This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts

for publication in the IEEE ICC 2010 proceedings

On the Secure Multimedia Distribution Scheme Based on Partial Encryption

Shiguo Liana, Xi Chenb, Yuan Dongc, Haila Wangd
a

HCI Lab, France Telecom R&D (Orange Labs) Beijing, Beijing 100080, China E-mail: shiguo.lian@orange-ftgroup.com b Department of E-Commerce, Nanjing University, Nanjing 210093, China E-mail: chenx@nju.edu.cn c Beijing University of Posts and Telecommunications, Beijing 100876, China E-mail: yuandong@bupt.edu.cn d France Telecom R&D (Orange Labs) Beijing, Beijing 100080, China should be secure against collusion attack [8] that produces a new copy by combining several copies. Till now, some secure multimedia distribution schemes have been proposed, which can be classified into three types. The first one [9][10] embeds customer information into media data and then encrypts the fingerprinted media data at sender side. The second one [11] embeds customer information into media data by the middle-level nodes in the network. The third one [12] embeds the receiver information into the media content at receiver side. Generally, there is a security issue in the third scheme: If the media content is firstly decrypted then fingerprinted, the plain content may be leaked out from the gap between decryption and fingerprint embedding. To strengthen the third type of distribution scheme, some means have been proposed to combine decryption and fingerprint embedding. In Chamleon scheme [13], the image is encrypted with a codebook at sender side, and decrypted with different new codebooks at receiver side. In Lian et al.'s scheme [14], the variable-length codes of MPEG2 video are encrypted by codeword scrambling at sender side, and they are decrypted into the adjacent variable-length codes under the control of both the decryption key and fingerprinting key. In Kundur's scheme [5], the signs of DCT coefficients in an image are encrypted at sender side, and only part of the signs are decrypted at receiver side. The positions of the undecrypted signs, together with the signs themselves, determine the customer information. In Lemma et al's scheme [15], the video content is encrypted with additive operation under the control of a key sequence, and decrypted by subtraction operation under the control of both key sequence and fingerprint sequence. Due to the combinations, these schemes have more or less weakness in the security, imperceptibility or robustness. In this paper, taking Lemma et al's scheme for example, we investigate its security, imperceptibility and robustness, point out the flaws caused by the additive encryption and fingerprinting, propose some improvement means, and compare the improved scheme with the original one. The rest of the paper is arranged as follows. In Section 2, Lemma et al's scheme is briefly introduced. Its performances including security, imperceptibility and robustness are analyzed in

AbstractSome joint fingerprinting and decryption schemes were reported recently for secure multimedia distribution. However, most of them need to be investigated before practical applications. In this paper, the secure distribution scheme proposed by Lemma et al. is investigated and improved. Since this scheme aims to distribute multimedia content by encryption and watermarking, some important performances determine its practicability, including the perceptual security of the encryption operation, the imperceptibility of the embedded watermark and the robustness of the embedded watermark. Some flaws are found in the scheme, such as the low encryption strength, the data overflow caused by encryption/decryption and the low correlation value caused by collusion, which degrade its performances greatly. To improve the scheme, some means are proposed, including media preprocessing, media encryption based on module addition and collusion-resistant fingerprint encoding. Comparative experiments show that better performances are obtained by the improved means. The analysis method proposed in this paper can be used to investigate some other joint fingerprinting and decryption schemes.1 Keywords-digital fingerprinting; video encryption; digital rights management; digital watermarking; multimedia communication

I.

INTRODUCTION

Secure multimedia distribution [1-6] is becoming more and more urgent for practical applications, which transmits multimedia content from the sender to different receivers in a secure manner. Generally, two properties of multimedia content need to be protected, including the confidentiality and traitor tracing. The confidentiality can be protected by multimedia encryption [1][3], while the traitor tracing is often protected by digital fingerprinting [5][7][8]. Digital fingerprinting [5][7][8] is the technique that embeds the unique customer information (e.g., customer ID) into media content with watermarking [4][6]. If an illegal media copy is found, the unique information can be extracted from the media copy and used to tell the traitor who distributes the media copy to other unauthorized customers. A good fingerprinting algorithm
1

This work was partially supported by the Crypto and Invenio projects launched by France Telecom.

978-1-4244-6404-3/10/$26.00 2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings

Section 3. In Section 4, some means are proposed to improve the scheme. The comparison between Lemma et al's scheme and the improved scheme is presented in Section 5. Finally, in Section 6, conclusions are drawn, and future work is given. II. BRIEF INTRODUCTION TO LEMMA ET AL'S SCHEME

III.

