05502415

8/3/2019 05502415

http://slidepdf.com/reader/full/05502415 1/5

On the Secure Multimedia Distribution Scheme

Based on Partial Encryption

Shiguo Liana, Xi Chen b, Yuan Dongc, Haila Wangd aHCI Lab, France Telecom R&D (Orange Labs) Beijing, Beijing 100080, China

E-mail: [email protected] bDepartment of E-Commerce, Nanjing University, Nanjing 210093, China

E-mail: [email protected] University of Posts and Telecommunications, Beijing 100876, China

E-mail: [email protected] Telecom R&D (Orange Labs) Beijing, Beijing 100080, China

Abstract —Some joint fingerprinting and decryption schemes

were reported recently for secure multimedia distribution.

However, most of them need to be investigated before practical

applications. In this paper, the secure distribution schemeproposed by Lemma et al. is investigated and improved. Since

this scheme aims to distribute multimedia content by encryption

and watermarking, some important performances determine its

practicability, including the perceptual security of the encryption

operation, the imperceptibility of the embedded watermark and

the robustness of the embedded watermark. Some flaws are

found in the scheme, such as the low encryption strength, the

data overflow caused by encryption/decryption and the low

correlation value caused by collusion, which degrade its

performances greatly. To improve the scheme, some means are

proposed, including media preprocessing, media encryption

based on module addition and collusion-resistant fingerprint

encoding. Comparative experiments show that better

performances are obtained by the improved means. The analysismethod proposed in this paper can be used to investigate some

other joint fingerprinting and decryption schemes.1

Keywords-digital fingerprinting; video encryption; digital rights

management; digital watermarking; multimedia communication

I. I NTRODUCTION

Secure multimedia distribution [1-6] is becoming more andmore urgent for practical applications, which transmitsmultimedia content from the sender to different receivers in asecure manner. Generally, two properties of multimediacontent need to be protected, including the confidentiality and

traitor tracing. The confidentiality can be protected bymultimedia encryption [1][3], while the traitor tracing is often protected by digital fingerprinting [5][7][8]. Digitalfingerprinting [5][7][8] is the technique that embeds the uniquecustomer information (e.g., customer ID) into media contentwith watermarking [4][6]. If an illegal media copy is found, theunique information can be extracted from the media copy andused to tell the traitor who distributes the media copy to other unauthorized customers. A good fingerprinting algorithm

1 This work was partially supported by the Crypto and Invenio projectslaunched by France Telecom.

should be secure against collusion attack [8] that produces anew copy by combining several copies.

Till now, some secure multimedia distribution schemeshave been proposed, which can be classified into three types.The first one [9][10] embeds customer information into mediadata and then encrypts the fingerprinted media data at sender side. The second one [11] embeds customer information intomedia data by the middle-level nodes in the network. The thirdone [12] embeds the receiver information into the mediacontent at receiver side. Generally, there is a security issue inthe third scheme: If the media content is firstly decrypted thenfingerprinted, the plain content may be leaked out from the gap

between decryption and fingerprint embedding.

To strengthen the third type of distribution scheme, somemeans have been proposed to combine decryption and

fingerprint embedding. In Chamleon scheme [13], the image isencrypted with a codebook at sender side, and decrypted withdifferent new codebooks at receiver side. In Lian et al.'sscheme [14], the variable-length codes of MPEG2 video areencrypted by codeword scrambling at sender side, and they aredecrypted into the adjacent variable-length codes under thecontrol of both the decryption key and fingerprinting key. InKundur's scheme [5], the signs of DCT coefficients in an imageare encrypted at sender side, and only part of the signs aredecrypted at receiver side. The positions of the undecryptedsigns, together with the signs themselves, determine thecustomer information. In Lemma et al's scheme [15], the videocontent is encrypted with additive operation under the controlof a key sequence, and decrypted by subtraction operation

under the control of both key sequence and fingerprintsequence. Due to the combinations, these schemes have moreor less weakness in the security, imperceptibility or robustness.

