Upload
irfan-ullah
View
223
Download
0
Embed Size (px)
Citation preview
8/3/2019 05502415
http://slidepdf.com/reader/full/05502415 1/5
On the Secure Multimedia Distribution Scheme
Based on Partial Encryption
Shiguo Liana, Xi Chen b, Yuan Dongc, Haila Wangd aHCI Lab, France Telecom R&D (Orange Labs) Beijing, Beijing 100080, China
E-mail: [email protected] bDepartment of E-Commerce, Nanjing University, Nanjing 210093, China
E-mail: [email protected] University of Posts and Telecommunications, Beijing 100876, China
E-mail: [email protected] Telecom R&D (Orange Labs) Beijing, Beijing 100080, China
Abstract —Some joint fingerprinting and decryption schemes
were reported recently for secure multimedia distribution.
However, most of them need to be investigated before practical
applications. In this paper, the secure distribution schemeproposed by Lemma et al. is investigated and improved. Since
this scheme aims to distribute multimedia content by encryption
and watermarking, some important performances determine its
practicability, including the perceptual security of the encryption
operation, the imperceptibility of the embedded watermark and
the robustness of the embedded watermark. Some flaws are
found in the scheme, such as the low encryption strength, the
data overflow caused by encryption/decryption and the low
correlation value caused by collusion, which degrade its
performances greatly. To improve the scheme, some means are
proposed, including media preprocessing, media encryption
based on module addition and collusion-resistant fingerprint
encoding. Comparative experiments show that better
performances are obtained by the improved means. The analysismethod proposed in this paper can be used to investigate some
other joint fingerprinting and decryption schemes.1
Keywords-digital fingerprinting; video encryption; digital rights
management; digital watermarking; multimedia communication
I. I NTRODUCTION
Secure multimedia distribution [1-6] is becoming more andmore urgent for practical applications, which transmitsmultimedia content from the sender to different receivers in asecure manner. Generally, two properties of multimediacontent need to be protected, including the confidentiality and
traitor tracing. The confidentiality can be protected bymultimedia encryption [1][3], while the traitor tracing is often protected by digital fingerprinting [5][7][8]. Digitalfingerprinting [5][7][8] is the technique that embeds the uniquecustomer information (e.g., customer ID) into media contentwith watermarking [4][6]. If an illegal media copy is found, theunique information can be extracted from the media copy andused to tell the traitor who distributes the media copy to other unauthorized customers. A good fingerprinting algorithm
1 This work was partially supported by the Crypto and Invenio projectslaunched by France Telecom.
should be secure against collusion attack [8] that produces anew copy by combining several copies.
Till now, some secure multimedia distribution schemeshave been proposed, which can be classified into three types.The first one [9][10] embeds customer information into mediadata and then encrypts the fingerprinted media data at sender side. The second one [11] embeds customer information intomedia data by the middle-level nodes in the network. The thirdone [12] embeds the receiver information into the mediacontent at receiver side. Generally, there is a security issue inthe third scheme: If the media content is firstly decrypted thenfingerprinted, the plain content may be leaked out from the gap
between decryption and fingerprint embedding.
To strengthen the third type of distribution scheme, somemeans have been proposed to combine decryption and
fingerprint embedding. In Chamleon scheme [13], the image isencrypted with a codebook at sender side, and decrypted withdifferent new codebooks at receiver side. In Lian et al.'sscheme [14], the variable-length codes of MPEG2 video areencrypted by codeword scrambling at sender side, and they aredecrypted into the adjacent variable-length codes under thecontrol of both the decryption key and fingerprinting key. InKundur's scheme [5], the signs of DCT coefficients in an imageare encrypted at sender side, and only part of the signs aredecrypted at receiver side. The positions of the undecryptedsigns, together with the signs themselves, determine thecustomer information. In Lemma et al's scheme [15], the videocontent is encrypted with additive operation under the controlof a key sequence, and decrypted by subtraction operation
under the control of both key sequence and fingerprintsequence. Due to the combinations, these schemes have moreor less weakness in the security, imperceptibility or robustness.