PERFORMANCE EVALUATION OF THE SECURE EMBEDDING SCHEME

In Lemma et al's scheme [15], the DCs of DCT blocks in MPEG2 video are encrypted by adding a random sequence, named encryption sequence, and decrypted by adding another random sequence, named decryption sequence. The encryption sequence changes DCs and degrades video quality greatly. The decryption sequence contains both encryption sequence and watermark sequence, and can mark the media copy uniquely. As shown in Fig. 1, the original media P=p0, p1, , pn-1 (0pi<L, i=0,1,,n-1, n>0, L is the maximal amplitude of media pixel) is encrypted into C=c0, c1, , cn-1 (0ci<L, i=0,1,,n-1, n>0) with additive operation at the server side, and decrypted into P'=p'0, p'1, , p'n-1 (0p'i<L, i=0,1,,n-1, n>0) with additive operation at the customer side. The encryption and decryption operations are defined as

A. Perceptual Security against Ciphertext-Only Attack In this scheme, the changes of DCs will affect video compression efficiency. In order to reduce the effect, l, the maximal amplitude of M is often kept small, e.g., no more than 32 in [15]. In this case, the media content is degraded slightly, which gives the opportunity to a ciphertext-only attack [16] based on data filtering. The data filtering based attack is described as follows: Firstly, get the DC sequence D from the encrypted media content. Secondly, apply a filtering operation to the DC sequence D according to (3) D = D F Here, D' is the filtered DC sequence, the filter F may be Gaussian filter, averaging or median filter, and is the convolution operation. Thirdly, return the DCs in the filtered DC sequence D' to the DCT blocks, and decode the media content. Taking 3x3 median filtering [18] for example, the media copies encrypted with different amplitudes are recovered by the above filtering method. The Peak Signal-to-Noise Ratios (PSNRs) of the encrypted media and recovered media are tested, as shown in Table 1. Here, the media sequences are Foreman (CIF) and Tempete (CIF), and the compression efficiency is 1Mbps. Fig. 2(b) shows the Tempete's copy corresponding to l=32. As can be seen, the media content's quality can be greatly improved when the encryption sequence's amplitude is no bigger than 32. Furthermore, the filtering operation can be iteratively applied to the recovered media content [19], and the media content's quality can be further improved. Thus, the scheme is not secure enough. Additionally, the encryption scheme may be broken by the replacement attack [17] that replaces some of the encrypted data with others. For Lemma et al's scheme, the encrypted DC of each DCT block can be replaced with certain value, e.g., 196. As shown in Fig. 2(c), the recovered media content becomes intelligible, although there are some gray covers. It also shows that the replacement attack is really easy to break Lemma et al's scheme.
TABLE I. QUALITY COMPARISON OF THE ENCRYPTED MEDIA AND RECOVERED MEDIA

ci = pi + mi . pi = ci + ( wi mi )

(1)

Here, M=m0, m1, , mn-1 (-l/2mi<l/2, i=0,1,,n-1, l is the maximal amplitude) is the encryption sequence, W=w0, w1, , wn-1 (-s/2wi<s/2, i=0,1,,n-1, s is the maximal amplitude) is the fingerprint sequence, and is the adjustment factor for fingerprint embedding. Generally, M's amplitude is big enough to change the content of the plain media P, while W's amplitude is small enough to keep the embedded fingerprint sequence imperceptible. The fingerprint sequence is detected by computing the correlation between P' and W according to

< P, W > = ( piwi ) / ( wi 2 ) .

i =0 i =0

n 1

n 1

(2)

If the correlation value is big than the predetermined threshold T, the fingerprint sequence exists in the copy, otherwise not.
Sender
mi pi
Media Content Parameter Selection (DC)

Receiver

ci=pi+mi

p'i=pi+wi

Encryption strength l 16 32 64 128

wi-mi

Fig. 1. Lemma's method for multimedia distribution.

Foreman, CIF Encrypted Recovered (dB) (dB) 31.35 33.11 27.92 30.46 23.22 25.27 17.57 17.68

Tempete, CIF Encrypted Recovered (dB) (dB) 27.23 29.95 26.12 29.28 22.88 24.81 18.17 18.21

This scheme realizes both media content encryption and watermarking. It is recommended to be used in secure media distribution that sends different copies to different customers and is able to trace illegal redistributors. In this case, the watermarking is also named fingerprinting. Thus, for this scheme, such performances should be investigated, e.g., the security of encryption, the imperceptibility of watermarking, and the robustness of the fingerprinting.