In this paper, taking Lemma et al's scheme for example, weinvestigate its security, imperceptibility and robustness, pointout the flaws caused by the additive encryption andfingerprinting, propose some improvement means, andcompare the improved scheme with the original one. The restof the paper is arranged as follows. In Section 2, Lemma et al'sscheme is briefly introduced. Its performances includingsecurity, imperceptibility and robustness are analyzed in

978-1-4244-6404-3/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2010 proceedings

8/3/2019 05502415


Section 3. In Section 4, some means are proposed to improvethe scheme. The comparison between Lemma et al's schemeand the improved scheme is presented in Section 5. Finally, inSection 6, conclusions are drawn, and future work is given.

II. BRIEF I NTRODUCTION TO LEMMA ET AL'S SCHEME

In Lemma et al's scheme [15], the DCs of DCT blocks in

MPEG2 video are encrypted by adding a random sequence,named encryption sequence, and decrypted by adding another random sequence, named decryption sequence. The encryptionsequence changes DCs and degrades video quality greatly. Thedecryption sequence contains both encryption sequence andwatermark sequence, and can mark the media copy uniquely.As shown in Fig. 1, the original media P = p0 , p1 , …, pn-1 (0≤ pi<L, i=0,1,…,n-1, n>0, L is the maximal amplitude of media pixel) is encrypted into C =c0 , c1 , …, cn-1 (0≤ ci<L, i=0,1,…,n-1, n>0) with additive operation at the server side,and decrypted into P' = p' 0 , p' 1 , …, p' n-1 (0≤ p' i<L, i=0,1,…,n-1,n>0) with additive operation at the customer side. Theencryption and decryption operations are defined as

( )

i i i

i i i i

c p m

p c w mα

= +⎧⎨′ = + −⎩

. (1)

Here, M=m0 , m1 , …, mn-1 (-l/2≤ mi<l/2, i=0,1,…,n-1, l is themaximal amplitude) is the encryption sequence, W =w0 , w1 , …,wn-1 (-s/2≤ wi<s/2, i=0,1,…,n-1, s is the maximal amplitude) isthe fingerprint sequence, and α is the adjustment factor for fingerprint embedding. Generally, M 's amplitude is big enoughto change the content of the plain media P , while W 's amplitudeis small enough to keep the embedded fingerprint sequenceimperceptible.

The fingerprint sequence is detected by computing thecorrelation between P' and W according to

1 12

0 0

, ( ) / ( )n n

i i i

i i

P W p w w− −

= =

′ ′< > = ∑ ∑ . (2)

If the correlation value is big than the predetermined thresholdT , the fingerprint sequence exists in the copy, otherwise not.

pi

mi

αwi-mi

ci=pi+mi

p'i=pi+αwi

Sender Receiver

Parameter

Selection (DC)

Media

Content

Fig. 1. Lemma's method for multimedia distribution.

This scheme realizes both media content encryption andwatermarking. It is recommended to be used in secure mediadistribution that sends different copies to different customersand is able to trace illegal redistributors. In this case, thewatermarking is also named fingerprinting. Thus, for thisscheme, such performances should be investigated, e.g., thesecurity of encryption, the imperceptibility of watermarking,and the robustness of the fingerprinting.

III. PERFORMANCE EVALUATION OF THE SECURE

EMBEDDING SCHEME

A. Perceptual Security against Ciphertext-Only Attack

In this scheme, the changes of DCs will affect videocompression efficiency. In order to reduce the effect, l , themaximal amplitude of M is often kept small, e.g., no more than32 in [15]. In this case, the media content is degraded slightly,

which gives the opportunity to a ciphertext-only attack [16] based on data filtering. The data filtering based attack isdescribed as follows:

Firstly, get the DC sequence D from the encrypted mediacontent. Secondly, apply a filtering operation to the DCsequence D according to

D D F ′ = ⊗ (3)

Here, D' is the filtered DC sequence, the filter F may beGaussian filter, averaging or median filter, and ⊗ is the

convolution operation. Thirdly, return the DCs in the filteredDC sequence D' to the DCT blocks, and decode the mediacontent. Taking 3x3 median filtering [18] for example, the

media copies encrypted with different amplitudes are recovered by the above filtering method. The Peak Signal-to-Noise Ratios(PSNRs) of the encrypted media and recovered media aretested, as shown in Table 1. Here, the media sequences areForeman (CIF) and Tempete (CIF), and the compressionefficiency is 1Mbps. Fig. 2(b) shows the Tempete's copycorresponding to l =32. As can be seen, the media content'squality can be greatly improved when the encryptionsequence's amplitude is no bigger than 32. Furthermore, thefiltering operation can be iteratively applied to the recoveredmedia content [19], and the media content's quality can befurther improved. Thus, the scheme is not secure enough.