In this paper, taking Lemma et al's scheme for example, weinvestigate its security, imperceptibility and robustness, pointout the flaws caused by the additive encryption andfingerprinting, propose some improvement means, andcompare the improved scheme with the original one. The restof the paper is arranged as follows. In Section 2, Lemma et al'sscheme is briefly introduced. Its performances includingsecurity, imperceptibility and robustness are analyzed in
978-1-4244-6404-3/10/$26.00 ©2010 IEEE
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings
8/3/2019 05502415
http://slidepdf.com/reader/full/05502415 2/5
Section 3. In Section 4, some means are proposed to improvethe scheme. The comparison between Lemma et al's schemeand the improved scheme is presented in Section 5. Finally, inSection 6, conclusions are drawn, and future work is given.
II. BRIEF I NTRODUCTION TO LEMMA ET AL'S SCHEME
In Lemma et al's scheme [15], the DCs of DCT blocks in
MPEG2 video are encrypted by adding a random sequence,named encryption sequence, and decrypted by adding another random sequence, named decryption sequence. The encryptionsequence changes DCs and degrades video quality greatly. Thedecryption sequence contains both encryption sequence andwatermark sequence, and can mark the media copy uniquely.As shown in Fig. 1, the original media P = p0 , p1 , …, pn-1 (0≤ pi<L, i=0,1,…,n-1, n>0, L is the maximal amplitude of media pixel) is encrypted into C =c0 , c1 , …, cn-1 (0≤ ci<L, i=0,1,…,n-1, n>0) with additive operation at the server side,and decrypted into P' = p' 0 , p' 1 , …, p' n-1 (0≤ p' i<L, i=0,1,…,n-1,n>0) with additive operation at the customer side. Theencryption and decryption operations are defined as
( )
i i i
i i i i
c p m
p c w mα
= +⎧⎨′ = + −⎩
. (1)
Here, M=m0 , m1 , …, mn-1 (-l/2≤ mi<l/2, i=0,1,…,n-1, l is themaximal amplitude) is the encryption sequence, W =w0 , w1 , …,wn-1 (-s/2≤ wi<s/2, i=0,1,…,n-1, s is the maximal amplitude) isthe fingerprint sequence, and α is the adjustment factor for fingerprint embedding. Generally, M 's amplitude is big enoughto change the content of the plain media P , while W 's amplitudeis small enough to keep the embedded fingerprint sequenceimperceptible.
The fingerprint sequence is detected by computing thecorrelation between P' and W according to
1 12
0 0
, ( ) / ( )n n
i i i
i i
P W p w w− −
= =
′ ′< > = ∑ ∑ . (2)
If the correlation value is big than the predetermined thresholdT , the fingerprint sequence exists in the copy, otherwise not.
pi
mi
αwi-mi
ci=pi+mi
p'i=pi+αwi
Sender Receiver
Parameter
Selection (DC)
Media
Content
Fig. 1. Lemma's method for multimedia distribution.
This scheme realizes both media content encryption andwatermarking. It is recommended to be used in secure mediadistribution that sends different copies to different customersand is able to trace illegal redistributors. In this case, thewatermarking is also named fingerprinting. Thus, for thisscheme, such performances should be investigated, e.g., thesecurity of encryption, the imperceptibility of watermarking,and the robustness of the fingerprinting.
III. PERFORMANCE EVALUATION OF THE SECURE
EMBEDDING SCHEME
A. Perceptual Security against Ciphertext-Only Attack
In this scheme, the changes of DCs will affect videocompression efficiency. In order to reduce the effect, l , themaximal amplitude of M is often kept small, e.g., no more than32 in [15]. In this case, the media content is degraded slightly,
which gives the opportunity to a ciphertext-only attack [16] based on data filtering. The data filtering based attack isdescribed as follows:
Firstly, get the DC sequence D from the encrypted mediacontent. Secondly, apply a filtering operation to the DCsequence D according to
D D F ′ = ⊗ (3)
Here, D' is the filtered DC sequence, the filter F may beGaussian filter, averaging or median filter, and ⊗ is the
convolution operation. Thirdly, return the DCs in the filteredDC sequence D' to the DCT blocks, and decode the mediacontent. Taking 3x3 median filtering [18] for example, the
media copies encrypted with different amplitudes are recovered by the above filtering method. The Peak Signal-to-Noise Ratios(PSNRs) of the encrypted media and recovered media aretested, as shown in Table 1. Here, the media sequences areForeman (CIF) and Tempete (CIF), and the compressionefficiency is 1Mbps. Fig. 2(b) shows the Tempete's copycorresponding to l =32. As can be seen, the media content'squality can be greatly improved when the encryptionsequence's amplitude is no bigger than 32. Furthermore, thefiltering operation can be iteratively applied to the recoveredmedia content [19], and the media content's quality can befurther improved. Thus, the scheme is not secure enough.