B. Data Overflow in Implementation Suppose the media pixel of P or C lies in the range of [0, L1], the encryption process follows

ci = [ pi + mi ]round

pi + mi L L 1, = pi + mi , 0 pi + mi < L . 0, pi + mi < 0

(4)

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings

As can be seen, the encrypted media pixel in C is cut off when the summation of the pixels in P and M exceeds the range [0, L-1]. Thus, the decryption and watermarking scheme follows.

Among the proposed three cases, the first and third cases cause great quality degradation on the decrypted media copy because of the data overflows in encryption or decryption operations. Table 2 shows the example when L=512, l=128, s=80 and =0.1. The pixels highlighted by italic writing show the overflows that make the decrypted sequence P' very different from the original one P.
TABLE II. DATA OVERFLOW IN LEMMA AT AL'S SCHEME Types Encryption sequence (M) Fingerprint sequence ( W) Original sequence (P) Encrypted sequence (C) Decrypted sequence (P') Sequences 50, -45, 29, -38, 21, 0, -51, 48, -37 -4, 3, -3, 0, -1, 3, 2, -3, 1 510, 16, 123, 4, 509, 345, 276, 0, 511 511, 0, 152, 0, 511, 345, 225, 48, 474 457, 48, 120, 42, 489, 348, 278, 0, 511

(a) Encrypted media

(b) Recovered by filtering (l=32)

(c) Recovered by replacement attack Fig. 2. Example of the encrypted media and recovered media.

C. Robustness against collusion attack In the proposed scheme, the media copy corresponding to different customer is identified by different fingerprint sequence. In collusion attack, different customers combine their copies together with collusion operations (averaging, minmax selection, linear combinatorial collusion attack [20], etc.) in order to produce a new copy without fingerprint sequences. Taking the averaging between N copies P0 , P , , PN 1 for 1 example, the colluded copy P ( N ) is (8) P( N ) = ( P0 + P+ + PN 1 ) / N . 1 Then, the correlation based fingerprint detection becomes
< P( N ) , W >=< ( P0 + P + 1 = + PN 1 ) / N , W > + 1 < PN 1 , W > N 1 1 < P0, W > + < P,W > + 1 N N

pi = [ ci + ( wi mi ) ]round ci + ( wi mi ) L L 1, = ci + ( wi mi ), 0 ci + ( wi mi ) < L 0, ci + ( wi mi ) < 0

(5)

(9)

According to Eq. (5), the decrypted and watermarked media pixel P' may be cut off, it will be different from the original pixel P. Furthermore, the difference may be large enough to degrade the marked media content's quality greatly. According to Eq. (4), there are three cases to be considered. In the first case of ci = L 1 ( pi + mi L ), the decrypted media copy is

If the fingerprint sequence W is only embedded into P0 , then the correlation value is < P( N ) ,W >=< P0,W > / N that is N times smaller than the one without collusion. Taking Foreman, l=32, = 0.1 and s = 100 for example, the relation between correlation value and collusion number N is tested and shown in Fig. 3. As can be seen, with the rise of N, the correlation value decreases and becomes smaller than T, which makes the fingerprint sequence undetectable. Thus, the embedded fingerprint sequence is not robust against collusion attack especially when the collusion number is big. IV. MEANS TO IMPROVE THE SCHEME

pi = [ ci + ( wi mi ) ]round = [ L 1 + wi mi ]round L 1 + wi mi L L 1, . = L 1 + wi mi , 0 L 1 + wi mi < L 0, L 1 + wi mi < 0

(6)

Here, the decrypted pixel in P' is nearly independent from the one in P because of the overflows in encryption and decryption operations. In the second case, the decrypted pixel P' keeps close to the original one, and it contains the fingerprint sequence W. In the third case of ci = 0 ( pi + mi < 0 ), the decrypted media copy is

To solve the problems mentioned above, we propose some means. A. Media Preprocessing To avoid data overflow in encryption/decryption operation, the media content is preprocessed according to

pi = [ ci + ( wi mi )]round = [ wi mi ]round

wi mi L L 1, = wi mi , 0 wi mi < L wi mi < 0 0,

(7)

Similar to the first case, the decrypted pixel in P' is quite different from the original pixel in P.

Here,

s is the maximal amplitude of the fingerprint sequence.

pi < s s, pi = pi , s pi < L s L s 1, p L s i

(10)

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings

1 Foreman,CIF Tempete,CIF 0.8 Correlation value

0.6

0.4 T

B. Imperceptibility After decryption, the video content contains the unique fingerprint sequence. The PSNRs of the video content produced by different schemes are tested and shown in Fig. 5. Here, = 0.1 , s = 100 , and the amplitude l ranges from 16 to 256. As can be seen, the video quality decrypted by Lemma et al's scheme decreases with the rise of l, while the one decryption by the improved scheme keeps nearly unchanged under various encryption strength. That is because Lemma et al's scheme causes more degradation with the rise of l because of data overflow, while the improved scheme avoids the degradation.