Additionally, the encryption scheme may be broken by the

replacement attack [17] that replaces some of the encrypteddata with others. For Lemma et al's scheme, the encrypted DCof each DCT block can be replaced with certain value, e.g.,196. As shown in Fig. 2(c), the recovered media content

becomes intelligible, although there are some gray covers. Italso shows that the replacement attack is really easy to break Lemma et al's scheme.

TABLE I.

QUALITY COMPARISON OF THE ENCRYPTED MEDIA AND RECOVERED MEDIA

Encryption

strength l

Foreman, CIF Tempete, CIF

Encrypted

(dB)

Recovered

(dB)

Encrypted

(dB)

Recovered

(dB)

16 31.35 33.11 27.23 29.95

32 27.92 30.46 26.12 29.28

64 23.22 25.27 22.88 24.81

128 17.57 17.68 18.17 18.21

B. Data Overflow in Implementation

Suppose the media pixel of P or C lies in the range of [0, L-1], the encryption process follows

[ ]round

1,

, 0

0, 0

i i

i i i i i i i

i i

L p m L

c p m p m p m L

p m

− + ≥⎧⎪

= + = + ≤ + <⎨⎪ + <⎩

. (4)


8/3/2019 05502415


As can be seen, the encrypted media pixel in C is cut off whenthe summation of the pixels in P and M exceeds the range [0, L-1]. Thus, the decryption and watermarking scheme follows.

(a) Encrypted media (b) Recovered by filtering (l =32)

(c) Recovered by replacement attack

Fig. 2. Example of the encrypted media and recovered media.

[ ]round

( )

1, ( )

( ), 0 ( )

0, ( ) 0

i i i i

i i i

i i i i i i

i i i

p c w m

L c w m L

c w m c w m L

c w m

α

α

α α

α

′ = + −

− + − ≥⎧⎪

= + − ≤ + − <⎨⎪ + − <⎩

(5)

According to Eq. (5), the decrypted and watermarked media pixel P' may be cut off, it will be different from the original pixel P . Furthermore, the difference may be large enough to

degrade the marked media content's quality greatly. Accordingto Eq. (4), there are three cases to be considered. In the firstcase of 1ic L= − (

i i p m L+ ≥ ), the decrypted media copy is

[ ] [ ]round round

( ) 1

1, 1

1 , 0 1

0, 1 0

i i i i i i

i i

i i i i

i i

p c w m L w m

L L w m L

L w m L w m L

L w m

α α

α

α α

α

′ = + − = − + −

− − + − ≥⎧⎪

= − + − ≤ − + − <⎨⎪

− + − <⎩

. (6)

Here, the decrypted pixel in P' is nearly independent from theone in P because of the overflows in encryption and decryptionoperations. In the second case, the decrypted pixel P' keepsclose to the original one, and it contains the fingerprint

sequence W . In the third case of 0ic = ( 0i i p m+ < ), the

decrypted media copy is

[ ] [ ]round round

( )

1,

, 0

0, 0

i i i i i i

i i

i i i i

i i

p c w m w m

L w m L

w m w m L

w m

α α

α

α α

α

′ = + − = −

− − ≥⎧⎪

= − ≤ − <⎨⎪ − <⎩

. (7)

Similar to the first case, the decrypted pixel in P' is quitedifferent from the original pixel in P .

Among the proposed three cases, the first and third casescause great quality degradation on the decrypted media copy

because of the data overflows in encryption or decryptionoperations. Table 2 shows the example when L=512, l =128, s=80 and α=0.1. The pixels highlighted by italic writing showthe overflows that make the decrypted sequence P' verydifferent from the original one P .

