Self-Synchronized Encryption for Physical Layer in Gigabit Ethernet Optical Links

In this work a new self-synchronized symmetric encryption solution for high speed communication systems necessary to preserve the format of the plaintext is proposed, developed and tested. This new encryption mechanism is based on the block cipher operation mode called PSCFB (Pipelined Statistical Cipher Feedback) and the modulo operation. The conﬁdentiality of this mode is analyzed in terms of its IND-CPA (Indistinguishability under Chosen-Plaintext Attack) advantage, concluding that it can be considered secure in the same way as traditional modes are. The encryption system has been integrated in the physical layer of a 1000Base-X Gigabit Ethernet Interface, where the 8b/10b symbol ﬂow is encrypted at line rate. Moreover, an implementation of the proposed system has been carried out in an FPGA (Field Programmable Gate Array) device. Finally, an encrypted optical link has been tested with real Ethernet frames, getting maximum throughput and protecting the data trafﬁc from passive eavesdroppers.


I. INTRODUCTION
In recent decades, we have witnessed the rise of broadband networks, mainly thanks to the advance of communication standards in physical media such as optical fiber. Thanks to them it is possible to provide the high data bandwidth demanded by the customers and the market [1]. To achieve information confidentiality maintaining the information throughput, high speed encryption systems must be used.
Encryption methods can be implemented at different levels of a communication system, for example MACsec [2] or IPsec [3], for layer 2 and layer 3, respectively. Regarding to physical level (layer 1), different solutions have been proposed depending on the transmission medium, such as [4], [5] or [6]. In the particular case of optical networks, physical layer it is considered critical to guarantee secure communications [7], [8], [9].
There are several encryption mechanisms for optical networks at physical layer. Some of them are focused on photonics technologies [9], [10], [11], while others are based on the protocols of the optical system such as in [12], where OTN (Optical Transport Network) frame payloads are encrypted at bit level. Other examples have been shown for 1 Gbps and The associate editor coordinating the review of this manuscript and approving it for publication was Mostafa M. Fouda . 10 Gbps optical Ethernet standards, where several proposals have been developed for 64b/66b [13] and 8b/10b [14] physical encodings. For the particular case of Gigabit Ethernet, the encryption is performed in the PCS (Physical Coding Sublayer) layer before the 8b/10b encoder. In this way it is possible to preserve the coding properties such as the transition density and short run length, that are necessary to facilitate the operation of the remote CDR (Clock and Data Recovery) circuits [15] at the physical layer. In addition, to preserve the coding properties it is necessary to perform a kind of encryption able to preserve the format of the plaintext, in this case the 8b/10b symbol flow.
This kind of encryption is usually called FPE (Format Preserving Encryption), and although many solutions have been proposed about it [16], the only ones approved by the NIST (National Institute of Standards and Technology) are the FF1 and FF3 modes of operation [17].
As far as the authors are concerned, there are no standardized solutions for FPE self-synchronized stream ciphers, but some proposals have been made. For example in [18], where the self-synchronized PSCFB operation mode was proposed to be used with the underlying FPE block cipher in [14]. An important issue regarded with symmetric encryption stream ciphers is that these must synchronize their keystreams before starting the encryption session. Furthermore, in case of missing the synchronization in the middle of a session, VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ an ad-hoc mechanism or protocol must be implemented to recover it. With the use of self-synchronized stream ciphers it is possible to dispense with these extra communication processes. Unfortunately, self-synchronized solution in [18] uses internally the recommended FF3 scheme that is based on a non-binary Feistel structure, which is formed by several processing stages where an AES (Advanced Encryption Standard) block is required in each one of them. This scheme increases the hardware complexity of the resulting FPE self-synchronized solution with respect to other non-FPE ciphers.
On the other hand, the PSCFB mode has an encryption efficiency that can be inherently less than 100% [19]. If E K is an underlying block cipher working in PSCFB mode, the encryption efficiency represents the number of ciphertext bits that can be produced in PSCFB mode relative to the number of output bits produced by E K working in a basic CTR (Counter) mode. As consequence of having an efficiency lower than 100% it is necessary to use input and output queues in the PSCFB structure, which increases the latency introduced by the encryption system [19].
In order to reduce the hardware complexity of possible selfsynchronous FPE stream ciphers, in this work a new structure able to preserve the format of the plaintext is proposed. It is based on a recommended block cipher working in an operation mode that is a synergic combination of PSCFB and CTR-MOD [20] modes. We have called it PSCFB-MOD.
Since this new proposed operation mode uses as underlying block cipher a recommended binary block cipher instead of an FPE one, as in [14] and [18], it is possible to reduce the hardware complexity introduced by the Feistel structure. In addition, with this new encryption scheme the input and output queues are not needed, which reduces the latency introduced by the encryption system. By using a recommended underlying block cipher, for instance AES, it is possible to develop a formal security proof, in the same way as in traditional confidentiality-only operation modes, such as CTR or CBC (Cipher Block Chaining). The formal security proof consists of the IND-CPA (Indistinguishability under Chosen Plaintext Attack) advantage expression of any adversary attacking this scheme.
Although PSCFB mode has been previously implemented in Ethernet communications, as in [13], it is important to remark that it has been done for 10 Gigabit Ethernet links using the 64b/66b encoding, different to 8b/10b, which is used in this work. Therefore, the application of PSCFB-MOD in this work entails an architecture different to the used in [13], that is able to preserve the format of gigabit Ethernet symbols and needs a different IND-CPA analysis.
The paper is divided in five sections. In Section II an introduction about Gigabit Ethernet standard, CTR-MOD mode and self-synchronized encryption is given. Section III presents the security analysis and the hardware implementation of the proposed PSCFB-MOD scheme and their comparison with the traditional CTR. Subsequently, Section IV deals with the set-up and encryption results. Finally, in Section V conclusions are given.