0.2

4 6 8 10 Number of colluders Fig. 3. Relation between the correlation value and the collusion number N.

B. DC Encryption Based on Module Addition The encryption based on module addition, as shown in Eq. (11), is adopted to encrypt the preprocessed media content. (11) ci = ( pi + mi ) mod L . Here, the encryption sequence's amplitude l can be big enough, e.g., L-1. And the decryption operation is (12) pi = (ci + wi mi ) mod L = ( pi + wi ) mod L . Thus, the data overflow in encryption or decryption is avoided. C. Encryption of Other Parameters According to the analysis in Section III.A, only DC encryption (in Luminance Space) is not secure enough. Some other parameters, e.g. DCs in Chrominance Spaces, ACs and Motion Vector Differences (MVDs), should also be encrypted. Here, sign encryption [17][22] is used to encrypt the signs of DCs (in chrominance Spaces), ACs and MVDs, while their amplitudes are kept unchanged. D. Collusion-Resistant Fingerprint Encoding To resist collusion attacks, the fingerprint sequence will be encoded with some collusion-resistant codes, such as BonehShaw code [7], Wu et al's code [8] and Tardos code [21]. V. PERFORMANCE COMPARISON

(a) Lemma et al's scheme

(b) Improved DC + sign encryption

Fig. 4. Media contents encrypted by different schemes.

36 34 32 PSNR (dB) 30 28 26 24 22 0 100 200 300 Encryption Strength l 400 500 Foreman,Lemma's scheme Foreman,Improved scheme Tempete,Lemma's scheme Tempete,Improved scheme

Fig. 5. Quality of the decrypted media content.

A. Perceptual Security In the proposed scheme, the encryption sequence's amplitude l ranges from 0 to L-1, which is much bigger than the one in Lemma et al's scheme. Taking L=2048 and l =512, the experiments are done to compare the schemes' security. As shown in Fig. 4, the media content (Fig. 4(b)) encrypted by the improved scheme (both DC and sign encryption) is much more degraded than the one (Fig. 4(a)) encrypted by Lemma et al.'s scheme, and it is difficult to be recovered by such ciphertextonly attack as filtering or replacement because of the large encryption strength.

C. Collusion Resistance To compare the improved scheme with Lemma et al's scheme, the detect rate under different number of colluders is tested and shown in Fig. 6. Here, the total number of customer is 100, the number of colluders range from 2 to 50, and the tested fingerprint codes include Boneh-Shaw code [7], Wu et al's code [8] and Tardos code [21]. As can be seen, the improved scheme with various fingerprint codes obtains higher detection rate compared with Lemma et al's scheme when the number of colluders is certain. VI. CONCLUSIONS AND FUTURE WORK

In this paper, the performance of Lemma et al's secure distribution scheme is analyzed and evaluated, including the

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings

perceptual security of the encrypted video content, the imperceptibility of the embedded fingerprint and the fingerprint's robustness against collusion attack. Firstly, since only the encryption sequence with low amplitude is used in video encryption, the video content can be recovered by such simple method as filtering. Secondly, the encryption or decryption operation causes data overflow, which degrades the decrypted video content greatly. Thirdly, the fingerprint sequence is just a simple random sequence that is not robust against collusion attacks especially when there are lots of colluders. To improve the scheme, some means are proposed, such as media preprocessing, media encryption based on module addition and collusion-resistant fingerprint encoding. These means strengthen the encrypted media content's perceptual security, avoid data overflow and keep the decrypted content of high imperceptibility, and improve the fingerprint's collusion-resistance.
100 90 80 Detection Rate 70 60 50 40 30 20 10 10 20 30 Number of colluders 40 50 Lemma's scheme Improved,Boneh-Shaw Improved,Wu et al. Improved,Tardos

[3]

[4] [5]

[6]

[7] [8]

[9]

[10]

[11]

[12]

[13]

[14]

Fig. 6. Comparison of collusion resistance.

