
CHAPTER NO. 6
MULTIPLE ACCESS TECHNIQUES FOR MOBILE COMMUNICATION

Frequency Division Multiple Access (FDMA)
Time Division Multiple Access (TDMA)
Code Division Multiple Access (CDMA)










These multiple access systems have very different approaches to the bandwidth problem.

6.1: FREQUENCY DIVISION MULTIPLE ACCESS (FDMA)
Each FDMA subscriber is assigned a specific frequency channel (Fig. 6.1). No one
else in the same cell or a neighboring cell can use the frequency channel while it is
assigned to a user. This reduces interference, but severely limits the number of users.

FIG. NO. 6.1 FREQUENCY DIVISION MULTIPLE ACCESS (FDMA)

Frequency-division multiplexing (FDM) takes advantage of the fact that the useful bandwidth of
the medium exceeds the required bandwidth of a given signal.

6.2: TIME DIVISION MULTIPLE ACCESS (TDMA)
TDMA users share a common frequency channel (Fig. 6.2), but use the channel for
only a very short time. They are each given a time slot and only allowed to transmit during
that time slot. When all available time slots in a given frequency are used, the next user
must be assigned a time slot on another frequency. These time slices are so small that the
human ear does not perceive the time slicing.



FIG. NO. 6.2: TIME DIVISION MULTIPLE ACCESS (TDMA)


Time-division multiplexing (TDM) takes advantage of the fact that the achievable bit rate
of the medium exceeds the required data rate of a digital signal.

6.3: CODE DIVISION MULTIPLE ACCESS (CDMA)
One of the most important concepts in any cellular telephone system is that of multiple
access: a large number of users share a common pool of radio channels and any user can
gain access to any channel. Code-Division Multiple Access (CDMA) is a form of
multiplexing which allows numerous signals to occupy a single transmission channel,
optimizing the use of available bandwidth. Though CDMA's application in cellular
telephony is relatively new, it is not a new technology. CDMA has been used in many
military applications, such as anti-jamming (because of the spread signal). In March 1992,
the TIA (Telecommunications Industry Association) established the TR-45.5 subcommittee
with the charter of developing a spread spectrum digital cellular standard. In July of
1993, the TIA gave its approval for the CDMA Technology standard. A CDMA call starts
with a standard rate of 9.6 Kbps. This is then spread to a transmitted rate of about
1.23 Mbps. The CDMA channel is nominally 1.23 MHz wide. CDMA is compatible with other
cellular technologies.











CDMA users share a common frequency channel (Fig 6.3). All users are on the
same frequency at the same time. However, each pair of users is assigned a special code
that reduces interference while increasing privacy.



FIG. NO. 6.3: CODE DIVISION MULTIPLE ACCESS (CDMA)
Data transmission capacity    Generation    Cellular technology
2 MBps                        3G            CDMA 2000
64 Kps - 140 Kps              2.5G          CDMA (IS-95B)
56 Kps                        2G            GSM
34 Kps                        1G            AMPS

6.4: GENERATING A CDMA SIGNAL
There are five steps in generating a CDMA signal (Fig. 6.4).
I. Analog to digital conversion
II. Vocoding
III. Encoding and interleaving
IV. Channelizing the signals
V. Conversion of the digital signal to a Radio Frequency (RF) signal
The use of codes is a key part of this process.



FIG. NO. 6.4: GENERATING A CDMA SIGNAL

(I) ANALOG TO DIGITAL CONVERSION
The first step of CDMA signal generation is analog to digital conversion,
sometimes called A/D conversion. CDMA uses a technique called Pulse
Code Modulation (PCM) to accomplish A/D conversion.

(II) VOCODING (or Voice Compression)
The second step of CDMA signal generation is voice compression. CDMA
uses a device called a vocoder to accomplish voice compression (Fig. 6.5).
The term "vocoder" is a contraction of the words "voice" and "code."
Vocoders are located at the BSC and in the phone. A CDMA vocoder varies
compression of the voice signal into one of four data rates based on the rate
of the user's speech activity. The four rates are: Full, 1/2, 1/4 and 1/8. The
vocoder uses its full rate when a person is talking very fast. It uses the 1/8
rate when the person is silent or nearly so.



FIG. NO. 6.5: GENERATING AN A/D COMPRESSED SIGNAL


(III) ENCODING AND INTERLEAVING

Encoders and interleavers are built into the BTS and the phones. The
purpose of the encoding and interleaving is to build redundancy into the
signal so that information lost in transmission can be recovered. The type of
encoding done at this stage is called "convolutional encoding." A simplified
encoding scheme is shown here. A digital message consists of four bits (A,
B, C, D) of vocoded data. Each bit is repeated three times. These encoded
bits are called symbols. The decoder at the receiver uses a majority logic
rule. Thus, if an error occurs, the redundancy can help recover the lost
information.
EXAMPLE:
BURST ERROR: A burst error is a type of error in received digital
telephone signals. Burst errors occur in clumps of adjacent symbols. These
errors are caused by fading and interference. Encoding and interleaving
reduce the effects of burst errors. Interleaving is a simple but powerful
method of reducing the effects of burst errors and recovering lost bits. In the
example shown in the Fig. 6.6, the symbols from each group are interleaved
(or scrambled) in a pattern that the receiver knows. De-interleaving at the
receiver unscrambles the bits, spreading any burst errors that occur during
transmission.



FIG. NO. 6.6: ENCODING AND INTERLEAVING
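
The simplified scheme above (four bits, each sent three times, majority-logic decoding) can be run against a burst error with and without interleaving. This is an added example, not part of the original text; the 4 x 3 write-by-row, read-by-column interleaver and the sample bits are assumptions, since the exact pattern of Fig. 6.6 is not reproduced here.

```python
# Added illustration: repetition code with majority-logic decoding,
# with and without a block interleaver. The interleaver pattern is an
# assumption (write row by row, read column by column).

REPEAT = 3  # each vocoded bit is sent three times; the copies are "symbols"


def encode(bits, repeat=REPEAT):
    """Repeat every bit `repeat` times: [A, B] -> [A, A, A, B, B, B]."""
    return [b for b in bits for _ in range(repeat)]


def interleave(symbols, rows, cols):
    """Write row by row into a rows x cols block, read column by column."""
    return [symbols[r * cols + c] for c in range(cols) for r in range(rows)]


def deinterleave(symbols, rows, cols):
    """Inverse of interleave(): put each received symbol back in its row."""
    out = [0] * (rows * cols)
    received = iter(symbols)
    for c in range(cols):
        for r in range(rows):
            out[r * cols + c] = next(received)
    return out


def burst_error(symbols, start, length):
    """Flip `length` adjacent symbols, as a fade or an interferer would."""
    hit = list(symbols)
    for i in range(start, min(start + length, len(hit))):
        hit[i] ^= 1
    return hit


def majority_decode(symbols, repeat=REPEAT):
    """Majority-logic rule: a bit is 1 if most of its copies are 1."""
    return [
        1 if sum(symbols[i:i + repeat]) * 2 > repeat else 0
        for i in range(0, len(symbols), repeat)
    ]


def send(bits, burst_start, burst_len, use_interleaver):
    """Encode, optionally interleave, corrupt with a burst, and decode."""
    rows, cols = len(bits), REPEAT
    tx = encode(bits)
    if use_interleaver:
        tx = interleave(tx, rows, cols)
    rx = burst_error(tx, burst_start, burst_len)
    if use_interleaver:
        rx = deinterleave(rx, rows, cols)
    return majority_decode(rx)


MESSAGE = [1, 0, 1, 1]  # constructed sample bits A, B, C, D

if __name__ == "__main__":
    for start in range(len(MESSAGE) * REPEAT - 2):
        plain = send(MESSAGE, start, 3, use_interleaver=False)
        mixed = send(MESSAGE, start, 3, use_interleaver=True)
        print(f"burst at symbol {start}: plain {plain}, interleaved {mixed}")
```

A three-symbol burst always destroys at least two copies of one bit in the plain stream, so majority logic decodes that bit wrongly; after de-interleaving, the same burst costs each bit at most one copy and the message is recovered.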


(IV) CHANNELIZING

The encoded voice data is further encoded to separate it from other encoded
voice data. The encoded symbols are then spread over the entire bandwidth
of the CDMA channel. This process is called channelization.
The receiver knows the code and uses it to recover the voice data.
KINDS OF CODES: CDMA uses two important types of codes to
channelize users.
(a) Walsh codes channelize users on the forward link (BTS to mobile).
Walsh codes provide a means to uniquely identify each user on the
forward link. Walsh codes have a unique mathematical property,
that is, they are "orthogonal." In other words, Walsh codes are
unique enough that only a receiver applying the same Walsh code
can recover the voice data. All other signals are discarded as
background noise.

(b) Pseudorandom Noise (PN) codes channelize users on the reverse link
(mobile to BTS). Pseudorandom Noise (PN) codes uniquely identify
users on the reverse link. A PN code is one that appears to be random,
but isn't. The PN codes used in CDMA yield about 4.4 trillion
combinations of code. This is a key reason why CDMA is so secure.
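
The orthogonality that separates forward-link users can be checked directly. The following is an added example, not part of the original text: it builds length-64 Walsh codes with the Sylvester (Hadamard) construction, spreads three users onto one composite signal, and despreads each one. The channel numbers and bit patterns are constructed sample values.

```python
# Added illustration of forward-link channelization with Walsh codes.
# Code length 64 is chosen for the example; channel numbers and data bits
# are constructed sample values.


def walsh_codes(n):
    """Return the n Walsh codes of length n (n a power of two) as +1/-1
    chips, using the Sylvester construction H_2n = [[H, H], [H, -H]]."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread(bits, code):
    """Replace every data bit by the code (bit 0) or its inverse (bit 1)."""
    chips = []
    for b in bits:
        sign = 1 - 2 * b
        chips.extend(sign * c for c in code)
    return chips


def combine(*signals):
    """Add all channelized streams chip by chip into one composite signal."""
    return [sum(chips) for chips in zip(*signals)]


def correlate(signal, code):
    """Correlate each symbol period of the composite signal with one code."""
    n = len(code)
    return [
        sum(s * c for s, c in zip(signal[i:i + n], code))
        for i in range(0, len(signal), n)
    ]


def despread(signal, code):
    """Recover data bits from the sign of the per-symbol correlation."""
    return [0 if corr > 0 else 1 for corr in correlate(signal, code)]


W = walsh_codes(64)

# Constructed sample traffic: Walsh channel number -> data bits.
USERS = {
    5: [1, 0, 1, 1, 0],
    12: [0, 0, 1, 0, 1],
    40: [1, 1, 0, 0, 1],
}

COMPOSITE = combine(*(spread(bits, W[ch]) for ch, bits in USERS.items()))

if __name__ == "__main__":
    for ch, bits in USERS.items():
        print(f"channel {ch}: sent {bits}, recovered {despread(COMPOSITE, W[ch])}")
    # A receiver using a code nobody transmits on sees zero correlation.
    print("unused channel 33 correlation:", correlate(COMPOSITE, W[33]))
```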

(V) CONVERSION OF DIGITAL TO RADIO FREQUENCY (RF) SIGNAL
The BTS combines channelized data from all calls into one signal. It then
converts the digital signal to a Radio Frequency (RF) signal for
transmission.

6.5: CODE CHANNELS USED IN CDMA
A code channel is a stream of data designated for a specific use or person. This
channel may be voice data or overhead control data. Channels are separated by codes. The
forward and reverse links use different types of channels.
(I) FORWARD LINK CHANNELS: The forward link uses four types of channels to transmit voice
and control data to the mobile. The types of forward link channels are:
i. Pilot
ii. Sync
iii. Paging
iv. Traffic


FIG. NO. 6.7: FORWARD LINK CHANNELS

(i) PILOT CHANNEL
The BTS constantly transmits the pilot channel. The mobile uses the pilot signal
to acquire the system. It then uses the pilot signal to monitor and adjust the power
needed in order to transmit back to the BTS.


FIG. NO. 6.8: PILOT CHANNEL

(ii) SYNC CHANNEL
The BTS constantly transmits over the sync channel so the mobile can synchronize with
the BTS. It provides the mobile with the system time and the identification number of
the cell site. The mobile ignores the sync channel after it is synchronized.

FIG. NO. 6.9: SYNC CHANNEL

(iii) PAGING CHANNEL
CDMA uses up to seven paging channels. The paging channel transmits overhead
information such as commands and pages to the mobile. The paging channel also
sends commands and traffic channel assignment during call set-up. The mobile
ignores the paging channel after a traffic channel is established.


FIG. NO. 6.10: PAGING CHANNEL

(iv) FORWARD LINK TRAFFIC CHANNEL
CDMA uses between fifty-five and sixty-one forward traffic channels to send both
voice and overhead control data during a call. Once the call is completed, the
mobile tunes back in to the paging channel for commands and pages.

FIG. NO. 6.11: TRAFFIC CHANNEL

(II) REVERSE LINK CHANNELS: The reverse link uses two types of channels to transmit voice and
control data to the BTS. The types of reverse link channels are:
i. Access
ii. Traffic

FIG. NO. 6.12: REVERSE LINK CHANNELS

(i) ACCESS CHANNEL
The mobile uses the access channel when not assigned to a traffic channel. The
mobile uses the access channel to:
- Register with the network
- Originate calls
- Respond to pages and commands from the base station
- Transmit overhead messages to the base station

FIG. NO. 6.13: ACCESS CHANNEL
(ii) REVERSE LINK TRAFFIC CHANNEL
The reverse traffic channel is only used when there is a call. The reverse traffic
channel transmits voice data to the BTS. It also transmits the overhead control
information during the call.



FIG. NO. 6.14: REVERSE LINK TRAFFIC CHANNEL


6.6: CALL PROCESSING STAGES IN CDMA
There are four stages or modes in CDMA call processing (Fig. 6.15):
- Initialization mode
- Idle mode
- Access mode
- Traffic mode

(I) INITIALIZATION MODE: During initialization, the mobile acquires the system
via the Pilot code channel and synchronizes with the system via the Sync code channel.
(II) IDLE MODE: The mobile is not involved in a call during idle mode, but it must
stay in communication with the base station. The mobile and the base station
communicate over the access and paging code channels. The mobile obtains
overhead information via the paging code channel.




FIG. NO. 6.15: CALL PROCESSING STAGES IN CDMA


(III) ACCESS MODE: The mobile accesses the network via the Access code
channel during call origination. The Access channel and Paging channel carry
the required call set-up communication between the mobile phone and the BTS
until a traffic channel is established.
(IV) TRAFFIC MODE: During a land to mobile (LTM) call: The mobile receives a
page on the paging channel. The mobile responds on the access channel. The
traffic channel is established and maintained throughout the call.
During a mobile to land call (MTL): The call is placed using the Access channel.
The base station responds on the paging channel. The traffic channel is
established and maintained throughout the call.
Call processing (messages): During the call overhead messaging continues on
the traffic channel in a limited fashion. This messaging uses "Dim and Burst"
or "Blank and Burst" signaling, which replaces part of the voice traffic with
system messages. The user does not detect this signaling, however, due to the
strong data recovery schemes inherent to CDMA.



FIG. NO. 6.16: MOBILE CALL PROCESSING

6.7: FEATURES OF CDMA
CDMA has several unique features that make it a cost-effective, high quality
wireless solution. The following features are unique to CDMA technology:
(a) Universal frequency reuse
(b) Fast and accurate power control
(c) Different types of handoff
(a) FREQUENCY REUSE: The frequency spectrum is a limited resource.
Therefore, wireless telephony, like radio, must reuse frequency assignments.
Each BTS in a CDMA network can use all available frequencies. Adjacent
cells can transmit at the same frequency because users are separated by code
channels, not frequency channels. This feature of CDMA, called "frequency
reuse of one," eliminates the need for frequency planning.



FIG. NO. 6.17: POWER CONTROL

(b) POWER CONTROL: Power control is a CDMA feature that enables mobiles
to adjust the power at which they transmit. This ensures that the base station
receives all signals at the appropriate power. The CDMA network
independently controls the power at which each mobile transmits. Both forward
and reverse links use power control techniques.
Reverse link power control: Reverse link power control consists of two
processes:
Open loop power control: Open loop is the mobile's estimate of the
power at which it should transmit. The open loop estimate is based
on the strength of the pilot signal the mobile receives. As the pilot
signal gets weaker or stronger, the mobile adjusts its transmission
strength upwards or downwards. Open loop is used any time the
mobile transmits.
Closed loop power control: In closed loop, the BTS sends a command
to the mobile to increase or decrease the strength at which it is
transmitting. The BTS determines this command based on the quality
of the signal it receives from the mobile. Closed loop is only used
during a call. Closed loop commands are sent on the forward traffic
channel.


(c) HANDOFF IN CDMA: Handoff is the process of transferring a call from one
cell to another. This is necessary to continue the call as the phone travels.
CDMA is unique in how it handles handoff.
TYPES OF CDMA HANDOFF: CDMA has three primary types of
handoff:
i. SOFT
ii. HARD
iii. IDLE
(i) SOFT HANDOFF
A soft handoff establishes a connection with the new BTS prior to breaking the
connection with the old one. This is possible because CDMA cells use the same
frequency and because the mobile uses a rake receiver.



FIG. NO. 6.18: SOFT HANDOFF
Variations of the soft handoff: There are two variations of soft handoffs involving
handoffs between sectors within a BTS:
- Softer
- Soft-softer
The softer handoff occurs between two sectors of the same BTS. The BTS decodes and
combines the voice signal from each sector and forwards the combined voice frame to the
BSC. The soft-softer handoff is a combination handoff involving multiple cells and multiple
sectors within one of the cells.

FIG. NO. 6.19: SOFTER HANDOFF


(ii) HARD HANDOFF
A hard handoff requires the mobile to break the connection with the old BTS prior
to making the connection with the new one. CDMA phones use a hard handoff
when moving from a CDMA system to an analog system because soft handoffs are
not possible in analog systems. A Pilot Beacon Unit (PBU) at the analog cell site
alerts the phone that it is reaching the edge of CDMA coverage. The phone
switches from digital to analog mode during the hard handoff.
Hard handoff may also be used when moving to a different:
- RF channel
- MTSO
- Carrier
- Market
(iii) IDLE HANDOFF
An idle handoff occurs when the phone is in idle mode. The mobile will detect a
pilot signal that is stronger than the current pilot. The mobile is always searching
for the pilots from any neighboring BTS. When it finds a stronger signal, the mobile
simply begins attending to the new pilot.
6.8: ADVANTAGES OF CDMA
CDMA technology has numerous advantages including:
i. COVERAGE
ii. CAPACITY
iii. CLARITY
iv. COST
v. COMPATIBILITY
vi. CUSTOMER SATISFACTION
(i) COVERAGE
CDMA's features result in coverage that is between 1.7 and 3 times that of TDMA.
Power control helps the network dynamically expand the coverage area. Coding
and interleaving provide the ability to cover a larger area for the same amount of
available power used in other systems.
(ii) CAPACITY
CDMA capacity is ten to twenty times that of analog systems, and it's up to four
times that of TDMA.
Reasons for this include:
- CDMA's universal frequency reuse
- CDMA users are separated by codes, not frequencies
- Power control minimizes interference, resulting in maximized capacity.
CDMA's soft handoff also helps increase capacity. This is because a soft handoff requires
less power.


FIG. NO. 6.20: ADVANTAGES OF CDMA



(iii) CLARITY
Often CDMA systems can achieve "wire line" clarity because of CDMA's strong
digital processing. Specifically:
- The rake receiver reduces errors.
- The variable rate vocoder reduces the amount of data transmitted per
person, reducing interference.
- The soft handoff also reduces power requirements and interference.
- Power control reduces errors by keeping power at an optimal level.
- CDMA's wide band signal reduces fading. Encoding and interleaving reduce
errors that result from fading.
(iv) COST
CDMA's better coverage and capacity result in cost benefits:
- Increased coverage per BTS means fewer are needed to cover a given area.
This reduces infrastructure costs for the providers.
- Increased capacity increases the service provider's revenue potential.
- CDMA cost per subscriber has steadily declined since 1995 for both
cellular and PCS applications.



FIG. NO. 6.21: COST OF CDMA


(v) COMPATIBILITY
CDMA phones are usually dual mode. This means they can work in both CDMA
systems and analog cellular systems. Some CDMA phones are dual band as well
as dual mode. They can work in CDMA mode in the PCS band, CDMA mode in
the cellular band, or analog mode in an analog cellular network.
(vi) CUSTOMER SATISFACTION
CDMA results in greater customer satisfaction because CDMA provides:
- Better voice quality
- Longer battery life due to reduced power requirements
- No cross-talk because of CDMA's unique coding
- Privacy, again because of coding

FIG. NO. 6.22 CDMA CUSTOMER SATISFACTION

6.8: ARCHITECTURE OF THE CDMA NETWORK
A CDMA network is composed of several functional entities, whose functions and
interfaces are specified. The CDMA network can be divided into three broad parts. The
Mobile Station is carried by the subscriber. The Base Station Subsystem controls the radio
link with the Mobile Station. The Network Subsystem, the main part of which is the
Mobile services Switching Center (MSC), performs the switching of calls between the
mobile users, and between mobile and fixed network users. The MSC also handles the
mobility management operations. Not shown is the Operations and Maintenance Center,
which oversees the proper operation and setup of the network. The Mobile Station and the
Base Station Subsystem communicate across the Um interface, also known as the air interface
or radio link. The Base Station Subsystem communicates with the Mobile services Switching
Center across the A interface.



FIG. NO. 6.23 GENERAL ARCHITECTURE OF A CDMA NETWORK

(I) MOBILE STATION
The mobile station (MS) consists of the mobile equipment. The mobile equipment
is uniquely identified by the International Mobile Equipment Identity (IMEI).



FIG. NO. 6.24: MOBILE EQUIPMENTS

(II) BASE STATION SUBSYSTEM
The Base Station Subsystem is composed of two parts:
(a) The Base Transceiver Station (BTS)
(b) The Base Station Controller (BSC).
These communicate across the standardized Abis interface, allowing operation between
components made by different suppliers.











FIG. NO. 6.25: BASE STATION SUBSYSTEM

(a) The Base Transceiver Station (BTS) houses the radio transceivers that define a
cell and handles the radio-link protocols with the Mobile Station. In a large urban area,
there will potentially be a large number of BTSs deployed, thus the requirements for a BTS
are ruggedness, reliability, portability, and minimum cost.
The base station is under direction of a base station controller so traffic gets sent
there first. The base station controller gathers the calls from many base stations and passes
them on to a mobile telephone switch. From that switch come and go the calls from the
regular telephone network.
(b) The Base Station Controller (BSC) manages the radio resources for one or
more BTSs. It handles radio-channel setup, frequency hopping, and handovers, as
described below. The BSC is the connection between the mobile station and the Mobile
service Switching Center (MSC). Another difference between conventional cellular and
CDMA is the base station controller. It's an intermediate step between the base station
transceiver and the mobile switch. This is a better approach for high-density cellular
networks. If every base station talked directly to the MSC, traffic would become too
congested. To ensure quality communications via traffic management, the wireless
infrastructure network uses Base Station Controllers as a way to segment the network
and control congestion. The result is that MSCs route their circuits to BSCs which in turn
are responsible for connectivity and routing of calls for 50 to 100 wireless base stations."








FIG. NO. 6.26: BASE STATION CONTROLLER

BSC functions include:
- Performs vocoding of the voice signal
- Routes calls to the MTSO
- Handles call control processes
- Maintains a database of subscribers
- Maintains records of calls for billing
The voice coders or vocoders are built into the handsets a cellular carrier
distributes. They're the circuitry that turns speech into digital. The carrier specifies which
rate they want traffic compressed, either a great deal or just a little. The cellular system is
designed this way, with handset vocoders working in league with the equipment of the base
station subsystem.
(III) THE MOBILE SWITCHING CENTER
The central component of the Network Subsystem is the Mobile services
Switching Center (MSC).








FIG. NO. 6.27: THE MOBILE SWITCHING CENTER
It acts like a normal switching node of the PSTN or ISDN, and additionally
provides all the functionality needed to handle a mobile subscriber, such as registration,
authentication, location updating, handovers, and call routing to a roaming subscriber.
These services are provided in conjunction with several functional entities, which together
form the Network Subsystem. The MSC provides the connection to the fixed networks
(such as the PSTN or ISDN). Signaling between functional entities in the Network
Subsystem uses Signaling System Number 7 (SS7), used for trunk signaling in ISDN and
widely used in current public networks.

(IV) HOME LOCATION REGISTER (HLR) & VISITED LOCATION REGISTER (VLR)
The Home Location Register (HLR) and Visitor Location Register (VLR), together
with the MSC, provide the call routing and roaming capabilities. The HLR contains all the
administrative information of each subscriber registered in the network, along with the
current location of the mobile. The location of the mobile is typically in the form of the
signaling address of the VLR associated with the mobile station. The Visitor Location
Register (VLR) contains selected administrative information from the HLR, necessary for
call control and provision of the subscribed services, for each mobile currently located in
the geographical area controlled by the VLR. Most often these two directories are located
in the same place. The HLR and VLR are big databases maintained on computers called
servers, often UNIX workstations. To operate its nationwide cellular system, iDEN,
Motorola uses over 60 HLRs nationwide.

(V) EQUIPMENT IDENTITY REGISTER (EIR)
The other two registers are used for authentication and security purposes. The
Equipment Identity Register (EIR) is a database that contains a list of all valid mobile
equipment on the network, where each mobile station is identified by its International
Mobile Equipment Identity (IMEI). An IMEI is marked as invalid if it has been reported
stolen or is not type approved.

(VI) THE INTERFACES
Cellular radio's most cryptic terms belong to these names: A, Um, Abis, and Ater.
A telecom interface means many things. It can be a mechanical or electrical link connecting
equipment together. Or a boundary between systems, such as between the base station
system and the network subsystem. Interfaces are standardized methods for passing
information back and forth. The transmission media isn't important. Whether copper or
fiber optic cable or microwave radio, an interface insists that signals go back and forth in
the same way, in the same format. With this approach different equipment from any
manufacturer will work together.
"A-bis" is a French term meaning "the second A interface." In most cases the
actual span or physical connection is made on an E1 line. But regardless of the material
used, the transmission media, it is the signaling protocol that is most important.
Although the interface is unlabeled, the mobile switch communicates with the
telephone network using Signaling System Seven, an internationally agreed upon
standard. More specifically, it uses ISUP over SS7. "ISUP defines the protocol and
procedures used to set-up, manage, and release trunk circuits that carry voice and data calls
over the public switched telephone network (PSTN). ISUP is used for both ISDN and
non-ISDN calls."

6.9: COMPARISON OF MULTIPLE ACCESS SYSTEMS
The table in Fig. 6.28 summarizes some of the technical aspects of the multiple
access technologies. The technology used determines the channel's capacity. TDMA triples
the capacity of FDMA, but CDMA capacity can be up to seven times that of TDMA.



FIG. NO. 6.28: COMPARISON OF MULTIPLE ACCESS SYSTEMS
********
CDMA Tutorial


Copyright 2002 Charan Langton www.complextoreal.com
1
Code Division Multiple Access (CDMA)
The Concept of signal spreading and its uses in communications

Let's take a straightforward binary signal of symbol rate 2.



Figure 1 A binary information signal

To modulate this signal, we would multiply this sequence with a sinusoid and its
spectrum would look as in Figure 2. The main lobe of its spectrum is 2 Hz wide. The
larger the symbol rate, the larger the bandwidth of the signal.


Figure 2 Spectrum of a binary signal of rate 2 bps

Now we take another binary sequence with a data rate 8 times larger than that of the
sequence shown in Fig. 1.


Figure 3 A new binary sequence which will be used to modulate the information
sequence

Instead of modulating with a sinusoid, we will modulate the sequence 1 with this new
binary sequence which we will call the code sequence for sequence 1. The resulting
signal looks like Fig. 4.

Since the bit rate is larger now, we can guess that the spectrum of this sequence will have
a larger main lobe.


Figure 4 Each bit of sequence 1 is replaced by the code sequence

The spectrum of this signal has now spread over a larger bandwidth. The main lobe
bandwidth is 16 Hz instead of the 2 Hz it was before spreading. The process of multiplying
the information sequence with the code sequence has caused the information sequence to
inherit the spectrum of the code sequence (also called the spreading sequence).


Figure 5 The spectrum of the spread signal is as wide as the code sequence

The spectrum has spread from 2 Hz to 16 Hz, by a factor of 8. This number is called the
spreading factor or the processing gain (in dBs) of the system. This process can also
be called a form of binary modulation. Both the data signal and the modulating sequence
in this case are binary signals.

If the original signal is x(t) of power $P_s$, and the code sequence is given by g(t), the resultant
modulated signal is

$$s(t) = \sqrt{2P_s}\, d(t)\, g(t)$$

The multiplication of the data sequence with the spreading sequence is the first
modulation. Then the signal is multiplied by the carrier, which is the second modulation.
The carrier here is analog.

$$s(t) = \sqrt{2P_s}\, d(t)\, g(t)\, \sin(2\pi f_c t)$$

On the receive side, we multiply this signal again with the carrier. What we get is this.

$$rcv(t) = \sqrt{2P_s}\, d(t)\, g(t)\, \sin^2(2\pi f_c t)$$

By the trigonometric identity (written here without its constant factor of 1/2, which only
scales the signal)

$$\sin^2(2\pi f_c t) = 1 - \cos(4\pi f_c t)$$

we get

$$rcv(t) = \sqrt{2P_s}\, d(t)\, g(t)\, \bigl(1 - \underline{\cos(4\pi f_c t)}\bigr)$$

where the underlined part is the double frequency extraneous term, which we filter out,
and we are left with just the signal.

$$rcv(t) = \sqrt{2P_s}\, d(t)\, g(t)$$

Now we multiply this remaining signal with g(t), the code sequence, and we get

$$rcv(t) = \sqrt{2P_s}\, d(t)\, g(t)\, g(t)$$

Now from having used a very special kind of sequence, we say that the correlation of g(t)
with itself (only when perfectly aligned) is a certain scalar number which can be
removed, and we get the original signal back.

$$rcv(t) = \sqrt{2P_s}\, d(t)$$

In CDMA we do modulation twice. First with a binary sequence g(t), the properties of
which we will discuss below and then by a carrier. The binary sequence modulation
ahead of the carrier modulation accomplishes two functions: 1. it spreads the signal, and 2.
it introduces a form of encryption because the same sequence is needed at the receiver to
demodulate the signal.

In IS-95 and CDMA 2000 we do this three times, once with a code called Walsh, then
with a code called Short Code and then with one called Long code.


Properties of spreading codes

Multiplication with the code sequence which is of a higher bit rate, results in a much
wider spectrum. The ratio of the code rate to the information bit rate is called both the
spreading factor and the processing gain of the CDMA system. In IS-95, the chipping
rate is 1.2288 and the spreading factor is 64. Processing gain is usually given in dBs.

To distinguish the information bit rate from the code rate, we call the code rate, chipping
rate. In effect, we take each data bit and convert it into k chips, which is the code
sequence. We call it the chipping rate because the code sequence applied to each bit is as
you can imagine it chipping the original bit into many smaller bits.

For the CDMA spreading code, we need a random sequence that passes certain quality
criteria for randomness. These criteria are

1. The number of runs of 0s and 1s is equal. We want equal number of two 0s and
1s, a length of three 0s and 1s and four 0s and 1s etc. This property gives us a
perfectly random sequence.
2. There are equal number of runs of 0s and 1s. This ensures that the sequence is
balanced.
3. The periodic autocorrelation function (ACF) is nearly two valued with peaks at 0
shift and is zero elsewhere. This allows us to encrypt the signal effectively and
use the ACF peak to demodulate quickly.

Binary sequences that can meet these properties are called optimal binary sequences, or
pseudo-random sequences. There are many classes of sequences that mostly meet these
requirements, with m-sequences the only ones that meet all three requirements strictly.
These sequences can be created using shift-registers with feedback taps. By using a
single shift-register, maximum length sequences can be created; these are often called by
their shorter name of m-sequence, where m stands for maximum.

m-sequences and the Linear Feedback Shift-Register

3 stage LFSR generating m-sequence of period 7, using taps 1 and 3.

Another 3 stage LFSR generating m-sequence of period 7, using taps 2 and 3

Figure 6 The structure of linear feedback registers (LFSR) from which m-sequences
can be created

m-sequences are created using linear feedback registers (LFSR). Figure 6 shows a
three register LFSR with two different tap connection arrangements. The tap connections
are based on primitive polynomials on the order of the number of registers and unless the
polynomial is irreducible, the sequence will not be an m-sequence and will not have the
desired properties.

Each configuration of N registers produces one sequence of length $2^N$. If taps are
changed, a new sequence is produced of the same length. There are only a limited
number of m-sequences of a particular size.

The cross correlation between an m-sequence and noise is low, which is very useful in
filtering out noise at the receiver. The cross correlation between any two different
m-sequences is also low and is useful in providing both encryption and spreading. The low
amount of cross-correlation is used by the receiver to discriminate among user signals
generated by different m-sequences.

Think of m-sequence as a code applied to each message. Each letter (bit) of the message
is changed by the code sequence. The spreading quality of the sequence is an added
dimensionality and benefit in CDMA systems.

Gold sequences

Combining two m-sequences creates Gold codes. These codes are used in asynchronous
CDMA systems.

Gold sequences are an important class of sequences that allow construction of long
sequences with three-valued autocorrelation functions (ACFs). Gold sequences are
constructed from pairs of preferred m-sequences by modulo-2 addition of two maximal
sequences of the same length.
Gold sequences are useful in non-orthogonal CDMA. (CDMA 2000 is mostly an
orthogonal CDMA system.) Gold sequences have only three cross-correlation peaks,
which tend to get less important as the length of the code increases. They also have a
single auto-correlation peak at zero, just like ordinary PN sequences.
The use of Gold sequences permits the transmission to be asynchronous. The receiver can
synchronize using the auto-correlation property of the Gold sequence.

(Diagram: the outputs of two 3 stage shift registers are combined by EX-OR.)

Figure 7 Generating Gold codes by combining two preferred pairs of m-sequences

More codes

IS-95 and IS-2000 use two particular codes that are really m-sequences but have special
names and uses. These are called long codes and short codes.

Long code

The Long Codes are $2^{42}$ bits long (created from an LFSR of 42 registers) and run at 1.2288
Mb/s. The time it takes to recycle this length of code at this speed is 41.2 days. It is used
to both spread the signal and to encrypt it. A cyclically shifted version of the long code is
generated by the cell phone during call setup. The shift is called the Long Code Mask
and is unique to each phone call. CDMA networks have a security protocol called CAVE
that requires a 64-bit authentication key, called the A-key, and the unique ESN (Electronic
Serial Number, assigned to the mobile based on the phone number). The network uses both
of these to create a random number that is then used to create a mask for the long code
used to encrypt and spread each phone call. This number, the long code mask, is not fixed
but changes each time a connection is created.

There is a Public long code and a Private long code. The Public long code is used by the
mobile to communicate with the base during the call setup phase. The private long code
is one generated for each call then abandoned after the call is completed.
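
The two tap arrangements of Figure 6 and the idea of a mask that selects a shifted copy of one sequence can be checked directly; the following is an added example, not code from the tutorial. The register layout, the seed, the 4-stage tap sets and modelling the mask as an XOR of selected stages are assumptions made for the illustration.

```python
# Added example: m-sequences from the two 3-stage LFSRs of Figure 6.
# Layout, seed and the mask-as-XOR output model are assumptions.

def step(state, taps):
    """Advance one clock: XOR of the tapped stages is fed back into stage 1."""
    feedback = 0
    for t in taps:                          # taps are 1-based stage numbers
        feedback ^= state[t - 1]
    return [feedback] + state[:-1]

def lfsr(n_stages, taps, mask=None, seed=1):
    """Return 2^n - 1 output bits of an n-stage LFSR.

    mask selects the stages XORed into each output bit (bit 0 = stage 1).
    Default: the output is taken from the last stage only.
    """
    if mask is None:
        mask = 1 << (n_stages - 1)
    state = [(seed >> i) & 1 for i in range(n_stages)]
    out = []
    for _ in range(2 ** n_stages - 1):
        bit = 0
        for i, stage in enumerate(state):
            if (mask >> i) & 1:
                bit ^= stage
        out.append(bit)
        state = step(state, taps)
    return out

def period(n_stages, taps, seed=1):
    """Number of clocks before the register state repeats."""
    start = [(seed >> i) & 1 for i in range(n_stages)]
    state, clocks = step(start, taps), 1
    while state != start:
        state, clocks = step(state, taps), clocks + 1
    return clocks

def correlate(a, b, shift=0):
    """Periodic correlation of two 0/1 sequences mapped to +1/-1 chips."""
    n = len(a)
    return sum((1 - 2 * a[i]) * (1 - 2 * b[(i + shift) % n]) for i in range(n))

def shift_of(base, seq):
    """Return k if seq[i] == base[i + k] cyclically for all i, else None."""
    n = len(base)
    for k in range(n):
        if all(seq[i] == base[(i + k) % n] for i in range(n)):
            return k
    return None

def gold_codes(a, b):
    """a, b and a XOR every cyclic shift of b (Figure 7): 2^n + 1 codes."""
    n = len(a)
    return [a, b] + [[a[i] ^ b[(i + k) % n] for i in range(n)] for k in range(n)]

if __name__ == "__main__":
    seq_a = lfsr(3, (1, 3))                 # Figure 6, taps 1 and 3
    seq_b = lfsr(3, (2, 3))                 # Figure 6, taps 2 and 3
    print("taps 1,3:", seq_a, "period", period(3, (1, 3)))
    print("taps 2,3:", seq_b, "period", period(3, (2, 3)))
    print("autocorrelation  :", [correlate(seq_a, seq_a, k) for k in range(7)])
    print("cross-correlation:", [correlate(seq_a, seq_b, k) for k in range(7)])
    # Every non-zero mask yields the same sequence at a different shift,
    # which is how one long code can serve many calls.
    for mask in range(1, 8):
        masked = lfsr(3, (1, 3), mask=mask)
        print(f"mask {mask:03b} -> shift {shift_of(seq_a, masked)}")
    # Tap choice matters: a reducible polynomial gives a short cycle.
    print("4 stages, taps 1,4:", period(4, (1, 4)))
    print("4 stages, taps 2,4:", period(4, (2, 4)))
    print("Gold codes:", len(gold_codes(seq_a, seq_b)))
```

Because the generator is linear, the mask only selects a phase of a known sequence; any privacy it gives rests on keeping the mask itself secret.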

Short code

The short code used in CDMA systems is based on an m-sequence (created from an LFSR of
15 registers) of length $2^{15} - 1 = 32{,}767$ codes. These codes are used for synchronization in
the forward and reverse links and for cell/base station identification in the forward link.
The short code repeats every 26.666 milliseconds. The sequences repeat exactly 75 times
in every 2 seconds. We want this sequence to be fairly short because during call setup,
the mobile is looking for a short code and needs to be able to find it fairly quickly. Two
seconds is the maximum time that a mobile will need to find a base station, if one is
present, because in 2 seconds the mobile has checked each of the allowed base stations in
its database against the network signal it is receiving.

Each base station is assigned one of these codes. Since the short code is only one sequence,
how do we assign it to all the stations? We cyclically shift it. Each station gets the same
sequence but it is shifted.

From the properties of m-sequences, the shifted version of an m-sequence has a very
small cross correlation and so each shifted code is an independent code. For CDMA this
shift is 512 chips for each adjacent station. Different cells and cell sectors all use the
same short code, but use different phases or shifts, which is how the mobile
differentiates one base station from another. The phase shift is known as the PN Offset.
The moment when the Short code wraps around and begins again is called a PN Roll.
If I call the word "please" a short code, then I can assign "leasep" to one user, "easepl"
to another and so on. The shift by one letter would be my PN Offset. So if I say your ID
is 3, then you would use the code "aseple".

A mobile is assigned a short code PN offset by the base station to which it is transmitting.
The mobile adds the short code at the specified PN offset to its traffic message, so that
the base station in the region knows that the particular message is meant for it and not for
the adjacent base station. This is essentially the way the primary base station is identified
in a phone call. The base station maintains a list of nearby base stations and during
handoff, the mobile is notified of the change in the short code.

There are actually two short codes per base station, one each for the I and Q channels, to be
used in the quadrature spreading and despreading of CDMA signals.

Walsh codes

In addition to the above two codes, another special code, called Walsh, is also used in
CDMA. Walsh codes do not have the properties of m-sequences regarding cross
correlation. IS-95 uses 64 Walsh codes and these allow the creation of 64 channels from
the base station. In other words, a base station can talk to a maximum of 64 (this number
is actually only 54 because some codes are used for pilot and synch channels) mobiles at
the same time. CDMA 2000 used 256 of these codes.

Walsh codes are created out of Hadamard matrices and the Hadamard transform. Hadamard is the
matrix type from which Walsh created these codes. Walsh codes have just one
outstanding quality. In a family of Walsh codes, all codes are orthogonal to each other
and are used to create channelization within the 1.25 MHz band.

Here are the first four Hadamard matrices. The code length is the size of the matrix. Each
row is one Walsh code of size N. The first matrix gives us two codes: 00, 01. The second
matrix gives: 0000, 0101, 0011, 0110 and so on.


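$$H_1 = \begin{bmatrix} 0 & 0 \\ 0 & 1 \end{bmatrix}$$

$$H_2 = \begin{bmatrix} 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 1 & 1 & 0 \end{bmatrix}$$

$$H_3 = \begin{bmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 \\
0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 \\
0 & 1 & 1 & 0 & 0 & 1 & 1 & 0 \\
0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
0 & 1 & 0 & 1 & 1 & 0 & 1 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 1 & 1 & 0 & 1 & 0 & 0 & 1
\end{bmatrix}$$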

In general each higher level of Hadamard matrix is generated from the previous by the
Hadamard transform

$$H_{N+1} = \begin{bmatrix} H_N & H_N \\ H_N & \overline{H_N} \end{bmatrix}$$

Where $\overline{H_N}$ is the inverse of $H_N$.

The main purpose of Walsh codes in CDMA is to provide orthogonality among all the
users in a cell. Each user traffic channel is assigned a different Walsh code by the base
station. IS-95 has the capability to use 64 codes, whereas CDMA 2000 can use up to 256
such codes. Walsh code 0 (which is itself all 0s) is reserved for pilot channels, 1 to 7 for
synch and paging channels and the rest for traffic channels. They are also used to create an
orthogonal modulation on the forward link and are used for modulation and spreading on
the reverse channel.

Orthogonal means that cross correlation between Walsh codes is zero when aligned.
However, the auto-correlation of Walsh-Hadamard codewords does not have good
characteristics. It can have more than one peak and this makes it difficult for the receiver
to detect the beginning of the codeword without an external synchronization. The partial
sequence cross correlation can also be non-zero and un-synchronized users can interfere
with each other particularly as the multipath environment will differentially delay the
sequences. This is why Walsh-Hadamard codes are only used in synchronous CDMA and
only by the base station which can maintain orthogonality between signals for its users.
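
The Hadamard recursion above, and the reason Walsh codes only work when every user is chip-aligned, can be seen in a short run; this is an added example, not code from the tutorial. The user data bits, the chosen code indices and the one-chip delay are constructed for the illustration.

```python
# Added example: Walsh codes from the Hadamard recursion in the text,
# aligned channelization, and what a one-chip misalignment does.

def walsh(order):
    """H_order with 0/1 entries: H(N+1) = [[H, H], [H, complement(H)]]."""
    h = [[0]]
    for _ in range(order):
        top = [row + row for row in h]
        bottom = [row + [1 - b for b in row] for row in h]
        h = top + bottom
    return h

def chips(code):
    """Map bits to chips: 0 -> +1, 1 -> -1."""
    return [1 - 2 * b for b in code]

def correlate(a, b):
    """Aligned correlation of two codes of equal length."""
    return sum(x * y for x, y in zip(chips(a), chips(b)))

def rotate(code, k):
    """Delay a code by k chips (cyclic right rotation)."""
    k %= len(code)
    return code[-k:] + code[:-k] if k else list(code)

def spread(bits, code):
    """Replace every data bit by the Walsh code or its inverse."""
    c = chips(code)
    return [(1 - 2 * b) * x for b in bits for x in c]

def forward_link(users, codes):
    """Sum the spread signals; users maps Walsh index -> data bits."""
    n_bits = len(next(iter(users.values())))
    total = [0] * (n_bits * len(codes[0]))
    for index, bits in users.items():
        for i, value in enumerate(spread(bits, codes[index])):
            total[i] += value
    return total

def despread(signal, code):
    """Correlate each symbol period with one code; one sum per data bit."""
    c = chips(code)
    n = len(c)
    return [sum(signal[k + i] * c[i] for i in range(n))
            for k in range(0, len(signal), n)]

def decide(sums):
    return [0 if s > 0 else 1 for s in sums]

def delay(signal, k):
    """Shift a chip stream late by k chips, padding the start with silence."""
    return [0] * k + signal[:len(signal) - k]

if __name__ == "__main__":
    W = walsh(6)                                     # the 64 codes of IS-95
    users = {8: [0, 1, 1, 0], 9: [1, 1, 0, 0], 10: [0, 0, 0, 1]}  # constructed
    rx = forward_link(users, W)
    for index in users:
        print("Walsh", index, "->", decide(despread(rx, W[index])))
    print("unused Walsh 20 sees:", despread(rx, W[20]))
    # More than one autocorrelation peak: W1 repeats every 2 chips.
    print("W1 vs W1 delayed 2 chips:", correlate(W[1], rotate(W[1], 2)))
    # A user on W11 arriving one chip late leaks strongly into W10.
    late = delay(spread([0, 0, 0, 0], W[11]), 1)
    print("W11 one chip late, read with W10:", despread(late, W[10]))
```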



(Diagram: each user's data passes through a Walsh code, a long code mask and a base station short code, then through a channel with distortions, to Base Stations 1, 2 and 3.)

Figure 8 Relationship codes used in CDMA


The above is a simplified look at the use of these codes. Assume there are three users in
one cell. Each is trying to talk to someone else. User 1 wants to talk to someone who is
outside its cell and is in cell 2. User 3 wants to talk to someone in cell 3.

Let's take User 1. Its data is first covered by a channel Walsh code, which is any Walsh
code from 8 to 63. It is assigned to the user by base station 1, in whose cell the mobile
is located. The Base Station has also assigned different Walsh codes to users 2 and 3. All
three of these are different, are assigned by base station 1 and are orthogonal to each
other. This keeps the data apart at the base station. Now based on the random number
assigned by the BS, the mobile generates a long code mask (which is just the starting
point of the long code sequence and is a scalar number). It now multiplies the signal by
this long code starting at the mask ID. Now it multiplies it by the short code of the base
station to which it is directing the signal.

When the base station receives this signal, it can read the long code and see that the
message needs to be routed to base station 2. So it strips off the first short code and adds on
the short code of base station 2; the signal is then broadcast by BS 1 to BS 2 or sent by
landlines. BS 2 then broadcasts this signal along to all mobiles in its cell. The user who is
located in this cell now does the reverse. It multiplies the signal by the BS 2 short code
(it knows nothing about BS 1 where the message was generated), then it multiplies the signal
by the same long code as the generating mobile. How? During the call paging, the mobile
was given the same random number from which it creates the same long code mask.
After that it multiplies it by the Walsh code sequence (also relayed during call setup).

So that's about it, with some additional bells and whistles, which we shall get to shortly.

Channel waveform properties

The communications between the mobile and the base station takes place using specific
channels. Figure below shows the architecture of these channels.
The forward channel (from base station to mobile) is made up of the following channels:
Pilot channel (always uses Walsh code W0) (Beacon Signals)
Paging channel(s) (use Walsh codes W1-W7)
Sync channel (always uses Walsh code W32)
Traffic channels (use Walsh codes W8-W31 and W33-W63)
The reverse channel (from mobile to base station) is made up of the following channels:
Access channel
Traffic channel

Figure 9 Forward channel

Forward Channel description

A base station can communicate on up to 64 channels. It has one pilot signal, one synch
channel and 8 paging channels. The remaining are used for traffic with individual
mobiles.

(Block diagram. Blocks shown: Pilot Channel, all 0's, Walsh 0; Sync Channel, synch data at 1.2 kb/s, Walsh 32; Paging Channel, Walsh 1-7, paging channel mask; Traffic Channel, Walsh x, traffic channel mask, power control bits, MUX; convolutional encoder r = 1/2, symbol repetition and interleaver; long code with 1 to 64 decimator; base station short codes for the I channel and the Q channel; LPF; cos and sin carriers.)
Figure 10 Forward channel is the transmission of all traffic from the base station within
its cell. All data is sent simultaneously.

Pilot Channel

Let's start with how the base station establishes contact with the mobiles within its cell. It
is continually transmitting an all zero signal, which is covered by Walsh code 0, an all
0's code. So what we have here is one very long bit of all zeros. For this reason, the
pilot channel has very good SNR, making it easy for mobiles to find it. This all zero signal
is then multiplied by the base station's short code, which if you recall is the same short
code that all base stations use, but each with a different PN offset. Pilot PN Offsets are
always assigned to stations in multiples of 64 chips, giving a total of 512 possible
assignments. The 9-bit number that identifies the pilot phase assignment is called the
Pilot Offset.

This signal is real so it only goes out on the I channel, and is up-converted to the carrier
frequency, which in the US is 845 MHz.

On the receive side, the mobile picks up this signal and notes the base station that is
transmitting it. Here is a question: if the short code is cyclical, how does the receiver
know what the phase offset is? Do not all the signals from all the other nearby base
stations look the same? Yes, and the mobile at this point does not know which base
station it is talking to, only that it has found the network. To determine which of all the possible
base stations it is hearing, and there can be 256 of them, each using a 512 chip shifted short code, the
network uses the GPS signal and timing.

The zero offset base station aligns its pilot transmission with every even second time tick
of GPS. So let's say that your mobile is in the cell belonging to a base station with a PN
offset ID of 10. That means that it will start its transmission 10 x 512 chips = 5120 chips
after every even second time tick. So when the mobile wakes up and looks at its time, it
knows exactly where each base station short code should be. Then all it has to do is to do
a correlation of the bits it is seeing with each of the 256 possible sequences. Of course, it
tries the base station where it was last, but if it has been moved then theoretically it will
have to go through all 256 correlations to figure out where it is. But it does do it and at
the end of the process, it knows exactly which of the base stations it is hearing.

Figure 11 The mobile looks for the code that aligns with GPS timing. It picks off the
code received at this time, does a correlation with stored data and knows which base
station it has found.
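
The offset search described above, including trying the last known base station first, looks like this in miniature; it is an added example, not code from the tutorial. It uses a toy 1023-chip short code with 15 offsets instead of the real code, and the station amplitudes, noise level, seed and acceptance threshold are constructed values.

```python
# Added example: a mobile finding which PN offset it is hearing by
# correlating against time-shifted copies of one known short code.
import random

CHIPS_PER_OFFSET = 64      # pilot offsets are multiples of 64 chips (from the text)

def pn_sequence(n=10, taps=(3, 10)):
    """Toy short code (assumed size): one m-sequence period as +1/-1 chips."""
    state, chips = [1] * n, []
    for _ in range(2 ** n - 1):
        chips.append(1 - 2 * state[-1])
        state = [state[taps[0] - 1] ^ state[taps[1] - 1]] + state[:-1]
    return chips

def delayed(code, offset_id):
    """The short code as transmitted by the station with this PN offset."""
    d = offset_id * CHIPS_PER_OFFSET
    return [code[(i - d) % len(code)] for i in range(len(code))]

def receive(code, stations, noise_sigma=1.0, seed=2002):
    """One code period at the antenna: every audible pilot plus noise.

    stations maps PN offset id -> received amplitude (constructed values).
    """
    rng = random.Random(seed)
    rx = [rng.gauss(0.0, noise_sigma) for _ in code]
    for offset_id, amplitude in stations.items():
        for i, chip in enumerate(delayed(code, offset_id)):
            rx[i] += amplitude * chip
    return rx

def correlate(rx, code, offset_id):
    """Correlation of the received chips with one candidate offset."""
    return sum(r * c for r, c in zip(rx, delayed(code, offset_id)))

def acquire(rx, code, last_known=None, threshold=0.75):
    """Return (offset id found, number of correlations run).

    The last known offset is tried first and accepted if its correlation
    reaches threshold * code length; otherwise every offset is searched.
    """
    n_offsets = len(code) // CHIPS_PER_OFFSET
    tried = 0
    if last_known is not None:
        tried += 1
        if correlate(rx, code, last_known) >= threshold * len(code):
            return last_known, tried
    scores = {}
    for k in range(n_offsets):
        if k != last_known:
            scores[k] = correlate(rx, code, k)
            tried += 1
    return max(scores, key=scores.get), tried

if __name__ == "__main__":
    code = pn_sequence()
    # Serving station at offset 10, two weaker neighbours at 3 and 12.
    rx = receive(code, {10: 1.0, 3: 0.4, 12: 0.4})
    print("still in the same cell:", acquire(rx, code, last_known=10))
    print("moved since last use  :", acquire(rx, code, last_known=3))
    print("no history            :", acquire(rx, code))
```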

Synch Channel

The Synch channel information includes the pilot offset of the pilot the mobile has
acquired. This information allows the mobile to know where to search for the pilots in the
neighbor list. It also includes system time, the time of day, based on Global Positioning
Satellite (GPS) time. The system time is used to synchronize system functions. For
instance, the PN generators on the reverse link use zero offset relative to the even
numbered seconds in GPS time. However, the mobiles only know system time at the base
stations plus an uncertainty due to the propagation delay from its base station to the
mobile's location. The state of the long code generator at system time is also sent to the
mobile in the Synchronization message. This allows the mobile to initialize and run its
long code generator very closely in time synchronism with the long code generators in
the base stations. The Synchronization message also notifies the mobile of the paging
channel data rate, which may be either 4800 or 9600 bits/sec. The data rate of this
channel is always 1200 bps.

Paging Channel

Now the mobile flashes the name of the network on its screen and is ready to receive and
make calls. Your paging channel may now be full of data. It may include a ring tone or a
voicemail received message. The data on the paging channel sent by the base station
includes the mobile Electronic Serial Identification Number (ESIN), and is covered by a
long code. How does the mobile figure out what this long code is? At the paging level,
the system uses a public long code. This is because it is not talking to a specific mobile; it
is paging and needs to reach all mobiles. When the correct mobile responds, a new
private long code will be assigned at that time before the call is connected. The
mobile, while scanning the paging channel, recognizes its phone number and responds by
ringing. When you pick up the call, an access message goes back to the base station.

The mobile using Qualcomm CDMA generates an 18-bit code. The mobile sends this
authentication sequence to the base station during the sync part of the messaging
protocol. The base station checks the authentication code before allowing call setup. It
then issues a random number to the mobile, which the mobile uses in the CAVE
algorithm to generate a call specific long code mask. At the same time, the base station
will also do exactly that. The two now have the same long code with which to cover the
messages.

Traffic Channel

The base station can transmit traffic data to as many as 54 mobiles at the same time. It
keeps these channels separate by using Walsh codes. This is code division multiplexing
rather than a frequency based channelization. Walsh codes are used only by the base
station and in this fashion, it is a synchronous CDMA on the forward link, whereas on
the return link it is asynchronous CDMA, because there is no attempted separation
between the various users. But with the use of m-sequences for spreading, the quality of
orthogonality, although not perfect, is very good.

The traffic channel construct starts with baseband data at 4.8 kbps. It is then
convolutionally encoded at a rate of 1/2, so the data rate now doubles to 9.6 kbps. Symbol
repetition is used to get the data rate up to 19.2 kbps. All information rates are
sub-multiples of this rate. Data is then interleaved. The interleaving does not change the data
rate, only that the bits are reordered to provide protection against burst errors. Now at
this point, we multiply the resulting data sequences with the long code, which starts at the
point determined by the private random number generated by both the base station and
the mobile jointly. This start point is call-based and changes every time. Mobiles do not
have a fixed long code assigned to them. The Reverse CDMA Channel can have up to $2^{42} - 1$
logical channels, or the total number of calls that can be served is 17179869184.

Now the data is multiplied by a specific Walsh code, which is the nth call that the base
station is involved in. The mobile already knows this number from the paging channel.

The base station then combines all its traffic channels (each covered by a different Walsh
code), all paging channels (just 8), the one pilot channel and one synch channel,
adds them up, and does serial to parallel conversion to I and Q channels. Each is then covered
by an I and a Q short code and is QPSK modulated up to carrier frequencies and then
transmitted in the cell.

Reverse Channels

In IS-95, there are just two channels on which the mobile transmits, and even that never
simultaneously. It is either on the access channel or it is transmitting traffic. The channel
structure is similar but simpler to the forward channel, with the addition of 64-ary
modulation.

(Block diagram. Blocks shown: Access Channel and Traffic Channel data from the mobile; convolutional encoder r = 1/3; symbol repetition; interleaver; 64-ary modulation; burst randomizer on the traffic channel; long code generator with the long code traffic mask from the base station; base station short codes for the I channel and the Q channel; half symbol delay; LPF; cos and sin carriers.)

Figure 12 Reverse Channel - from mobile to base station communication

64-ary modulation

This block takes a group of six incoming bits (which makes $2^6 = 64$ different bit
sequences of 6 bits) and assigns a particular Walsh code to each. We know that each
Walsh code sequence is orthogonal to all the others so in this way, a form of spreading
has been forced on the arbitrarily created symbols of 6 bits. And this spreading also
forces the symbols to be orthogonal. It is not really a modulation but is more of a
spreading function because we still have not up converted this signal to the carrier
frequency. After this, a randomization function is employed to make sure we do not get
too many 0's or 1's in a row. This is because certain Walsh codes have a lot of
consecutive 0's.

Next comes multiplication with the long code starting at a particular private start point.
Then comes serial to parallel conversion, and application of baseband filtering which can
be a Gaussian or a root cosine shaping.

Then the Q channel (or I, it makes no difference) is delayed by half a symbol, as shown
below. The reason this is done is to turn this into an offset QPSK modulated signal. The
offset modulated signal has a lower non-linearity susceptibility and is better suited to
being transmitted by a class C amplifier such as may be used in a CDMA cell phone.

From there, each I and Q channel is multiplied by the RF carrier (a sine and a cosine of
frequency $f_c$) and off the signal goes to the base station.

On the demodulation side, the most notable item is the Rake receiver. Due to the
presence of multipath, Rake receivers, which allow maximal combining of delayed and
attenuated signals, make the whole thing work within reasonable power requirements.
Without Rake receivers, your cell phone would not be as small as it is.

Power control

Assume that there is only one user of the system. The carrier power

$$C = \mathrm{SNR} = E_b / T_b = R E_b$$

If we define the transmit power equal to W and signal bandwidth equal to B, then the
Interference power at the receiver is equal to

$$I = W N_0$$

Now we can write

$$\frac{C}{I} = \frac{R E_b}{W N_0} = \frac{E_b / N_0}{W / R}$$

The quantity W/R is the processing gain of the system. Now let's call M the number of
users in this system. The total interference power is equal to

$$I = C (M - 1)$$

Substituting this in the above equation, we get,

$$\frac{C}{I} = \frac{C}{C (M - 1)} = \frac{1}{M - 1}$$

and with one more substitution we get

$$\frac{C}{I} = \frac{E_b / N_0}{W / R} = \frac{1}{M - 1}$$

$$M - 1 \approx M = \frac{W}{R} \cdot \frac{1}{E_b / N_0}$$


So we conclude that the system capacity is a direct function of the processing gain for a
given $E_b/N_0$. What you may not have noticed is that we made an assumption that all
users have similar power level so the interferences are additive. No one user overwhelms
all the others. If the power levels of all users are not equal then the system capacity is
compromised and the C/I expression above is not valid.

The CDMA systems manage the power levels of all mobiles so that the power level of
each mobile is below a certain required level and is about the same whether the mobile is
very close to the base station or far at the edge of the cell. Multipath and fading also
attenuate power levels so the system maintains a power control loop.

IS-95 has an open loop and a closed loop power management system. The open loop is a
quicker way to manage power levels. The forward and reverse links are at different
frequencies so they fade differently, and open loop power control allows the mobile to
adjust its power without consulting with the base station. In closed loop power control the
base station measures the power level of the access channel signal sent by the mobile and
then commands with 1 in the synch channel if the power needs to be raised and with 0 if
it is to be reduced, by 1 dB at a time. The closed loop power control also uses an outer
loop power control. This method measures the Frame Error Rate (FER) both by the
mobile and the base station and then adjusts the power according to whether the FER is
acceptable.


CDMA 2000

This is an evolution and extension of capabilities and builds on the IS-95 standard. One
of the big ways in which CDMA 2000 differs from IS-95 is that it includes beam
forming. Each base station cell is now divided into three sectors such that frequency is
reused. This increases the gain at the mobile and allows better SNR and a larger number
of users. The other significant way that IS-2000 differs from IS-95 is that it allows
additional forward and reverse channels. Some of these channels are the same as IS-95
and others are new. Spreading codes are also changed to allow larger data rates. The 1.25
MHz channel with the 1.2288 Mbps spreading rate called 1X can now be 3X (3 x 1.2288
Mbps) or 5X (5 x 1.2288 Mbps).






CDMA 1xRTT Security Overview, August 2002
QUALCOMM Incorporated
2. Security CDMA Networks
The security protocols with CDMA-IS-41 networks are among the best in the industry. By
design, CDMA technology makes eavesdropping very difficult, whether intentional or accidental.
Unique to CDMA systems, is the 42-bit PN (Pseudo-Random Noise) Sequence called Long
Code to scramble voice and data. On the forward link (network to mobile), data is scrambled at a
rate of 19.2 Kilo symbols per second (Ksps) and on the reverse link, data is scrambled at a rate of
1.2288 Mega chips per second (Mcps).
CDMA network security protocols rely on a 64-bit authentication key (A-Key) and the
Electronic Serial Number (ESN) of the mobile. A random binary number called RANDSSD,
which is generated in the HLR/AC, also plays a role in the authentication procedures. The A-Key
is programmed into the mobile and is stored in the Authentication Center (AC) of the network. In
addition to authentication, the A-Key is used to generate the sub-keys for voice privacy and
message encryption.
CDMA uses the standardized CAVE (Cellular Authentication and Voice Encryption)
algorithm to generate a 128-bit sub-key called the Shared Secret Data (SSD). The A-Key, the
ESN and the network-supplied RANDSSD are the inputs to the CAVE that generates SSD. The
SSD has two parts: SSD_A (64 bit), for creating authentication signatures and SSD_B (64 bit), for
generating keys to encrypt voice and signaling messages. The SSD can be shared with roaming
service providers to allow local authentication. A fresh SSD can be generated when a mobile
returns to the home network or roams to a different system.
2.1. Authentication

In CDMA networks, the mobile uses the SSD_A and the broadcast RAND* as inputs to the
CAVE algorithm to generate an 18-bit authentication signature (AUTH_SIGNATURE), and sends
it to the base station. This signature is then used by the base station to verify that the subscriber is
legitimate. Both Global Challenge (where all mobiles are challenged with same random number)
and Unique Challenge (where a specific RAND is used for each requesting mobile) procedures are
available to the operators for authentication. The Global Challenge method allows very rapid
authentication. Also, both the mobile and the network track the Call History Count (a 6-bit
counter). This provides a way to detect cloning, as the operator gets alerted if there is a mismatch.

* Broadcast RAND, generated in the MSC, should not be confused with the RANDSSD from the HLR
The A-Key is re-programmable, but both the mobile and the network Authentication Center
must be updated. A-Keys may be programmed by one of the following: a) the factory, b) the
dealer at the point of sale, c) subscribers via telephone, d) OTASP (over the air service
provisioning). OTASP transactions utilize a 512-bit Diffie-Hellman key agreement algorithm,
making them well suited for this function. The A-Key in the mobile can be changed via OTASP,
providing an easy way to quickly cut off service to a cloned mobile or initiate new services to a
legitimate subscriber. Security of the A-Key is the most important component of the CDMA system.
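
The key hierarchy and the Call History Count check described in this section can be traced end to end in a short sketch; this is an added example, not Qualcomm's code. CAVE itself is not given on the page, so HMAC-SHA-256 is swapped in as a stand-in keyed function, and the ESN width, the RANDSSD and RAND lengths and all key values are constructed assumptions.

```python
# Added example: A-Key -> SSD -> 18-bit AUTH_SIGNATURE, plus the 6-bit
# Call History Count used to notice two handsets sharing one identity.
import hashlib
import hmac
import secrets

def cave_stand_in(key, label, data):
    """NOT CAVE: HMAC-SHA-256 is used here as a stand-in keyed function."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

def derive_ssd(a_key, esn, randssd):
    """A-Key + ESN + RANDSSD -> 128-bit SSD, returned as (SSD_A, SSD_B)."""
    ssd = cave_stand_in(a_key, b"SSD", esn.to_bytes(4, "big") + randssd)[:16]
    return ssd[:8], ssd[8:]

def auth_signature(ssd_a, rand):
    """SSD_A + broadcast RAND -> 18-bit AUTH_SIGNATURE."""
    digest = cave_stand_in(ssd_a, b"AUTH", rand)
    return int.from_bytes(digest[:3], "big") & 0x3FFFF

class Mobile:
    def __init__(self, esn, a_key):
        self.esn, self.a_key = esn, a_key
        self.ssd_a = self.ssd_b = None
        self.count = 0                          # Call History Count (6 bits)

    def update_ssd(self, randssd):
        self.ssd_a, self.ssd_b = derive_ssd(self.a_key, self.esn, randssd)

    def respond(self, rand):
        return self.esn, auth_signature(self.ssd_a, rand), self.count

class Network:
    def __init__(self):
        self.records = {}                       # ESN -> SSD_A and count
        self.rand = None

    def provision(self, esn, a_key):
        """The Authentication Center holds the A-Key and issues RANDSSD."""
        randssd = secrets.token_bytes(7)        # constructed length
        ssd_a, _ssd_b = derive_ssd(a_key, esn, randssd)
        self.records[esn] = {"ssd_a": ssd_a, "count": 0}
        return randssd

    def new_challenge(self):
        self.rand = secrets.token_bytes(4)      # constructed length
        return self.rand

    def authenticate(self, esn, signature, count):
        record = self.records.get(esn)
        if record is None:
            return "unknown ESN"
        if not 0 <= signature < 2 ** 18:
            return "bad signature"
        expected = auth_signature(record["ssd_a"], self.rand)
        if not hmac.compare_digest(expected.to_bytes(3, "big"),
                                   signature.to_bytes(3, "big")):
            return "bad signature"
        if count != record["count"]:
            return "count mismatch"             # operator alert: possible clone
        record["count"] = (record["count"] + 1) % 64
        return "ok"

def place_call(network, mobile):
    """One challenge and response; the mobile advances its count on success."""
    rand = network.new_challenge()
    result = network.authenticate(*mobile.respond(rand))
    if result == "ok":
        mobile.count = (mobile.count + 1) % 64
    return result

if __name__ == "__main__":
    net = Network()
    phone = Mobile(esn=0x1A2B3C4D, a_key=bytes(range(8)))   # constructed values
    randssd = net.provision(phone.esn, phone.a_key)
    phone.update_ssd(randssd)
    print("first call:", place_call(net, phone))
    # A second handset holding the same secrets and an old count snapshot.
    duplicate = Mobile(phone.esn, phone.a_key)
    duplicate.update_ssd(randssd)
    duplicate.count = phone.count
    print("legitimate phone again:", place_call(net, phone))
    print("duplicate identity    :", place_call(net, duplicate))
```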
2.2. Voice, Signaling, and Data Privacy
The mobile uses the SSD_B and the CAVE algorithm to generate a Private Long Code Mask
(derived from an intermediate value called Voice Privacy Mask, which was used in legacy TDMA
systems), a Cellular Message Encryption Algorithm (CMEA) key (64 bits), and a Data Key (32
bits). The Private Long Code Mask is utilized in both the mobile and the network to change the
characteristics of a Long code. This modified Long code is used for voice scrambling, which adds
an extra level of privacy over the CDMA air interface. The Private Long Code Mask doesn't
encrypt information, it simply replaces the well-known value used in the encoding of a CDMA
signal with a private value known only to both the mobile and the network. It is therefore
extremely difficult to eavesdrop on conversations without knowing the Private Long Code Mask.
Additionally, the mobile and the network use the CMEA key with the Enhanced CMEA (E-
CMEA) algorithm to encrypt signaling messages sent over the air and to decrypt the information
received. A separate data key, and an encryption algorithm called ORYX, are used by the mobile
and the network to encrypt and decrypt data traffic on the CDMA channels. Figure 3 illustrates
the CDMA authentication and encryption mechanism.
FIGURE 3:
By design, all CDMA phones use a unique PN (Pseudo-random Noise) code for spreading the
signal, which makes it difficult for the signal to be intercepted.
2.3. Anonymity
CDMA systems support the assignment of a Temporary Mobile Station Identifier (TMSI) to a
mobile to represent communications to and from a certain mobile in over the air transmissions.
This feature makes it more difficult to correlate a mobile user's transmission to a mobile user.
3. 3G CDMA 2000 Security
Third Generation technologies add more security protocols, including the use of 128-bit
privacy and authentication keys. For CDMA2000 networks, new algorithms such as Secure
Hashing Algorithm-1 (SHA-1) are being used for hashing and integrity, and the Advanced
Encryption Standard, AES (Rijndael) algorithm for message encryption. The AKA
(Authentication and Key Agreement) protocol will be used for all releases following CDMA2000
Release C. The AKA protocol will also be used in WCDMA-MAP networks, along with the
Kasumi algorithm for encryption and message integrity.
Appendix: Glossary
AC (AuC) Authentication Center
AES Advanced Encryption Standard
AKA Authentication and Key Agreement
CAVE Cellular Authentication and Voice Encryption
CDMA Code Division Multiple Access
CMEA Cellular Message Encryption Algorithm
ESN Electronic Serial Number
HLR Home Location Register
IDC International Data Corporation
IS Interim Standard
MAP Mobile Applications Part
MSC Mobile Switching Center
OTASP Over The Air Service Provisioning
RAND RANDom challenge
SHA-1 Secure Hash Algorithm -1
SSD Shared Secret Data
TDMA Time Division Multiple Access
TMSI Temporary Mobile Station Identifier