II. IMPORTANT CONCEPTS A. OPTICAL GIGABIT ETHERNET ENCRYPTION
Although there are no standardized solutions for FPE stream ciphers, its usage could be relevant in communications where a high encryption rate is necessary, as in physical layer 1000Base-X for optical Gigabit Ethernet systems [14].
In [14] encryption is carried out in the PCS sublayer where the 8b/10b encoding is performed. Since the 8b/10b encoding is used to provide important properties to the bitstream, it is necessary to preserve the format of the 8b/10b symbols. Therefore, the encryption of a gigabit Ethernet symbol must give as result another valid symbol that must be within the group of symbols supported by the standard, which means to perform an FPE encryption.
Encryption and decryption modules are located in the physical layer datapath as shown in Fig. 1, before the 8b/10b encoder/decoder. In this figure an Ethernet Interface is shown. It is composed of the MAC (Medium Access Control) and PHY layers. PHY module includes PCS, PMA (Physical Medium Attachment) and PMD (Physical Medium Dependant) sublayers.
Inside the ENCRYPT module, FPE encryption is performed as shown in Fig. 2. If S is the possible number of different 8b/10b symbols, using the MAP block, each symbol is mapped to an integer value in the range {0, . . . , S − 1} to get a plaintext in radix S. The plaintext is added modulo-S to a keystream, which is also in radix S, to obtain the ciphertext. ENCRYPT and DECRYPT modules perform the format preserving encryption/decryption of 8b/10b symbols at the PCS sublayer. TX_SERIAL and RX_SERIAL are the serializer/deserializer modules that transmit and receive the bitstream from the optical link. Finally This ciphertext is reverse mapped in the DEMAP module to get the final 8b/10b encrypted flow. The ciphered 8b/10b symbols will be encoded to 10-bit values and sent to the serializer.

B. CTR-MOD OPERATION MODE
CTR-MOD mode can be considered a kind-of counter mode where the counter is in binary radix with a length of l CTR−MOD bits while the keystream output is a stream of symbols in radix S, which is generated thanks a function called F K _MOD. The ciphertext is obtained thanks to the modulo-S addition between the keystream and the plaintext. This mode next to the traditional CTR are shown Fig. 3a and Fig. 3b, respectively.
F K _MOD can be considered a PRF (Pseudo Random Function) such that F K _MOD: K× {0, 1} l CTR−MOD → {0, . . . ,S − 1}. It is configured with a random key K taken from the keyspace K (K K). F K _MOD is built thanks to a block cipher E K as shown in Fig. 3a. In this figure the block cipher is modelled as a PRF such that E: K× {0, 1} l CTR−MOD → {0, 1} l CTR−MOD , where l CTR−MOD (the counter length in bits) is also its block size. Its least significant L output bits are taken as input of a modulo-S operation, which is the same as performing the modulo-2 L operation at the output of E K . Finally we can represent F K _MOD(x) in terms of E K , such that F K _MOD(x) = (E K (x) mod2 L )modS.

C. SELF-SYNCHRONIZED ENCRYPTION
Several mechanisms have been proposed for selfsynchronized encryption. On the one hand, there are some proposals based on ad-hoc self-synchronized stream ciphers such as those proposed in eSTREAM project: SSS and Mosquito [21]. However, they were dismissed due to their vulnerabilities [22], [23]. On the other hand self-synchronized stream ciphers can be built thanks to block ciphers working in certain operation modes such as CFB (Cipher Feedback), OCFB (Optimized Cipher Feedback) [24], SCFB (Statistical Cipher Feedback) [25] or PSCFB (Pipeline Statistical Cipher Feedback) [19]. Among them, PSCFB can be considered the best in terms of encryption throughput, as it can reach a value near to 100%.
The PSCFB operation mode is shown in Fig. 4. It is considered a combination of two NIST recommended operation modes, CTR and CFB. The underlying block cipher E K has a block size of l bits and its structure is a pipelined architecture with P stages. It works initially in CTR mode, while the ciphertext is scanned to find a special n-bit sequence called synchronization pattern. As it is possible to assume that the output values of E K working in CTR mode are random and independent, the resulting ciphertext can be considered a random stream after performing the XOR operation between the keystream and the plaintext.
Due to the randomness of the ciphered values, the sync pattern is detected at a statistical random point in the ciphertext. When the pattern is detected, the underlying block cipher E K does not increment its counter. Instead, it captures the next l ciphertext bits after the sync pattern and uses them as IV (Initialization Vector) to feed back the counter value at the block cipher input. This operation is equivalent to that made by a block cipher working in CFB mode. Moreover, as the block cipher has a pipeline architecture with P stages, it is necessary to disable the sync pattern scanning since the IV is captured until E K (IV ) is available as new keystream block, P cycles later. This interval is called the blackout period and FIGURE 4. Structure of PSCFB mode for encryption and decryption. The block cipher E K (·) has a block size of l bits, and is implemented using P internal stages. CNT block represents the counter of this mode.  it is formed by the IV captured after sync pattern and the next P-1 ciphered b locks of l bits. The complete synchronization cycle is shown in Fig. 5a.
After the counter CNT of Fig. 4 is momentarily loaded with the new IV, it continues with its normal operation, which means a continuous increment (as in CTR mode) until a new sync pattern is found in the ciphertext. In that case, the load operation of the IV is produced again and a new synchronization period starts.
Let us name W to the random bit-length of the scan period and L IV to the length of the IV, then, as mentioned in [19], the average size in bits of a complete sync period u is formed by the length of the sync pattern, L sp = n, the blackout period, L bp = L IV + l · (P − 1), and the average of the scan period length, L scan = EW , until next sync pattern. Therefore, u can be expressed as: since L IV = l bits.