TABLE II. DATA OVERFLOW IN LEMMA AT AL'S SCHEME

Types Sequences

Encryption sequence (M) 50, -45, 29, -38, 21, 0, -51, 48, -37

Fingerprint sequence (α W) -4, 3, -3, 0, -1, 3, 2, -3, 1

Original sequence (P) 510, 16, 123, 4, 509, 345, 276, 0, 511

Encrypted sequence (C) 511, 0, 152, 0, 511, 345, 225, 48, 474

Decrypted sequence (P') 457 , 48, 120, 42, 489, 348, 278, 0, 511

C. Robustness against collusion attack

In the proposed scheme, the media copy corresponding todifferent customer is identified by different fingerprintsequence. In collusion attack, different customers combinetheir copies together with collusion operations (averaging, min-max selection, linear combinatorial collusion attack [20], etc.)in order to produce a new copy without fingerprint sequences.Taking the averaging between N copies

0 P ′ ,1 P ′ , ,

1 N P −

′ for

example, the colluded copy ( ) N P ′ is

( )

0 1 1( ) / N

N P P P P N −

′ ′ ′ ′= + + + . (8)

Then, the correlation based fingerprint detection becomes

( )

0 1 1

0 1 1

, ( ) / ,

1 1 1, , ,

N

N

N

P W P P P N W

P W P W P W N N N

−

−

′ ′ ′ ′< >=< + + + >

′ ′ ′= < > + < > + + < >

(9)

If the fingerprint sequence W is only embedded into0 P ′ , then

the correlation value is ( )

0, , / N P W P W N ′ ′< >=< > that is N times

smaller than the one without collusion.

Taking Foreman, l =32, 0.1α = and 100 s = for example,

the relation between correlation value and collusion number N is tested and shown in Fig. 3. As can be seen, with the rise of N , the correlation value decreases and becomes smaller than T ,which makes the fingerprint sequence undetectable. Thus, theembedded fingerprint sequence is not robust against collusionattack especially when the collusion number is big.

IV. MEANS TO IMPROVE THE SCHEME

To solve the problems mentioned above, we propose somemeans.

A. Media Preprocessing

To avoid data overflow in encryption/decryption operation,the media content is preprocessed according to

,

,

1,

i

i i i

i

s p s

p p s p L s

L s p L s

α α

α α

α α

<⎧⎪

= ≤ < −⎨⎪

− − ≥ −⎩

(10)

Here, s is the maximal amplitude of the fingerprint sequence.


8/3/2019 05502415


2 4 6 8 100

0.2

0.4

0.6

0.8

1

Number of colluders

C o r r e l a t i o

n

v a l u e

Foreman,CIF

Tempete,CIF

T

Fig. 3. Relation between the correlation value and the collusion number N.

B. DC Encryption Based on Module Addition

The encryption based on module addition, as shown in Eq.

(11), is adopted to encrypt the preprocessed media content.

( )modi i ic p m L= + . (11)

Here, the encryption sequence's amplitude l can be big enough,e.g., L-1. And the decryption operation is

( ) mod ( )modi i i i i ic w m L p w Lα α ′ = + − = + . (12)

Thus, the data overflow in encryption or decryption is avoided.

C. Encryption of Other Parameters

According to the analysis in Section III.A, only DCencryption (in Luminance Space) is not secure enough. Someother parameters, e.g. DCs in Chrominance Spaces, ACs and

Motion Vector Differences (MVDs), should also be encrypted.Here, sign encryption [17][22] is used to encrypt the signs of DCs (in chrominance Spaces), ACs and MVDs, while their amplitudes are kept unchanged.

D. Collusion-Resistant Fingerprint Encoding

To resist collusion attacks, the fingerprint sequence will beencoded with some collusion-resistant codes, such as Boneh-Shaw code [7], Wu et al's code [8] and Tardos code [21].

V. PERFORMANCE COMPARISON

A. Perceptual Security

In the proposed scheme, the encryption sequence'samplitude l ranges from 0 to L-1, which is much bigger thanthe one in Lemma et al's scheme. Taking L=2048 and l =512,the experiments are done to compare the schemes' security. Asshown in Fig. 4, the media content (Fig. 4(b)) encrypted by theimproved scheme (both DC and sign encryption) is much moredegraded than the one (Fig. 4(a)) encrypted by Lemma et al.'sscheme, and it is difficult to be recovered by such ciphertext-only attack as filtering or replacement because of the largeencryption strength.