[15]

Of course, the encryption scheme's security can be further improved by encrypting more parameters, such as motion vector differences. In future work, the scheme's robustness against some other common signal processing will be evaluated and improved, the adaptive embedding in encryption domain will be studied, and the scheme combined with some other codecs, such as MPEG4 and H.264/AVC, will be considered. Additionally, the analysis method proposed in this paper will be used to investigate some other secure distribution schemes. REFERENCES
[1] S. Lian, Z. Liu, Z..Ren, H. Wang. Joint Fingerprint Embedding and Decryption for Video Distribution. 2007 IEEE International Conference on Multimedia and Expo (ICME2007), page: 1523-1526, 2007. S. Lian, Z. Liu, Y. Dong, H. Wang. On the Joint Audio Fingerprinting and Decryption Scheme. 2008 IEEE International Conference on Multimedia and Expo (ICME2008), 2008, page: 261-264.

[16] [17]

[18] [19]

[20]

[21]

[2]

[22]

S. Lian, Y. Dong, H. Wang. A Secure Solution for Ubiquitous Multimedia Broadcasting. 2009 IEEE International Conference on Communications (ICC 2009), Dresden, Germany, 13-18 June, 2009. I. J. Cox, M. L. Miller and J. A. Bloom, Digital Watermarking, MorganKaufmann, San Francisco, 2002. D. Kundur and K. Karthik, Video fingerprinting and encryption principles for digital rights management, Proceedings of the IEEE, Vol. 92, No. 6, pp. 918-932, 2004. S. Lian, Z. Liu, Z. Ren, H. Wang, "Commutative encryption and watermarking in compressed video data," IEEE Circuits and Systems for Video Technology, vol. 17, no. 6, pp. 774-778, June 2007. D. Boneh, J. Shaw, Collusion-secure fingerprinting for digital data, IEEE Trans. Inform. Theory, Vol. 44, pp. 1897-1905, Sept. 1998. M. Wu, W. Trappe, Z. J. Wang, R. Liu, "Collusion-resistant fingerprinting for multimedia," IEEE Signal Processing Magazine, March 2004, pp. 15-27. H. V. Zhao, K. J. Ray Liu, "Fingerprint Multicast in Secure Video Streaming," IEEE Transactions on Image Processing, 15(1), pp.12-29, 2006. D. Simitopoulos, N. Zissis, P. Georgiadis, V. Emmanouilidis and M. G.Strintzis, Encryption and Watermarking for the Secure Distribution of Copyrighted MPEG Video on DVD, ACM Multimedia Systems Journal, Special Issue on Multimedia Security, vol. 9, no. 3, pp. 217227, Sep. 2003. I. Brown, C. Perkins, and J. Crowcroft. Watercasting: Distributed watermarking for multicast media. In Proceedings of the First International Workshop on Networked Group Communication, SpringerVerlag Lecture Notes in Computer Science, 1736, 1999. J. Bloom, Security and rights management in digital cinema, in Proc. IEEE Int. Conf. Acoustic, Speech and Signal Processing, Vol. 4, pp. 712-715, 2003. R. Anderson and C. Manifavas, "Chamleon A new kind of stream cipher," in Lecture Notes in Computer Science, Fast Software Encryption, Springer-Verlag, pp. 107-113, 1997. S. Lian, Z. Liu, Z. Ren, H. Wang, Secure Distribution Scheme for Compressed Data Streams, 2006 IEEE Conference on Image Processing (ICIP 2006), Oct 2006, pp. 1953-1956. A. N. Lemma, S. Katzenbeisser, M. U. Celik, M. V. Veen, "Secure Watermark Embedding Through Partial Encryption," Proceedings of International Workshop on Digital Watermarking (IWDW 2006), Springer LNCS, 4283, 433-445, 2006. R. A. Mollin. An Introduction to Cryptography, 2nd edition. CRC Press. 2006. S. Lian, Z. Liu, Z. Ren, H. Wang, "Secure Advanced Video Coding Based on Selective Encryption Algorithms," IEEE Transactions on Consumer Electronics, Vol. 52, No. 2, pp. 621-629, May 2006. R. C. Gonzalez, R. E. Woods. Digital Image Processing, 2nd Edition. Prentice Hall, 2002. A. Said, Measuring the strength of partial encryption schemes, In proceedings of 2005 IEEE International Conference on Image Processing (ICIP 2005), 11-14 Sept., vol.2, pp. 1126-1129. Y. Wu, Linear Combination Collusion Attack and its Application on an Anti-Collusion Fingerprinting, IEEE International Conference on Acoustics, Speech, and Signal Processing, 2005, Vol. 2, pp. 13-16. G. Tardos, "Optimal Probabilistic Fingerprint Codes," In Proceedings of the 35th Annual ACM Symposium on Theory of Computing (STOC), pp. 116-125, 2003. S. Lian, Z. Liu, Z. Ren, Z. Wang. Multimedia data encryption in block based codecs. International Journal of Computers and Applications, Vo. 29, No. 1, 2007.