III. PSCFB-MOD OPERATION MODE A. PSCFB-MOD DESCRIPTION
To achieve self-synchronization in the encryption/decryption of a plaintext in radix S, the first approach could be applying PSCFB operation mode using an FPE block cipher instead of a traditional one in binary radix, such as AES. Both PSCFB structures, in binary and non-binary radix, are shown in Fig. 6a and Fig. 6b, respectively. On the one hand, the block cipher E K in Fig. 6a has to be substituted by an FPE block cipher F K , such as the FF3 structure built in [14]. On the other hand, the XOR operation in Fig. 6a must be replaced by a modulo-S addition to generate the ciphertext in radix S. These modifications in Fig. 6a results in the structure of Fig. 6b, and it corresponds with the PSCFB mode in radix S that was firstly proposed in [18].
In both solutions, after the sync pattern is detected, the IV is captured and used to refresh the counter value. This IV has a length equals to the input block size l and the same radix as the ciphertext and plaintext.
In this work, to reduce the hardware complexity and latency of this first approach, PSCFB-MOD mode is proposed. Instead of using a block cipher, with the same width and radix for its input and output, a PRF F K _MOD as described in Section II-B has been used, such that The resulting structure is shown in Fig. 6c.
The main difference between this mode and the previous of Fig. 6a and Fig. 6b is that the width and radix at the input of the underlying encryption function F K _MOD is different to its output. While its input has a binary radix and an l-bit length the output is in radix S and it only has a length of one symbol. For this reason, if the captured IV in PSCFB-MOD mode has a length of L IV symbols in radix S, it must be transformed to an IV with length of l-bits, which means the same size and radix as the counter and the input of F K _MOD.
Let us name the captured Initialization Vector in radix S as IV S , then the IV used to refresh the l-bit counter should be FIGURE 6. Structure of (a) PSCFB mode in binary radix, (b) PSCFB mode in radix S, and (c) PSCFB-MOD mode. E K represents the block cipher in binary radix and a block size of l bits. F K represents the FPE block cipher in radix S and a block size of l symbols. Symbols in cases (b) and (c) are in radix S. obtained from IV S thanks a function T(·), such that: The IV S can be represented by a vector of L IV symbols in radix S such that IV S = IV S0 ,IV S1 , . . . ,IV SL IV −1 . The transformation function T(·) has consisted on two steps. Firstly, the numeral string IV S in radix S is converted to its binary radix representation with the function NUM(·), secondly the result from this conversion is truncated to its least significant l bits to get the IV of length l. Therefore T(·) can be expressed as: Other issue that has to be taken into account is the length of the sync pattern. In the case of PSCFB in binary radix in Fig. 6a, this pattern is n-bit length. However, in PSCFB schemes for Fig. 6b and Fig. 6c, as the radix is S, the sync pattern will have a length of n symbols. This length will influence in the desired SRD (Synchronization Recovery Delay) for the PSCFB encryption scheme [26], as we discuss in Subsection III-F.
The structure of a synchronization period of PSCFB-MOD is shown in Fig. 5b. As the output block size of F K _MOD is one symbol the blackout period will be formed by the L IV symbols captured after sync pattern and the next P-1 ciphered symbols. According to this, the average length in symbols of a complete sync period u is shown in (4) in a similar way as in (1).
where W is the random length in symbols of the scan period.

B. IND-CPA SECURITY IN CTR AND PSCFB MODES
Usually the security of the confidentiality-only operation modes for block ciphers is studied in the sense of IND-CPA (Indistinguishability under Chosen-Plaintext Attack) security [27]. A metric called adversary advantage is obtained thanks to a game between an active adversary A and an encryption oracle performing the target encryption scheme Sε. This encryption scheme Sε is configured with a key and an experiment bit b, which the adversary tries to guess.
During the game the adversary sends to the oracle a sequence of p pair of messages ( To measure the success of the adversary in breaking a symmetric encryption scheme Sε, the adversary advantage is defined in [28] as in the following equation: is the IND-CPA advantage of the adversary A over the encryption scheme Sε, and Pr b = b is the probability of the adversary A of guessing the correct value of configuration bit b. The advantage of A can be understood as the excess of this probability over 1/2. When the 'guess' probability is almost 1/2 and then the adversary advantage is negligible, the encryption scheme Sε can be considered secure.
It is demonstrated in [29] that an adversary B attacking the PRF security of the underlying block cipher E K of Sε can be built thanks to the adversary A, and their advantages are related as follows: is the prf-advantage of any adversary B over E K as defined in [27].
In the formal security proofs of CTR and PSCFB modes, expression in (6) can be particularized changing SE term by CTR and PSCB names, respectively: where  [29], [13]. It allows to reach the final advantage expression of both operation modes.
In [29] it is proven that: where P Sε (col) is the probability of a collision among the counter values used during the adversary game, it means the probability of a counter value repetition. According to this, (7) and (8) can be rewritten as: where P CTR (col) and P PSCFB (col) are the counter collision probability for CTR and PSCFB, respectively. Since in CTR mode the counter is incremented in each encryption step and it is never repeated, the probability of collision is zero: P CTR (col) = 0. However, during the VOLUME 8, 2020 IND-CPA game for PSCFB mode it is possible for the counter to be fed with a new IV value when the sync pattern is detected randomly at some point of the ciphertext. As this new counter value is a random one, this and the subsequent values of the counter during the next synchronization cycle could produce a collision with the values of the counter in previous cycles, then P PSCFB (col) = 0. According to this, in [29] and [13] P SE (col) is obtained, giving rise to the following expressions: For the specific case of PSCFB the second term P PSCFB (col) is not zero. This term depends on some parameters that define the architecture of the PSCFB scheme, such as the block size l and the number of pipeline stages P of the block cipher E K , and also on the quantity of information bits µ encrypted by the oracle during the adversary game. From (12) and (13) it is possible to conclude that CTR mode, although it does not have the self-synchronous property, it is inherently more secure than PSCFB when using the same underlying block cipher E K . Although the first term ADV PRF E K in both expressions is the same, the second one in CTR is zero, which makes IND-CPA advantage be lower in CTR than in PSCFB mode.
In the same way as in PSCFB, it is possible to obtain an IND-CPA advantage expression for PSCFB-MOD, in terms of some parameters of its encryption scheme. The idea in this work is to stablish the bounds for these parameters, under which the resulting structure of PSCFB-MOD is better in terms of IND-CPA advantage than an operation mode taken as reference. Particularly, the mode used as reference has been CTR, since, in general, it can be considered the best to achieve confidentiality-only encryption [30].
The expression of the IND-CPA security for PSCFB-MOD mode is given in Subsection III-C, while its proof is shown in Appendix A. The comparison analysis between PSCFB-MOD and CTR is explained in Subsection III-D.

