meeting on Photonics in Switching in 1997and 1999, respectively. He is a Fellow of IEEE with reference to his work onoptical networks and photonic switching, a Fellow of the OSA, and a recipientof the Rudolf Kingslake Medal from the SPIE, cited for his seminal paper onphotonic switching. In 2006, he was awarded the Gold Medal from the Facultyof Physics, Mathematics and Optics from Comenius University in Slovakia, forhis contributions to research in photonics. In 2004, 2006, and 2008, he receivedPrinceton Engineering Council Awards for Excellence in Teaching, in 2006 hereceived the University Graduate Mentoring Award, and in 2009 the WalterCurtis Johnson Prize for Teaching Excellence in Electrical Engineering, as wellas the Distinguished Teacher Award from Princeton’s School of Engineeringand Applied Science. He is editor of the book, “Optical Code Division MultipleAccess: Fundamentals and Applications,” published by Taylor and Francis in2006.