Additionally, the encryption scheme may be broken by the
replacement attack [17] that replaces some of the encrypteddata with others. For Lemma et al's scheme, the encrypted DCof each DCT block can be replaced with certain value, e.g.,196. As shown in Fig. 2(c), the recovered media content
becomes intelligible, although there are some gray covers. Italso shows that the replacement attack is really easy to break Lemma et al's scheme.
TABLE I.
QUALITY COMPARISON OF THE ENCRYPTED MEDIA AND RECOVERED MEDIA
Encryption
strength l
Foreman, CIF Tempete, CIF
Encrypted
(dB)
Recovered
(dB)
Encrypted
(dB)
Recovered
(dB)
16 31.35 33.11 27.23 29.95
32 27.92 30.46 26.12 29.28
64 23.22 25.27 22.88 24.81
128 17.57 17.68 18.17 18.21
B. Data Overflow in Implementation
Suppose the media pixel of P or C lies in the range of [0, L-1], the encryption process follows
[ ]round
1,
, 0
0, 0
i i
i i i i i i i
i i
L p m L
c p m p m p m L
p m
− + ≥⎧⎪
= + = + ≤ + <⎨⎪ + <⎩
. (4)
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings
8/3/2019 05502415
http://slidepdf.com/reader/full/05502415 3/5
As can be seen, the encrypted media pixel in C is cut off whenthe summation of the pixels in P and M exceeds the range [0, L-1]. Thus, the decryption and watermarking scheme follows.
(a) Encrypted media (b) Recovered by filtering (l =32)
(c) Recovered by replacement attack
Fig. 2. Example of the encrypted media and recovered media.
[ ]round
( )
1, ( )
( ), 0 ( )
0, ( ) 0
i i i i
i i i
i i i i i i
i i i
p c w m
L c w m L
c w m c w m L
c w m
α
α
α α
α
′ = + −
− + − ≥⎧⎪
= + − ≤ + − <⎨⎪ + − <⎩
(5)
According to Eq. (5), the decrypted and watermarked media pixel P' may be cut off, it will be different from the original pixel P . Furthermore, the difference may be large enough to
degrade the marked media content's quality greatly. Accordingto Eq. (4), there are three cases to be considered. In the firstcase of 1ic L= − (
i i p m L+ ≥ ), the decrypted media copy is
[ ] [ ]round round
( ) 1
1, 1
1 , 0 1
0, 1 0
i i i i i i
i i
i i i i
i i
p c w m L w m
L L w m L
L w m L w m L
L w m
α α
α
α α
α
′ = + − = − + −
− − + − ≥⎧⎪
= − + − ≤ − + − <⎨⎪
− + − <⎩
. (6)
Here, the decrypted pixel in P' is nearly independent from theone in P because of the overflows in encryption and decryptionoperations. In the second case, the decrypted pixel P' keepsclose to the original one, and it contains the fingerprint
sequence W . In the third case of 0ic = ( 0i i p m+ < ), the
decrypted media copy is
[ ] [ ]round round
( )
1,
, 0
0, 0
i i i i i i
i i
i i i i
i i
p c w m w m
L w m L
w m w m L
w m
α α
α
α α
α
′ = + − = −
− − ≥⎧⎪
= − ≤ − <⎨⎪ − <⎩
. (7)
Similar to the first case, the decrypted pixel in P' is quitedifferent from the original pixel in P .
Among the proposed three cases, the first and third casescause great quality degradation on the decrypted media copy
because of the data overflows in encryption or decryptionoperations. Table 2 shows the example when L=512, l =128, s=80 and α=0.1. The pixels highlighted by italic writing showthe overflows that make the decrypted sequence P' verydifferent from the original one P .