C. IND-CPA SECURITY IN PSCFB-MOD MODE
It is possible to express the IND-CPA security of PSCFB-MOD mode according to the following theorem: . . ,S − 1} be the underlying function of the encryption scheme SE that corresponds with PSCFB-MOD symmetric encryption mode. Let A be an adversary attacking the IND-CPA security of SE that asks at most p queries formed each one for a pair of messages (M 0 i , M 1 i ) with a length of m i symbols of radix S. The p message queries will produce a total number of q encrypted symbols, which means that q = i=p i=1 m i . Then, it is possible to express the IND-CPA advantage of A over the PSCFB-MOD scheme in terms of the prf-advantage of any adversary over the block cipher E K that is part of the F K _MOD function, such that: where ADV PRF E K (B) is the prf-advantage of any adversary B over E K , E K corresponds to the block cipher that is part of the F K _MOD function, P is the total number of pipeline stages in F K _MOD, L IV is the length of the IV S used in PSCFB-MOD scheme and I is the difference between L (the input bit length of modulo-S operation in F K _MOD) and T , with T = log 2 S.
As soon as L ≥ 128 + log 2 (1 + 2S) the term P max r i can be expressed as: where l is the block size of E K . The proof of Theorem 1 is developed in Appendix A.

D. SECURITY ANALYSIS: PSCFB-MOD VS CTR
Although usually block ciphers are analyzed as PRFs, PRPs (Pseudo Random Permutations) are what best models them. Thanks to the PRF-PRP switching lemma [31] it is possible to relate the PRF and PRP advantages of an adversary against a block cipher as shown in (16).
where ADV PRF E K (A) and ADV PRP E K (A) are the prf-advantage and prp-advantage of adversary A against block cipher E K , respectively. The block size is l and the number of encryption queries performed by the adversary during the prf-advantage game is q.
According to (16), IND-CPA advantages for CTR and PSCFB-MOD in (12) and (14) can be rewritten as: where E K is the underlying block cipher, l CTR and l PSCFB−MOD are the block sizes of E K in CTR and PSCFB-MOD, respectively, and q CTR and q PSCFB−MOD are the number of encrypted blocks and symbols during the IND-CPA games of each mode. For each encrypted block, CTR mode encrypts l CTR information bits, while for each encrypted symbol PSCFB-MOD encrypts T information bits (T = log 2 S). Therefore, the total number of encrypted bits in each mode during the IND-CPA game are µ CTR = q CTR · l CTR for CTR mode and µ PSCFB−MOD = q PSCFB−MOD · T in PSCFB-MOD mode, respectively. According to this, it is possible to express the advantages of (17) and (18) in terms of the encrypted bits and compare them with the IND-CPA advantages of other well-known operation modes, as shown in Table 1.
We want to parametrize the structure of PSCFB-MOD to get a security at least better than the CTR mode when encrypting the same amount of information. It means to obtain the constraints needed to meet condition (19).
We assume that in both modes it is used a secure underlying block cipher E K that can be considered a good PRP, which means that the term ADV PRP E K is negligible in both expressions, (17) and (18). According to this, it is only necessary to compare the second term of both advantage expressions to meet (19), as shown in (20).
Let us name l PSCFB−MOD as l. Since (20) can be rewritten as: where Assuming what is mentioned in Theorem 1, as soon as L ≥ 128+log 2 (1 + 2S), condition P max r i ≤ 1/2 l +1/S L IV is met. Then by substituting P max r i expression in (21) and doing some transformations we get (22) and (23).
As µ ≥ 1 bit and P ≥ 1, if (23) is met for µ = 1 it is met for every µ, and the same happens with P. Then (23) can be rewritten giving rise to the final condition: Equation (24) is the final condition necessary to fix the values of the PSCFB-MOD parameters such as l, L and L IV . Note that also condition mentioned in Theorem 1 must be met, then it has also been included in (24). According to this, we can conclude that if the underlying block ciphers used in CTR and PSCFB-MOD modes are good PRPs and have a negligible ADV PRP E K term, it is possible to obtain a PSCFB-MOD configuration to achieve the same or better IND-CPA security than CTR when encrypting the same amount of information. The parameters of PSCFB-MOD scheme l, L, and L IV will depend on the block size l CTR of the CTR mode taken as reference and the radix S of the plaintext, as T = log 2 S. Expression in (24) will be the constraint necessary to achieve condition (19).

E. PSCFB-MOD HARDWARE IMPLEMENTATION FOR 1000BASE-X
As we have mentioned in Section I the PSCFB-MOD encryption system has been adapted to work in the 1000Base-X physical layer for Gigabit Ethernet standard. In this standard only 267 possible symbols are valid in the 8b/10b encoding, which means that S = 267.
On the other hand, we assume that we want to achieve at least a better IND-CPA security than a standard and recommended block cipher, such as AES, working in CTR mode with a standard block size of l CTR = 128 bits. According to this, (24) can be rewritten as: where T = log 2 S ∼ = 8.06 and I = L − T . In this work, we have used the same structure for F K _MOD than in [20], letting parameters l and L as fixed values such that l = 192 and L = 149. Therefore to accomplish with (25) it is also necessary that L IV ≥ 17.
If we substitute the keystream generator of Fig. 6c in the generic structure of Fig. 2, and set the PSCFB-MOD parameters as l = 192, L = 149 and L IV = 17 then it is possible to get the final encryption scheme for PCS sublayer in 1000Base-X standard as shown in Fig.7.
In the same way as in [20], to get a block size l = 192, we have used as underlying block cipher E K a Rijndael structure configured with 192 bit block size and 128 bit key length. For modulo operation functions, the block MOD_2 149 of Fig. 7 is simply to take the 149 least significant bits VOLUME 8, 2020 Overall structure for PSCFB-MOD mode in a physical layer with 8b/10b encoding. Decryption will be as encryption but using a modulo-267 subtraction instead of an addition.
of the Rijndael output, while MOD_267 module uses more resources as 267 is not a power of two. Its implementation has been based on [32], which presents a high-speed hardware structure for a generic operation 'x mod z'.
The PSCFB-MOD structure shown in Fig. 7 has been synthetized in a Xilinx Virtex 7 FPGA (Field Programmable Gate Array) and the hardware resources used by this solution are shown in Table 2 in terms of LUTs (Look-Up Tables), registers and block RAMs. In this table PSCFB-MOD implementation is compared with other FPE implementations [33], [20], showing that this work entails a good Encryption_Rate/resource ratio. Although in this work the mode PSCFB-MOD entails more hardware resources than CTR-MOD [20], it is at expense of adding the self-synchronization property.
Regarding the comparison with the other PSCFB solution in radix S [18], another benefit of this work is that it does not need input and output queues, which makes it better in terms of encryption latency. While in [18] latency introduced in the PCS datapath is 648 ns, in this work it is only 48 ns.
As mentioned in the Introduction, in the original PSCFB specification [19] input and output queues are needed to store information temporarily during periods of resynchronization, where partial block cipher outputs are used to encrypt data due to the fact that the sync pattern is not aligned with the end of the block cipher output. It makes PSCFB mode inherently to have an encryption efficiency that can be less than 100%, which makes necessary the usage of input and output encryption queues increasing its overall latency as in [18].
However, in PSCFB-MOD the sync pattern (formed by n symbols) is always aligned with the output block size of F K _MOD as it is only one symbol length. It means that no queue is needed in this encryption scheme, which makes the encryption throughput be 100% and reduces substantially the overall latency.
The test set-up for the complete Gigabit Ethernet interface and the encryption results are shown in Section IV.

F. SYNCHRONIZATION RECOVERY DELAY DISCUSSION
The SRD (Synchronization Recovery Delay) is the metric used to examine the resynchronization properties of SCFB and PSCFB modes [26]. It is defined as the expected number of bits following a sync loss before synchronization is reestablished. According to [19], upper and lower bounds for SRD depend on the block size of the underlying block cipher, the number of pipelines P and the size of the synchronization pattern n.
As shown in Fig. 5, a sync cycle is composed of fixed length data such as the sync pattern and blackout period, and a variable length data formed by the scan period with a length of W bits or symbols. In [25] and [19] it is shown that W follows a probability distribution that can be approximated by a geometric distribution such as: where n is the length of the sync pattern in bits and p = 1/2 n . When the radix of the symbols is S instead of 2, as in this work or in [18], it is possible to reach the same conclusion, but using p = 1/S n . According to this, the expressions for the first and second moment of the distribution of W will be as in [25] and [19], but using S as radix: As in (1), we can express, in a generic way, the average sync cycle size in symbols instead of bits. It is the sum of the sync pattern, blackout period and scan period: where u is the average sync cycle size in symbols, l is the output block size of the underlying encryption function in 89734 VOLUME 8, 2020 symbols, L IV is the size of the IV after the sync pattern and P is the pipeline stages. The same reasoning in [19] relative to the bit slips and misalignments can be made for [18] and this work, but using symbols in radix S instead of bits. Thank to this, the lower bound of SRD can be express in the same way as in [19]: If we call m = n + L IV + l · (P − 1), then, as in [19], but using radix S instead of binary radix, it is possible to express the upper bound as: With both equations, (29) and (30), we can get the theoretical upper and lower bounds for SRD in PSCFB modes with radix S.
As in [25] and [19], with small values of n, better SRD are obtained. Indeed, with the parameters used in this work for S, P, L and L IV the values for SRD become huge when n > 1. Then, for a feasible solution n has been set to the minimum n = 1.
As the symbol cycle lasts 8 ns in 1000Base-X standard, the upper bound for SRD will be approximately 12.94 µs and 3.56 µs for PSCFB in [18] and PSCFB-MOD in this work, respectively.