B. Imperceptibility

After decryption, the video content contains the uniquefingerprint sequence. The PSNRs of the video content

produced by different schemes are tested and shown in Fig. 5.Here, 0.1α = , 100 s = , and the amplitude l ranges from 16 to

256. As can be seen, the video quality decrypted by Lemma etal's scheme decreases with the rise of l , while the onedecryption by the improved scheme keeps nearly unchanged

under various encryption strength. That is because Lemma etal's scheme causes more degradation with the rise of l becauseof data overflow, while the improved scheme avoids thedegradation.

(a) Lemma et al's scheme (b) Improved DC + sign encryption

Fig. 4. Media contents encrypted by different schemes.

0 100 200 300 400 500

22

24

26

28

30

32

34

36

Encryption Strength l

P S N R ( d

B )

Foreman,Lemma's scheme

Foreman,Improved scheme

Tempete,Lemma's scheme

Tempete,Improved scheme

Fig. 5. Quality of the decrypted media content.

C. Collusion Resistance

To compare the improved scheme with Lemma et al'sscheme, the detect rate under different number of colluders istested and shown in Fig. 6. Here, the total number of customer is 100, the number of colluders range from 2 to 50, and thetested fingerprint codes include Boneh-Shaw code [7], Wu etal's code [8] and Tardos code [21]. As can be seen, theimproved scheme with various fingerprint codes obtains higher detection rate compared with Lemma et al's scheme when thenumber of colluders is certain.

VI. CONCLUSIONS AND FUTURE WORK

In this paper, the performance of Lemma et al's securedistribution scheme is analyzed and evaluated, including the


8/3/2019 05502415


perceptual security of the encrypted video content, theimperceptibility of the embedded fingerprint and thefingerprint's robustness against collusion attack. Firstly, sinceonly the encryption sequence with low amplitude is used invideo encryption, the video content can be recovered by suchsimple method as filtering. Secondly, the encryption or decryption operation causes data overflow, which degrades thedecrypted video content greatly. Thirdly, the fingerprint

sequence is just a simple random sequence that is not robustagainst collusion attacks especially when there are lots of colluders. To improve the scheme, some means are proposed,such as media preprocessing, media encryption based onmodule addition and collusion-resistant fingerprint encoding.These means strengthen the encrypted media content's

perceptual security, avoid data overflow and keep thedecrypted content of high imperceptibility, and improve thefingerprint's collusion-resistance.

10 20 30 40 5010

20

30

40

50

60

70

80

90

100

Number of colluders

D e t e c t i o n R a t e

Lemma's scheme

Improved,Boneh-Shaw

Improved,Wu et al.

Improved,Tardos

Fig. 6. Comparison of collusion resistance.

Of course, the encryption scheme's security can be further improved by encrypting more parameters, such as motionvector differences. In future work, the scheme's robustnessagainst some other common signal processing will be evaluatedand improved, the adaptive embedding in encryption domainwill be studied, and the scheme combined with some other codecs, such as MPEG4 and H.264/AVC, will be considered.Additionally, the analysis method proposed in this paper will

be used to investigate some other secure distribution schemes.

R EFERENCES

[1] S. Lian, Z. Liu, Z..Ren, H. Wang. Joint Fingerprint Embedding and

Decryption for Video Distribution. 2007 IEEE International Conferenceon Multimedia and Expo (ICME2007), page: 1523-1526, 2007.

[2] S. Lian, Z. Liu, Y. Dong, H. Wang. On the Joint Audio Fingerprintingand Decryption Scheme. 2008 IEEE International Conference onMultimedia and Expo (ICME2008), 2008, page: 261-264.

[3] S. Lian, Y. Dong, H. Wang. A Secure Solution for UbiquitousMultimedia Broadcasting. 2009 IEEE International Conference onCommunications (ICC 2009), Dresden, Germany, 13-18 June, 2009.