TABLE II. DATA OVERFLOW IN LEMMA AT AL'S SCHEME
Types Sequences
Encryption sequence (M) 50, -45, 29, -38, 21, 0, -51, 48, -37
Fingerprint sequence (α W) -4, 3, -3, 0, -1, 3, 2, -3, 1
Original sequence (P) 510, 16, 123, 4, 509, 345, 276, 0, 511
Encrypted sequence (C) 511, 0, 152, 0, 511, 345, 225, 48, 474
Decrypted sequence (P') 457 , 48, 120, 42, 489, 348, 278, 0, 511
C. Robustness against collusion attack
In the proposed scheme, the media copy corresponding todifferent customer is identified by different fingerprintsequence. In collusion attack, different customers combinetheir copies together with collusion operations (averaging, min-max selection, linear combinatorial collusion attack [20], etc.)in order to produce a new copy without fingerprint sequences.Taking the averaging between N copies
0 P ′ ,1 P ′ , ,
1 N P −
′ for
example, the colluded copy ( ) N P ′ is
( )
0 1 1( ) / N
N P P P P N −
′ ′ ′ ′= + + + . (8)
Then, the correlation based fingerprint detection becomes
( )
0 1 1
0 1 1
, ( ) / ,
1 1 1, , ,
N
N
N
P W P P P N W
P W P W P W N N N
−
−
′ ′ ′ ′< >=< + + + >
′ ′ ′= < > + < > + + < >
(9)
If the fingerprint sequence W is only embedded into0 P ′ , then
the correlation value is ( )
0, , / N P W P W N ′ ′< >=< > that is N times
smaller than the one without collusion.
Taking Foreman, l =32, 0.1α = and 100 s = for example,
the relation between correlation value and collusion number N is tested and shown in Fig. 3. As can be seen, with the rise of N , the correlation value decreases and becomes smaller than T ,which makes the fingerprint sequence undetectable. Thus, theembedded fingerprint sequence is not robust against collusionattack especially when the collusion number is big.
IV. MEANS TO IMPROVE THE SCHEME
To solve the problems mentioned above, we propose somemeans.
A. Media Preprocessing
To avoid data overflow in encryption/decryption operation,the media content is preprocessed according to
,
,
1,
i
i i i
i
s p s
p p s p L s
L s p L s
α α
α α
α α
<⎧⎪
= ≤ < −⎨⎪
− − ≥ −⎩
(10)
Here, s is the maximal amplitude of the fingerprint sequence.
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings
8/3/2019 05502415
http://slidepdf.com/reader/full/05502415 4/5
2 4 6 8 100
0.2
0.4
0.6
0.8
1
Number of colluders
C o r r e l a t i o
n
v a l u e
Foreman,CIF
Tempete,CIF
T
Fig. 3. Relation between the correlation value and the collusion number N.
B. DC Encryption Based on Module Addition
The encryption based on module addition, as shown in Eq.
(11), is adopted to encrypt the preprocessed media content.
( )modi i ic p m L= + . (11)
Here, the encryption sequence's amplitude l can be big enough,e.g., L-1. And the decryption operation is
( ) mod ( )modi i i i i ic w m L p w Lα α ′ = + − = + . (12)
Thus, the data overflow in encryption or decryption is avoided.
C. Encryption of Other Parameters
According to the analysis in Section III.A, only DCencryption (in Luminance Space) is not secure enough. Someother parameters, e.g. DCs in Chrominance Spaces, ACs and
Motion Vector Differences (MVDs), should also be encrypted.Here, sign encryption [17][22] is used to encrypt the signs of DCs (in chrominance Spaces), ACs and MVDs, while their amplitudes are kept unchanged.
D. Collusion-Resistant Fingerprint Encoding
To resist collusion attacks, the fingerprint sequence will beencoded with some collusion-resistant codes, such as Boneh-Shaw code [7], Wu et al's code [8] and Tardos code [21].