A. ENCRYPTION SET-UP
The KEYSTREAM GENERATOR and CIPHER OPER-ATION modules in Fig. 7 have been integrated in the ENCRYPT and DECRYPT modules of the Ethernet Interface described in Fig. 1, which has been implemented in a Xilinx Virtex 7 FPGA. On the one hand, the Ethernet Interface is connected to an SFP (Small Form-Factor Pluggable) module capable of transmitting at a rate of 1.25 Gbps. On the other hand, it is attached to an Ethernet Frame Generator able to generate and analyze real Ethernet traffic flows composed by data frames. The test set-up is shown in Fig. 8 and Fig. 9, where two FPGA eval boards are faced to test an encrypted optical link.

B. ENCRYPTION THROUTHPUT AND LATENCY
Several conclusions can be drawn from simulation and hardware debugging. On the one hand, it is possible to conclude that encryption/decryption is performed correctly and synchronously achieving the 100% of the encryption throughput.  In particular, bursts of 1024-byte length frames were tested with a duration of 10 7 frames transmitted using the maximum possible bandwidth of 98%, according to the minimum standard IFG (Inter Frame Gap). Another advantage is that the proposed encryption system only introduces a total extra latency of 48 ns in the PCS datapath, which includes the overall latency of PSCFB-MOD mode without queues.
These advantages of performing encryption at physical layer contrasts with encryption techniques at other layers [34] [35], which introduces overhead on data frames and reduce the overall data bandwidth. For example, in IPsec the encryption overhead can reduce the overall throughput between 20% and 90% of the maximum achievable [36]. In addition, regarding to the previously mentioned latency we can conclude that this work can perform encryption with comparable latency figures to those achieved by other physical layer techniques such as in OTN encryption [12], where latency is in the range of hundreds of nanoseconds [37].

C. TRAFFIC PATTERN ENCRYPTION
One of the benefits of this kind of encryption, as mentioned in [14], is that it is possible to mask data patterns and hide the presence of transmitted frames, for example by making unrecognizable their beginning and end, and also their complete headers, therefore hiding statistical traffic features, which could improve the overall security. As in [14], to prove this capability SE (Shannon Entropy) has been measured as shown in (31) for different encrypted and non-encrypted data traffic patterns. The 8b/10b symbol stream for each traffic pattern, mapped between 0 and S − 1, has been grouped in tuples of t symbols called β t , and the probability for each tuple, P(β t ), has been calculated. Particularly, SE has been measured for values of t from 1 to 3.
SE result is given in bits/symbol. Ideally, if every t-tuple (β t ) is equally likely with probability P (β t ) = p = S −t the value of Shannon Entropy for every t should be as in (32).
· S t · p · log 2 p = log 2 S = log 2 267 ∼ = 8.0606 (32) Owing to the limited memory in FPGA hardware resources, measurements for each pattern have been calculated at simulation stage. The results for SE values has been shown in Table 3. In this table it is possible to note that encrypted flows (values in column 'E') achieve the maximum entropy value while non encrypted flows (values in column 'NE') achieve a value different for each traffic pattern and lower than the maximum in (32). This fact shows that the different traffic patterns are indistinguishable when encryption is active, which proves the masking property of the proposed scheme.

V. CONCLUSIONS
In this work the authors have presented a new selfsynchronous symmetric encryption scheme able to cipher data preserving its format. The security analysis has been carried out concluding that it is possible to get at least the same or better security than classical CTR mode structures using 128-bit block size ciphers. In addition, as the underlying block cipher in the proposed mode can be a recommended one in binary radix, the hardware complexity is reduced in regards to the typical FPE modes, such as FF1 or FF3. The proposed solution has been parametrized to work in an optical Ethernet Interface with encryption capabilities. It has been tested with real Ethernet traffic proving its masking property at physical layer. The implementation results also give a better Encryption_Rate/Slice ratio than other existing implementations for FPE solutions. Moreover, the proposed self-synchronous encryption structure does not need input and output queues, which contrasts with typical PSCFB schemes, reducing the latency introduced in the encryption datapath.

APPENDIX A PROOF OF THEOREM 1
By taking into account that the underlying encryption function of PSCFB-MOD is F K _MOD instead of E K , it is possible to express directly its IND-CPA advantage expression in the same way as with PSCFB in (11), such that: where ADV IND−CPA PSCFB−MOD is the advantage of A attacking the PSCFB-MOD scheme when its underlying function is the PRF F K _MOD, ADV PRF F K _MOD is the prf-advantage over F K _MOD and P PSCFB−MOD (col) is the collision probability of the counter during the IND-CPA game for PSCFB-MOD.
According to the following two lemmas it is possible to proof Theorem 1.
Lemma 1: Let F K _MOD: K× {0, 1} l → {0, . . . ,S − 1} be a PRF, such that F K _MOD(x) = E K (x) mod2 L modS, as defined in Section II-B, where S is not a power of two, E K is a block cipher with block size l and L is an integer number smaller than l. Then, according to [20], any adversary A making q oracle queries when attacking the prf-security of F K _MOD will obtain an advantage bounded by the following expression: where I = L − T , T = log 2 S and ADV PRF E K (B) is the prf-advantage of any adversary over E K . Note that in the definition of the prf-advantage ADV PRF F K of any adversary over a generic PRF F K [27], the adversary sends q blocks of data to an oracle able to perform that PRF. Then the oracle answers to the adversary with the q encrypted blocks. In the case of the advantage over F K _MOD, as it has an input size of l-bits and an output size of one symbol in radix S, the q queries performed by the adversary will correspond with q encrypted symbols instead of q blocks of l-bit width.
Lemma 2: Let F K _MOD: K× {0, 1} l → {0, . . . ,S − 1} be a PRF, such that F K _MOD(x) = E K (x) mod 2 L mod S, where S is not a power of two, E K is a block cipher with block size l and L is an integer number smaller than l. Then the term ADV PRF F K _MOD can be considered lower than the prf-advantage over a generic block cipher with block size l REF bits as soon as L ≥ l REF + log 2 (1 + 2S). Lemma 3: Let SE be a PSCFB-MOD scheme with an underlying encryption function F K _MOD such that where L IV is the length of the IV S used in the PSCFB-MOD scheme, P is the number of pipeline stages for F K _MOD and q is the number of encrypted symbols during the p message queries performed in the IND-CPA adversary game against this encryption mode. Then the probability of collision P SE (col) of any counter value during the p queries is bounded by the following expression: where P max r i ≤ 1/2 l + 1/S L IV as soon as the parametrization of F K _MOD makes it be a good PRF when comparing it with a recommended block cipher with a 128 bit block size, as specified in Lemma 2. It means that L must meet the condition L ≥ 128 + log 2 (1 + 2S).
By substituting the terms ADV PRF F K _MOD (A) and P PSCFB−MOD (col) of equations (34) and (35) in (33) it is possible to get as result equation (14) which proves Theorem 1.
Expression of Lemma 1 is already proven in [20]. For clarity purposes proofs of Lemma 2 and Lemma 3 are included in Appendices B and C, respectively.

APPENDIX B PROOF OF LEMMA 2
In the proof of Lemma 2 it is necessary to take into account that the underlying encryption function in PSCFB must be a good PRF. In this way it is possible to consider that its output values are random and independent. As F K _MOD is the underlying function in PSCFB-MOD then it is necessary to know under what condition we can consider it as a good PRF.
According to [27] when a random function works as the underlying function in a counter scheme, successive values of the counter makes the output values of the function be random and independent. When the underlying function is not a random one, but a PRF, then if the prf-advantage of any adversary over this function is low enough we can consider that the PRF is undistinguishable from a random function and its output values also can be considered random and independent.
In general, recommended block ciphers can be considered good enough to generate random values as keystream in counter schemes such as CTR or PSCFB. The idea of this proof is to compare the prf-advantages of a recommended block cipher and the function F K _MOD. Let be E K _REF the block cipher used as reference with a block size of l REF bits. Let be F K _MOD a PRF such that F K _MOD(x) = E K (x) mod 2 L mod S, where E K is a block cipher with block size l and L is an integer number smaller than l.
Then their prf-advantages should be related as in (36).
According to Lemma 1 [20] prf-advantage of F K _MOD is bouded by the following expression: where q is the number of queries performed during the prfadvantage game and I = L − T .
On the other hand, thanks to PRF-PRP switching lemma expression (16) it is possible to rewrite prf-advantages of F K _MOD and E K _REF as: where q REF are the number of queries performed during the prf-advantage game of E K _REF . By taking into account (38) and assuming that we want to get a better bound for the prf-advantage with F K _MOD than with E K _REF when performing the same number of queries in the prf-game, which means q REF = q, then (36) can be expressed as: We assume that in both cases secure underlying block cipher E K and E K _REF are used. As block ciphers can be considered good PRPs it means that the term ADV PRP E K is negligible in both sides of the condition in (39). According to this, it is only necessary to compare the second term of both advantage expressions to meet (39).
As q ≥ 1 the left side of (40) is maximum with q = 1. Then if (40) meets for q = 1 it will met for every q. Therefore: As L ≤ l, let be d = l − L. Since I = L − T , then: By doing some transformations in (42) we get: As d ≥ 0 the right side in (43) will be maximum with d = 0.
In addition T = log 2 S. Therefore (43) can be rewritten as: Equation (44) will be the condition to meet (36) and consider that F K _MOD is a better PRF than a block cipher with block size l REF , which proves Lemma 2. VOLUME 8, 2020

