From: "You cannot conquer a free man, a man whose mind is free. The most you can do is kill him.  08-Sep-1993 1013" <yerazunis@aidev.enet.dec.com>
Date: Wed, 8 Sep 93 07:16:57 PDT
To: cypherpunks@toad.com
Subject: Spread Spectrum- how it works
Message-ID: <9309081410.AA00883@enet-gw.pa.dec.com>
MIME-Version: 1.0
Content-Type: text/plain


From:	US3RMC::"clark@metal.psu.edu" "Clark Reynard"  8-SEP-1993 01:59:18.22

>Then the receptionist returned, and told me that the person from
>the engineering department who took care of the phones had indicated
>that not even the government had the technology to monitor these
>phones.
>
>Upon asking how and why the government might do this, I received
>a rather chilly notification that the engineering department,
>was, of course, unwilling to reveal these secrets.  Well, it was
>worth a try.

Actually, they aren't telling you, but SS techniques are published widely
in the technical literature.  For a relatively accessible and understandable
introduction, try the ARRL's book "Spread Spectrum Sourcebook", which 
describes not only the theory but also the results of the ARRL's 
experimentation with spread-spectrum technology for radio communications.
It's about $30 from any reputable ham radio supply house, and you 
can mail-order it.

[very succintly, SS works by adding a pseudorandom modulation to the
transmitter carrier that modulates the signal far far MORE than the
actual informational modulation.  For example, a 16-bit CRC register
feeding back on itself can be used.  The output of the CRC register 
(or any other pseudo-random-number-generator (PRNG) can be used as a 
modulator in two ways:

	1) Frequency hopping: the bits in the CRC or PRNG determine (via 
	   a lookup table ("hop set") the new center frequency that the 
	   transmitter will send on.  This freqency may hop a hundred 
	   times or more per second.

		a) ease of detection: easy- you hear a "click" whenever the
		   transmitter hops onto the freqency you're monitoring
		b) ease of interception: very hard- if there are a 
		   few thousand such signals around, you have to splice
		   together 10 millisecond slices from a thousand different
		   sources- and that's a combinatorially prohibitive 
		   problem.  You need to know the "hop set" and the 
		   particular polynomial or psuedorandom sequence to 
		   easily recover the signal.

	2) Direct Sequence: the single low-order bit in the CRC or PRNG
	   determines whether the output signal from the transmitter's
	   primary oscillator (already modulated with the user's voice)
	   is inverted or not.  This translates to massive phase modulation.  
	   If the CRC is clocked at a reasonable rate (say, 1 MHz) then 
	   the output signal ends up with a bandwidth of about twice 
	   the clocking freqency.  
	
		a) ease of detection: difficult- the SS signal shows
		   up in a conventional reciever as broadband noise- easy
		   to not notice.
           	b) ease of interception: very difficult- I haven't the 
		   foggiest about how to go about it.

In either case, to demodulate the signal, one recieves the entire bandwidth,
then either hops their first-stage local oscillator (for frequency hopping) 
or phase-inverts (for direct sequence) the incoming signal.  The result is
a second-stage signal that can be demodulated by conventional means.  The 
only big trick is to synchronize the PRNG on the reciever to the PRNG on
the transmitter.

Another advantage to SS is that it tends to "ignore" strong signals in the
band- any signal that does not correllate against the PRNG modulation is
"spread out" over the entire band by the demodulation operation, while the
correct signal energy is concentrated into a small channel.  This gives
what's called "process gain" and allows a weak spread-spectrum signal to
work even in channels that may be dominated by strong conventionally-modulated
signals.

The ARRL did find that if they knew the bandwidth of the signal they were
looking for they _could_ direction-find on it, using wideband recievers
and notch filters to remove known conventionally-modulated signals from
the signal; once they were close enough to be in the "near field" of the
transmitter standard direction-finding techniques were adequate to DF,
even if they couldn't understand what was being transmitted, they could
find the source. (this was the basis for the FCC's OKing of the use of
SS modulation by hams on the 440 and higher bands- that some form of
accountability was being preserved).

-----

Note that if the PRNG in a direct-sequence SS is replaced by a true 
random number source, we have the equivalent of a one-time pad and 
(I believe) complete security.  However, since the typical demands 
of a direct-sequence system for phase information are in the megabits 
per second, the logistics of "key management" may be utterly impractical.

-----

So, if CM was using either modulation method, and used some reasonable
PRNG (i.e. one with remappings and hopsets determined by user-genned random
numbers) then it is quite possible that the government does not have the
technology _deployed_ in the field to intercept them.  But if they 
need it, I'm sure they will figure out how to do it.  

	-Bill