V. PERFORMANCE COMPARISON
A. Perceptual Security
In the proposed scheme, the encryption sequence'samplitude l ranges from 0 to L-1, which is much bigger thanthe one in Lemma et al's scheme. Taking L=2048 and l =512,the experiments are done to compare the schemes' security. Asshown in Fig. 4, the media content (Fig. 4(b)) encrypted by theimproved scheme (both DC and sign encryption) is much moredegraded than the one (Fig. 4(a)) encrypted by Lemma et al.'sscheme, and it is difficult to be recovered by such ciphertext-only attack as filtering or replacement because of the largeencryption strength.
B. Imperceptibility
After decryption, the video content contains the uniquefingerprint sequence. The PSNRs of the video content
produced by different schemes are tested and shown in Fig. 5.Here, 0.1α = , 100 s = , and the amplitude l ranges from 16 to
256. As can be seen, the video quality decrypted by Lemma etal's scheme decreases with the rise of l , while the onedecryption by the improved scheme keeps nearly unchanged
under various encryption strength. That is because Lemma etal's scheme causes more degradation with the rise of l becauseof data overflow, while the improved scheme avoids thedegradation.
(a) Lemma et al's scheme (b) Improved DC + sign encryption
Fig. 4. Media contents encrypted by different schemes.
0 100 200 300 400 500
22
24
26
28
30
32
34
36
Encryption Strength l
P S N R ( d
B )
Foreman,Lemma's scheme
Foreman,Improved scheme
Tempete,Lemma's scheme
Tempete,Improved scheme
Fig. 5. Quality of the decrypted media content.
C. Collusion Resistance
To compare the improved scheme with Lemma et al'sscheme, the detect rate under different number of colluders istested and shown in Fig. 6. Here, the total number of customer is 100, the number of colluders range from 2 to 50, and thetested fingerprint codes include Boneh-Shaw code [7], Wu etal's code [8] and Tardos code [21]. As can be seen, theimproved scheme with various fingerprint codes obtains higher detection rate compared with Lemma et al's scheme when thenumber of colluders is certain.
VI. CONCLUSIONS AND FUTURE WORK
In this paper, the performance of Lemma et al's securedistribution scheme is analyzed and evaluated, including the
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings
8/3/2019 05502415
http://slidepdf.com/reader/full/05502415 5/5
perceptual security of the encrypted video content, theimperceptibility of the embedded fingerprint and thefingerprint's robustness against collusion attack. Firstly, sinceonly the encryption sequence with low amplitude is used invideo encryption, the video content can be recovered by suchsimple method as filtering. Secondly, the encryption or decryption operation causes data overflow, which degrades thedecrypted video content greatly. Thirdly, the fingerprint
sequence is just a simple random sequence that is not robustagainst collusion attacks especially when there are lots of colluders. To improve the scheme, some means are proposed,such as media preprocessing, media encryption based onmodule addition and collusion-resistant fingerprint encoding.These means strengthen the encrypted media content's
perceptual security, avoid data overflow and keep thedecrypted content of high imperceptibility, and improve thefingerprint's collusion-resistance.
10 20 30 40 5010
20
30
40
50
60
70
80
90
100
Number of colluders
D e t e c t i o n R a t e
Lemma's scheme
Improved,Boneh-Shaw
Improved,Wu et al.
Improved,Tardos
Fig. 6. Comparison of collusion resistance.
Of course, the encryption scheme's security can be further improved by encrypting more parameters, such as motionvector differences. In future work, the scheme's robustnessagainst some other common signal processing will be evaluatedand improved, the adaptive embedding in encryption domainwill be studied, and the scheme combined with some other codecs, such as MPEG4 and H.264/AVC, will be considered.Additionally, the analysis method proposed in this paper will
be used to investigate some other secure distribution schemes.
R EFERENCES
[1] S. Lian, Z. Liu, Z..Ren, H. Wang. Joint Fingerprint Embedding and
Decryption for Video Distribution. 2007 IEEE International Conferenceon Multimedia and Expo (ICME2007), page: 1523-1526, 2007.
[2] S. Lian, Z. Liu, Y. Dong, H. Wang. On the Joint Audio Fingerprintingand Decryption Scheme. 2008 IEEE International Conference onMultimedia and Expo (ICME2008), 2008, page: 261-264.
[3] S. Lian, Y. Dong, H. Wang. A Secure Solution for UbiquitousMultimedia Broadcasting. 2009 IEEE International Conference onCommunications (ICC 2009), Dresden, Germany, 13-18 June, 2009.
