[Cryptography] about subtractive dither, for audio and other use (also scientific)

Sampo Syreeni decoy at iki.fi
Fri Nov 19 18:22:57 EST 2021

Hi. As many of you may know, there are two different means dithering a 
signal: subtractive and additive. The first requires you to know the 
precise dither signal put in the A/D stage when doing D/A, which makes 
it difficult to apply. As such additive dithering is nowadays used, 
because it works single-ended, and is good enough for most work.

I would like to combine the advantages of each approach, but hit a snag 
some years back. I'd like to return to the subject, and solicit some 

Additive dither works for audio applications because it can be shown 
that adding a squarely distributed 1 LSB peak-to-peak zero centered 
noise signal before a quantizer decouples the mean of the quantization 
error from the utility signal, and adding each successive one decouples 
an extra statistical moment. Crucially, two such noise signals added 
lead to decoupling not only of the long term average, but also variance, 
meaning power. As such, at the lowest levels, audible noise modulation 
(coupling of the error signal to average power) goes away at precisely 
two such signals added.

(Adding independent white noises of given statistical distribution to 
each other, leads to the resulting noise having a distribution the 
convolution of the formers'. As such, adding two squarely distributed 
noises leads to a triangularly distributed outcome; the TPDF dither we 
so often use when rounding down from higher word widths. "That 

Things are much better on the subtractive side: if you know the dither 
signal from the start, adding and then subtracting a single independent 
noise channel, rectangularly distributed (RDPF) will decouple *all* of 
the statistical moments from the error signal at the same time. It's as 
good as it gets, from the get-go. It's also easy to simulate, so go 
about it: 6dB extra on the voltage, 3dB extra on power, and whatever the 
units are on the higher moments; it's *very* much audible when you get 

The trouble is, then, how to transmit the subtractive dithering signal 
to the receiver side. Obviously, you can't use a full side channel. But 
in the digital domain you *can* use pseudo-random number generators. 
Those whom are known to have nice statistical and computational 
properties. The side channel to indicate a particular one is lean, and 
with the cryptographically secure ones, only needs something like 128 
bits in order to be indistinguishable from white noise. So, when that 
side channel is available, why not tag an (audio?) signal as having been 
dithered with the optimum subtractive dither?

Which in fact isn't in this case the RPDF kind, but the TPDF one. 
Because absent the metadata -- often the case with running digital from 
disparate sources -- you'd be left with just an additive RPDF dither, 
which is not enough to make the power-coupling of the noise signal to go 
away. So instead, you should do subtractive TPDF dithering, so that the 
overall signal stays well-enough dithered to second degree (and the ear) 
even if you don't know enough to do the subtraction. That's easy 
fail-over. (If you get to do it, it's free from statistical error to all 
degrees, again.) And still, if you can do subtractive, it makes *very* 
little difference if the subtractee is RPDF or TPDF; everything still 
cancels out. (The only problem being that sqrt(2) difference at the 
edges of the A/D/A range, which ought to have some margin anyways. 
Hitting the rails, and all that, is not much of a problem in multibit 
converters, which we are talking about here.)

So in NASA kind of work, this suggests a simple configuration: an agreed 
upon configuration of a pseudo random number generator which feeds a 
dither D/A, or maybe some side data to give its seed. This is 
particularly easy to implement if rounding down in the digital domain -- 
such as in the audio work we do and which inspired this post -- but of 
course, it's the same from say 22 bit sensor values down to 8 bit 
telemetry, in a space probe. Also, it *can* be done so-so even for 
analog signals before the first round of digitization, and has been 

Next in my line of thought is, how about if we *can't* confer that 
metadata reliably. And herein is the cinch I'd like some help with...

How do you reliably detect from streaming audio (signal) content, that 
this sort of coding (which subtractive dither very much is, changing the 
signal as it is) has been applied? Without out-of-band metadata? Well 
the metadata has to be in-band by definition, so that it will have to 
somewhat disturb the signal. It also has to be able to be detected from 
the encoded signal with reasonable effort in both software and hardware, 
yet not skew the signal statistically, even if it has to leave *some* 
recognizable mark.

To date my best architecture works as follows:

1) I XOR all of the bits of a sample together, on the theory that there 
is going to be some randomizing noise in there, and so some entropy and 
independence in the resulting bits per sample.

   1a) This is useful because you can do the operation over bit stuffed
   words, the optimum way of embedding stuff into words of wider width.
   If the less significant bits are set to zero, all of the entropy of
   the higher order ones will work all the same. That is especially
   significant in audio work, because it's always 8-18-24 bits in
   exchange, and often passed over channels which do not declare the
   accuracy. In the digital domain, those extra zero cease to have any
   meaning, by design.

2) This is because I 1) want to synchronize against what my subtractive
    coder is doing if bits are lost, and in the longer run, be able to
    correlate against running data even at the analog level. This is
    after all about synchronous decoding, and its usual gain.

   2a) If I'm given a certain running stream of bits, with bit errors and
       then synchronization errors in it, I want to be able to
       resynchronize. The typical way to do this would be to run a
       continuous convolution, detecting a signature. But that's *very*
       ineffient. Instead I do it stochastically, flagging a small stream
       of bits from my above XOR circuit, in a running shift register.
       Then I compare it (after some processing) with a fixed, hashed
       value. That is very efficient in hardware, and I already know
       much doable by precomputation even in 8-bit software (cf. how CRC
       table calculation goes; only using linear polynomial stuff here,
       so it can be accelerated in hardware via the crypto-krimitives as

   2b) I run the bit stream over an inverse comma-code decoder as well.
       This is a poor-mans's version of doing a matched filtering operation,
       because such a decode of such a code essentially stops there and only
       there, where there isn't an overlapping match. I use a short much
       like that as my first latch, so that the second, heavier
       comparison doesn't have to be engaged as often.

3) So the idea is that every now and then, if my machinery has been told
    it's to do subtractive dithering, it'll a) do what it does by
    metadata, 1) going along as it has from the beginning, or 2)
    sometimes falling out of sync, so that it searches for the next
    pseudo-stochastic syncho point, and resynchs then, digitally.

   3a) If it loses synch, it'd be able to tell within which interval,
       even if kind of unpredictable by design.

   3b) The machinery would always leave behind in its subtractive
       dithering a well defined, well-spread out tract, which would be
       detectable in more intensive analysis. And sO, the signature could
       once again be deterministically subtracted out, to arrive at
       almost pristine signal.

   3c) The coding theory principle here is that if you only reserve one
       signal out of the billiards available within even a second of
       speech band communication, or a 2400 Baud modem thingy, it's one over
       billiard. Reserving that sort of minimum bandwidth, with proper
       coding, is unnoticeable. Which is what I'm doing here, with the
       continuous, deterministic noise introduced for dithering
       purposes. What I'm introducing here is a couple of bits of
       information, in the form of on-and-off low level noise.

So finally... Help me! I haven't been able to make this work quite like 
the theory above went. When I use the most performant algorithms and 
circuits I know for the above, it always comes back to a linear feedback 
shift register network, and even nonlinearity doesn't naively help. This 
project of mine is basically stalled because of that. So, please help me 
1) latch on right for occasional acquisition without synchroneity or 
metadata, 2) do low computational complexity and high 
statistical homogeneity serial random number generation, and e.g. 3) 
help me extend the approach towards the analog domain, e.g. in space 
Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
+358-40-3751464, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2

More information about the cryptography mailing list