[4] I. J. Cox, M. L. Miller and J. A. Bloom, Digital Watermarking, Morgan-Kaufmann, San Francisco, 2002.

[5] D. Kundur and K. Karthik, “Video fingerprinting and encryption principles for digital rights management,” Proceedings of the IEEE, Vol.92, No. 6, pp. 918-932, 2004.

[6] S. Lian, Z. Liu, Z. Ren, H. Wang, "Commutative encryption and

watermarking in compressed video data," IEEE Circuits and Systems for Video Technology, vol. 17, no. 6, pp. 774-778, June 2007.

[7] D. Boneh, J. Shaw, “Collusion-secure fingerprinting for digital data,”IEEE Trans. Inform. Theory, Vol. 44, pp. 1897-1905, Sept. 1998.

[8] M. Wu, W. Trappe, Z. J. Wang, R. Liu, "Collusion-resistantfingerprinting for multimedia," IEEE Signal Processing Magazine,March 2004, pp. 15-27.

[9] H. V. Zhao, K. J. Ray Liu, "Fingerprint Multicast in Secure VideoStreaming," IEEE Transactions on Image Processing, 15(1), pp.12-29,2006.

[10] D. Simitopoulos, N. Zissis, P. Georgiadis, V. Emmanouilidis and M.G.Strintzis, “Encryption and Watermarking for the Secure Distributionof Copyrighted MPEG Video on DVD”, ACM Multimedia SystemsJournal, Special Issue on Multimedia Security, vol. 9, no. 3, pp. 217-227, Sep. 2003.

[11]

I. Brown, C. Perkins, and J. Crowcroft. Watercasting: Distributedwatermarking for multicast media. In Proceedings of the FirstInternational Workshop on Networked Group Communication, Springer-Verlag Lecture Notes in Computer Science, 1736, 1999.

[12] J. Bloom, “Security and rights management in digital cinema,” in Proc.IEEE Int. Conf. Acoustic, Speech and Signal Processing, Vol. 4, pp.712-715, 2003.

[13] R. Anderson and C. Manifavas, "Chamleon – A new kind of streamcipher," in Lecture Notes in Computer Science, Fast SoftwareEncryption, Springer-Verlag, pp. 107-113, 1997.

[14] S. Lian, Z. Liu, Z. Ren, H. Wang, “Secure Distribution Scheme for Compressed Data Streams,” 2006 IEEE Conference on ImageProcessing (ICIP 2006), Oct 2006, pp. 1953-1956.

[15] A. N. Lemma, S. Katzenbeisser, M. U. Celik, M. V. Veen, "SecureWatermark Embedding Through Partial Encryption," Proceedings of International Workshop on Digital Watermarking (IWDW 2006),

Springer LNCS, 4283, 433-445, 2006.

[16] R. A. Mollin. An Introduction to Cryptography, 2nd edition. CRC Press.2006.

[17] S. Lian, Z. Liu, Z. Ren, H. Wang, "Secure Advanced Video CodingBased on Selective Encryption Algorithms," IEEE Transactions onConsumer Electronics, Vol. 52, No. 2, pp. 621-629, May 2006.

[18] R. C. Gonzalez, R. E. Woods. Digital Image Processing, 2nd Edition.Prentice Hall, 2002.

[19] A. Said, “Measuring the strength of partial encryption schemes,” In proceedings of 2005 IEEE International Conference on ImageProcessing (ICIP 2005), 11-14 Sept., vol.2, pp. 1126-1129.

[20] Y. Wu, “Linear Combination Collusion Attack and its Application on anAnti-Collusion Fingerprinting,” IEEE International Conference onAcoustics, Speech, and Signal Processing, 2005, Vol. 2, pp. 13-16.

[21] G. Tardos, "Optimal Probabilistic Fingerprint Codes," In Proceedings of the 35th Annual ACM Symposium on Theory of Computing (STOC), pp. 116-125, 2003.

[22] S. Lian, Z. Liu, Z. Ren, Z. Wang. Multimedia data encryption in block based codecs. International Journal of Computers and Applications, Vo.29, No. 1, 2007.


05502415

Documents