PROOF OF LEMMA 3
The generic expression for the collision probability P SE (col) of the counter values during the IND-CPA game against counter based encryption schemes SE is given in [29]. Particularly, traditional CTR and CTR$ modes are analyzed. In CTR mode the counter values are never repeated while in CTR$ the counter is reset to a random value at the beginning of a message query, which means that some repetition can happen between the counter values used to encrypt different messages.
As mentioned in Section III-B each message query in the IND-CPA game is formed by a pair of messages (M 0 i , M 1 i ) with a length of m i blocks of data. The p message queries will produce a total number of q encrypted blocks, which means that q = i=p i=1 m i . These blocks of data have the same length and radix as the output of the underlying encryption function. In the case of PSCFB-MOD these blocks are formed by one symbol in radix S, as F K _MOD output.
For the case of CTR$, the underlying encryption function is the block cipher E K , with an input and output that are l-bit length. The l-bit length counter values along the game are represented in the following i , M 1 i ) with length m i . At the beginning of each query a random counter value r i is generated. As the counter is incremented in each encryption step and the message has a length of m i data blocks the last value of the counter in each row will be r i + m i .
In [29] it is demonstrated that the collision probability between any counter value in the i-th row and the previous row counters is limited by: where col i is the event where there is a collision in the first i rows of the table, and no_col i−1 the event where there is no collision in the first i-1 rows. Nchoices(r i ) are the number of choices of r i that can produce a collision and 1/2 l is the probability for r i to be equal to any of these choices. We call this probability P r i (x) = P (r i = x), with x any l-bit length value in Nchoices(r i ). As r i is generated randomly we can consider it has a uniform random distribution such that P r i (y) = P r i = 1/2 l for any i and y ∈ [0, 2 l − 1]. It means that P r i (x) is equal to 1/2 l for any x ∈ Nchoices(r i ).
Finally, given (46), in [29] it is shown that P SE (col) for CTR$, the collision probability along the counter table in (45), can be expressed as: For the particular case of PSCFB, in [13] it is shown that the encryption session can be divided into different sync cycles as the shown in Fig. 5. In each sync cycle the counter is reset to a random IV value as mentioned in Section II-C. Let us assume that N sync cycles happen during the IND-CPA game between the adversary and the oracle. Then, the counter values during the session can be represented as in the following table: where k i is the length in blocks of data of the i-th sync cycle. The subsequent counters from r i in advance will be incremented up to r i + k i − 1. According to [13], by using the same reasoning than in [29], P PSCFB (col) can be expressed as in (47), in terms of P r i : In PSCFB mode, as in CTR$, the counter is an l-bit length value. It is reset to the IV at the beginning of each sync cycle and it can be considered random and uniformly distributed. Therefore, in (47) P r i = 1/2 l for any i and x ∈ [0, 2 l − 1]. In the case of PSCFB-MOD mode, as the encryption game can be also divided in N sync cycles the same expression as (49) could be applied to obtain P PSCFB−MOD (col).
However, as explained in Section III-A, the l-bit length IV is not taken directly from the ciphertext, but its value is obtained from the L IV -symbol length value IV S , such that IV = T (IV S ). As the ciphertext, in radix S, can be considered random and uniformly distributed, the same happens with IV S , as it is taken from the L IV symbols after the sync pattern detection. Therefore, IV S can be considered a uniform random value in the range [0, S L IV −1]. Particularly the transformation T (·) as been chosen such that IV = T (IV S ) = NUM (IV S ) mod 2 l as shown in (3).
IV S and its binary representation, NUM(IV S ), can be considered random and uniformly distributed as soon as F K _MOD output is considered also random, which means that parameter L in F K _MOD must meet condition in Lemma 2. However, IV is obtained by truncating NUM(IV S ) to its least l significant bits. Therefore, IV cannot be considered random and uniformly distributed as a bias is introduced due to modulo-2 l operation. Owing to this, r i counter values at the beginning of each sync cycle will not be uniformly distributed and special considerations must be taken into account to obtain P r i (x) as it will not be constant and equal to 1/2 l . Let assume P max r i as the maximum probability in the probability density function P r i (x), then if we particularize (49) to PSCFB-MOD mode we can get an upper bound for the following collision probability such that: In addition, as the output block size in PSCFB-MOD is one symbol with radix S, then k i = q i , where q i is the number of symbols with radix S encrypted in the i-th sync cycle, then: where q is the total number of symbols encrypted during the IND-CPA game and N max the maximum possible number of sync cycles produced during the game. It is possible to express this value as N max = q/C min , where C min is the minimum size of any sync cycle in symbols. As shown in Fig. 5b the generic sync cycle length in PSCFB-MOD can be expressed as u = n + L IV + P − 1 + W symbols, where n, L IV and P are constant, while W is variable. The minimum value for this cycle length could be considered with W = 0, then u min = n + L IV + P − 1, where P is the pipeline size of the underlying block cipher and n the sync pattern size. If we call w = P − 1 + L IV then N max = q/u min ≤ q/w, therefore: which is the same as equation (35) in Lemma 3. The last step to prove Lemma 3 is to demonstrate that P max r i ≤ 1/2 l + 1/S L IV , which is proved in the following paragraphs.
Let us name NUM (IV S ) as v i and IV as r i . Then v i and r i will be two random variables such that r i = v i mod 2 l , where v i ∈ [0, M − 1], r i ∈ [0, 2 l − 1] and M is not a multiple of 2 l . If F K _MOD meets Lemma 2 its captured output v i will be random and uniformly distributed, then P(v i = x) = 1/M , where P(v i = x) is the probability that v i is equal to x and x ∈ [0, M − 1]. In Fig. 10 the way of mapping values from the domain {0, . . . ,M − 1} to 0, . . . , 2 l − 1 thanks to modulo-2 l operation is shown. The remainder R of the division between M and 2 l can be written as: where d is the quotient of the division, which means that d = M /2 l . After modulo-2 l operation, as R is different to zero, a bias is introduced in the resulting distribution of values of r i in the range 0, . . . , 2 l − 1 . v i values that are in the range d2 l , . . . , d2 l + R − 1 will generate one more occurrence in the resulting range {0, . . . ,R − 1} after modulo operation. Therefore, the probability distribution after modulo-2 l will be: The maximum value for the probability of P (r i = x) will be: As d = M /2 l then: As we have called v i = NUM (IV S ) then v i ∈ [0, M − 1] → v i ∈ [0, S L IV − 1], which means that M = S L IV and P max r i can be expressed as: The final expression for P PSCFB−MOD (col) in (52) next to the condition in (57) proves Lemma 3.