[4] I. J. Cox, M. L. Miller and J. A. Bloom, Digital Watermarking, Morgan-Kaufmann, San Francisco, 2002.
[5] D. Kundur and K. Karthik, “Video fingerprinting and encryption principles for digital rights management,” Proceedings of the IEEE, Vol.92, No. 6, pp. 918-932, 2004.
[6] S. Lian, Z. Liu, Z. Ren, H. Wang, "Commutative encryption and
watermarking in compressed video data," IEEE Circuits and Systems for Video Technology, vol. 17, no. 6, pp. 774-778, June 2007.
[7] D. Boneh, J. Shaw, “Collusion-secure fingerprinting for digital data,”IEEE Trans. Inform. Theory, Vol. 44, pp. 1897-1905, Sept. 1998.
[8] M. Wu, W. Trappe, Z. J. Wang, R. Liu, "Collusion-resistantfingerprinting for multimedia," IEEE Signal Processing Magazine,March 2004, pp. 15-27.
[9] H. V. Zhao, K. J. Ray Liu, "Fingerprint Multicast in Secure VideoStreaming," IEEE Transactions on Image Processing, 15(1), pp.12-29,2006.
[10] D. Simitopoulos, N. Zissis, P. Georgiadis, V. Emmanouilidis and M.G.Strintzis, “Encryption and Watermarking for the Secure Distributionof Copyrighted MPEG Video on DVD”, ACM Multimedia SystemsJournal, Special Issue on Multimedia Security, vol. 9, no. 3, pp. 217-227, Sep. 2003.
[11]
I. Brown, C. Perkins, and J. Crowcroft. Watercasting: Distributedwatermarking for multicast media. In Proceedings of the FirstInternational Workshop on Networked Group Communication, Springer-Verlag Lecture Notes in Computer Science, 1736, 1999.
[12] J. Bloom, “Security and rights management in digital cinema,” in Proc.IEEE Int. Conf. Acoustic, Speech and Signal Processing, Vol. 4, pp.712-715, 2003.
[13] R. Anderson and C. Manifavas, "Chamleon – A new kind of streamcipher," in Lecture Notes in Computer Science, Fast SoftwareEncryption, Springer-Verlag, pp. 107-113, 1997.
[14] S. Lian, Z. Liu, Z. Ren, H. Wang, “Secure Distribution Scheme for Compressed Data Streams,” 2006 IEEE Conference on ImageProcessing (ICIP 2006), Oct 2006, pp. 1953-1956.
[15] A. N. Lemma, S. Katzenbeisser, M. U. Celik, M. V. Veen, "SecureWatermark Embedding Through Partial Encryption," Proceedings of International Workshop on Digital Watermarking (IWDW 2006),
Springer LNCS, 4283, 433-445, 2006.
[16] R. A. Mollin. An Introduction to Cryptography, 2nd edition. CRC Press.2006.
[17] S. Lian, Z. Liu, Z. Ren, H. Wang, "Secure Advanced Video CodingBased on Selective Encryption Algorithms," IEEE Transactions onConsumer Electronics, Vol. 52, No. 2, pp. 621-629, May 2006.
[18] R. C. Gonzalez, R. E. Woods. Digital Image Processing, 2nd Edition.Prentice Hall, 2002.
[19] A. Said, “Measuring the strength of partial encryption schemes,” In proceedings of 2005 IEEE International Conference on ImageProcessing (ICIP 2005), 11-14 Sept., vol.2, pp. 1126-1129.
[20] Y. Wu, “Linear Combination Collusion Attack and its Application on anAnti-Collusion Fingerprinting,” IEEE International Conference onAcoustics, Speech, and Signal Processing, 2005, Vol. 2, pp. 13-16.
[21] G. Tardos, "Optimal Probabilistic Fingerprint Codes," In Proceedings of the 35th Annual ACM Symposium on Theory of Computing (STOC), pp. 116-125, 2003.
[22] S. Lian, Z. Liu, Z. Ren, Z. Wang. Multimedia data encryption in block based codecs. International Journal of Computers and Applications, Vo.29, No. 1, 2007.
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings