New approaches to encryption and steganography for digital ...hari/files/1943/Socek et al_2007... · video encryption mechanism that falls into a new category of video encryption

Multimedia Systems (2007) 13:191–204DOI 10.1007/s00530-007-0083-z

REGULAR PAPER

New approaches to encryption and steganographyfor digital videos

Daniel Socek · Hari Kalva · Spyros S. Magliveras ·Oge Marques · Dubravko Culibrk · Borko Furht

Published online: 24 May 2007© Springer-Verlag 2007

Abstract In this work we propose a novel type of digitalvideo encryption that has several advantages over other cur-rently available digital video encryption schemes. We alsopresent an extended classification of digital video encryp-tion algorithms in order to clarify these advantages. We ana-lyze both security and performance aspects of the proposedmethod, and show that the method is efficient and secure froma cryptographic point of view. Even though the method iscurrently feasible only for a certain class of video sequencesand video codecs, the method is promising and future inves-tigations might reveal its broader applicability. Finally, weextend our approach into a novel type of digital video stega-nography where it is possible to disguise a given video withanother video.

1 Introduction

The security and privacy of digital videos has becomeincreasingly more important in today’s highly computerizedand interconnected world. Digital media content must beprotected in applications such as pay-per-view TV or con-fidential video conferencing, as well as in medical, industrialor military multimedia systems. With the rise of wirelessportable devices, many users seek to protect the private

D. Socek (B) · H. Kalva · O. Marques · D. Culibrk · B. FurhtDepartment of Computer Science and Engineering,Florida Atlantic University, Boca Raton, FL 33431, USAe-mail: [email protected]

S. S. MagliverasDepartment of Mathematical Sciences,Florida Atlantic University, Boca Raton, FL 33431, USA

multimedia messages that are exchanged over the wirelessor wired networks. In general, applying a well-established,general-purpose symmetric-key encryption algorithm toensure the confidentiality during video transmission is a goodidea from a security point of view. Unfortunately, conven-tional, general-purpose encryption algorithms, such as AES,are not suitable for a number of digital video applications[6,7,11,12,15,20,28], mainly since these algorithms do notconform to various video application-related requirements,which are discussed in Sect. 2. In order to overcome thisproblem, a significant number of video encryption algorithmsspecifically designed for digital videos have been proposed[1,16,17,20,24,31]. Even though several classifications ofvideo encryption algorithms have been previously presented[12,15], we provide an extended and more comprehensivesuch classification. Furthermore, we present and analyze avideo encryption mechanism that falls into a new categoryof video encryption algorithms. An algorithm from this cat-egory inherently possesses several advantages over otherschemes. Finally, we show that our method allows for a newtype of digital video steganography where a given video isdisguised with another video.

The rest of this paper is organized as follows. In the nextsection we review some of the application-related require-ments that are not addressed with the conventional cryp-tography. Section 3 provides an extended comprehensiveclassification of video encryption algorithms, with a briefsurvey of the relevant published research in the area of videoencryption. Our novel approach is presented in Sect. 4, withits security analysis, implementation issues, and performanceanalysis given in Sects. 5, 6 and 7, respectively. A new ap-proach to video steganography is presented in Sect. 8. Finally,Sect. 9 holds our conclusions and suggestions for furtherresearch.

123

192 D. Socek et al.

2 Application-related requirements for videoencryption algorithms

There are applications with requirements not supported bythe conventional encryption methods. Thus, the encryptionalgorithms specifically designed to support these require-ments are desirable. These requirements include thefollowing:

1. Perceptual quality control. Encryption methods could beused to intentionally degrade the quality of perception.If the video contains sensitive industrial, governmentalor military information, then the cryptographic strengthmust be substantial (high-security) and no perceptualinformation should be preserved after encryption.

2. Format-compliance. In many applications it is desiredthat the encryption algorithm preserves the videocompression format. In other words, after encryptingthe encoded video, ordinary decoders can still decodeit without crashing. This property of an encryption algo-rithm is often called format-compliance (also calledtransparency, transcodability or syntax-awareness). AsFig. 1 shows, ordinary decoders are able to processformat-compliant encrypted data. Depending on atype of encryption used, the produced output appearseither perceivable but distorted, or non-perceivable andrandom.

3. Codec standard-compliance. A method is codec-standard compliant if it conforms the used video codecstandard. A typical video system is likely to consist ofa pre-manufactured encoder and decoder modules, anda video encryption method that requires no modificationto either of the two modules is often desirable.

4. Target bitrate. The amount of data that the video systemshould process per unit of time is referred to as the tar-get bitrate. Typically, this is the function of the time usedfor encoding, encryption, transmission (which dependson the channel bandwidth), decoding, and decryption. Inmany real-time video applications, it is imperative thatthe speed of the encryption and decryption algorithmsbe fast enough to ensure the target bitrate that is usuallyneeded for the normal video system processing.

5. Constant bitrate. In many instances, it is also requiredthat the encryption transformation preserves the size ofa bitstream. This is known as the constant bitrate require-ment. However, more often than not, it is simplypreferred that the output produced by an encryption-equipped encoder and the output produced by an ordi-nary encoder have similar sizes.

6. Error-tolerance. For many multimedia systems error-tolerance, or error-resilience, is usually of high impor-tance. Most conventional ciphers possess strongavalanche property, which causes decryption to fail evenif a single bit is flipped during transfer. Some videocodecs (e.g. H.264) have their own error correcting mech-anisms. Video encryption algorithm that preserves thesemechanisms is favorable for video systems with noisychannels.

In general, modern cryptography is designed for a genericbitstream, and as such, it disregards the aforementionedproperties of a digital video and the requirements of a typi-cal digital video application. In the next section, we presenta classification and a brief overview of the existing videoencryption algorithms proposed in the past mainly to over-come some of these application-related issues.

3 Classification and overview of video encryptionalgorithms

Research in the area of digital video encryption representsa relatively new area of study, yet a considerable numberof video encryption approaches have been proposed. In sev-eral publications, such as [15] and [12], the authors presenta very limited classification regarding digital video encryp-tion approaches taken by the research community. However,to date no comprehensive classification is provided in thepublished scientific literature. In this section we present anextended, comprehensive formal classification that includessome new concepts related to our approach. Having a com-prehensive classification of digital video encryption algo-rithms in place helps the generalization and understanding ofcore aspects such as security issues, functionality objectives,

Fig. 1 Decoded videoproduced by an ordinarydecoder for a video withoutencryption, b video encryptedwith format-compliantperceptual encryption, andc video encrypted with ahigh-security format-compliantencryption

(a) (b) (c)

123

New approaches to encryption and steganography for digital videos 193

composability and applicability. Moreover, many features,properties and issues regarding the proposed approaches canbe studied at the class level, which aids in the evaluation ofexisting approaches, as well as the design and evaluation offuture proposals.

3.1 Classification criteria and taxonomy

In general, all digital video encryption algorithms can be clas-sified according to the following seven classification criteria(C1–C7):

C1. What is selected for encryption?C2. Is the content perceivable after encryption?C3. Is the bitstream format-compliant after the encryption

step?C4. Does the approach require codec modification?C5. How does the bitstream size fluctuate due to the encryp-

tion algorithm?C6. Does the encryption occur before, during, or after the

compression?C7. Does the encryption process use a conventional

cryptosystem?

Classification in terms of what is selected for encryption(C1):

Full-encryption approaches. A video e ncryption algorithmthat performs encryption on the entire video bitstream (eithercompressed or uncompressed) belongs to this class of algo-rithms. This class of algorithms includes the so-called naïveapproach. The naïve approach is a type of full encryption ap-proach in which a conventional cryptosystem is used in theencryption step. All other full-encryption approaches that arenot using a conventional, general-purpose cryptosystem aregrouped into non-conventional full-encryption approaches.These non-conventional approaches are designed mostly toaccommodate low computational complexity and fast per-formance. Chaos-based video encryption algorithms, as wellas the approaches proposed in this dissertation are examplesof such algorithms.

Selective (partial) encryption approaches. This class ofvideo encryption algorithms consists of all approaches thatperform encryption only on certain, carefully selected bitsfrom the video bitstream (compressed or uncompressed),while leaving the rest of the bits unencrypted. Even moregenerally, one can define variable encryption to be an ap-proach where different encryption security levels are appliedto different bits from the input. Selective encryption (alsocalled partial encryption) can be seen as a subcategory ofvariable encryption. A special type of selective encryption

approach where the bits are selected based on spatial infor-mation is referred to as spatially selective encryption. Forinstance, one may choose to encrypt only the face of theperson appearing in the video sequence.Classification according to the degree of perception (C2):

Perceptual encryption approaches. As a quality controlmechanism, it is often desirable to have a video encryp-tion approach that intentionally preserves some low-qualityperceptual information about the source video content. Bydecrypting such encrypted video, one gains access to thesource video of original visual quality. In addition, beingable to control the degree of perception with a choice ofencryption “strength” is often desirable. Perceptual encryp-tion approaches are inherently of low-security in terms ofcontent confidentiality. However, they should be of high-security regarding the quality reconstruction control.

Non-perceivable encryption approaches. Approaches thatdo not preserve any perceptual information after encryptionare associated with this class of video encryption algorithms.An algorithm targeted for high-security video applicationsshould belong to this class of algorithms.Classification in terms of the encrypted bitstream format-compliance (C3):

Format-compliant approaches. When an encrypted videocontent is broadcast, it is often desired that the encrypted bit-stream is compliant with the appropriate video format so thatthe decoders at the client side would not crash. Video encryp-tion approaches that preserve the video compression formatafter the encryption step belong to this class of algorithms.

Format-defiant approaches. As opposed to the format-compliant algorithms, format-defiant algorithms produceoutput that is not compatible with the appropriate videoencoding format.Classification in terms of codec standard-compliance (C4):

Codec standard-compliant approaches. Algorithms fromthis class do not require modification to either the encoderor the decoder. These algorithms are favorable for those sys-tems where replacing the pre-installed software or hardwarecodecs would be infeasible. Full encryption approaches areassociated with this group of algorithms.

Codec standard-defiant approaches. This class of videoencryption algorithms consists of methods that require codecmodification. Most of the selective encryption approachesbelong to this category of algorithms, since generally theyrequire modification to both the encoder and the decoder.Classification according to the bitstream size fluctuation (C5):

123

194 D. Socek et al.

Constant (or near-constant) bitrate approaches. Algo-rithms from this class do not interfere with the compressionperformance of the encoder. In general, the non-encryptedvideo and its encrypted version should always be of the samesize (constant bitrate), or very close to one another (near-constant bitrate).

Variable bitrate approaches. This class of video encryp-tion approaches consists of methods that produce a variablebitstream size. Video encryption algorithms that significantlyincrease the bitstream size are of little interest to any practicalapplication. However, algorithms that have the ability to de-crease, preserve, or at least tolerably increase the size of thebitstream are much more practical. The approaches proposedin this dissertation are from the latter class of algorithms.Classification in terms of when the encryption occurs (C6):

In-compression approaches. Algorithms that performencryption within the video encoder belong to this class. Thisimplies that the decryption must occur within the decodingprocess at the decoder side. An algorithm from this classis inherently codec standard-defiant. Many selective videoencryption algorithms belong to this group.

Post-compression approaches. Algorithms from this classperform the encryption step after the video has been com-pressed. A naïve approach, as well as many non-conventionalfull approaches, such as [16], are indeed from this group ofalgorithms. These approaches are inherently codec standard-compliant, but also inherently format-defiant.

Pre-compression approaches. This class of video encryp-tion algorithms consists of approaches that perform encryp-tion before the compression. The algorithms from this classare inherently format-compliant and codec standard-compliant.Classification in terms of the underlying cryptosystem (C7):

Conventional encryption-based approaches. This classconsists of approaches where a conventional encryption algo-rithm is used in the encryption step. Many selective ap-proaches belong to this class. A full approach that belongsto this class is inherently a naïve approach.

Non-conventional encryption-based approaches. If theencryption process is based on a novel multimedia-specifictype of encryption, the algorithm should be classified as non-conventional encryption-based. For example, approaches likeHuffman table permutations, chaotic map-based or Hopfieldneural network-based multimedia encryptions all belong tothis class.

Several aforementioned observations regarding the pre-sented classification should be summarized:

• Perceptual encryption approaches must be format-compliant.

• In-compression approaches are inherently codecstandard-defiant.

• Post-compression approaches are inherently format-defiant.

• Pre-compression approaches are inherently format-compliant and codec standard-compliant.

• Full encryption approach that is also conventionalencryption-based is by definition a naïve approach.

3.2 Overview of related work

The idea of selective video encryption was introduced inde-pendently by Meyer and Gadegast [17] with an algorithmSECMPEG, and by Spanos and Maples [24] with an algo-rithm Aegis. Since then, a significant number of selectiveencryption proposals appeared in the scientific literature.A good reference for selective image and video encryptionmethods along with some security analysis is given in [7,8,12,15,28]. The proposed selective video encryption ap-proaches can generally be partitioned into two groups:(1) approaches that select information from the compressedbitstream (e.g. encrypting only compressed bitstream head-ers), and (2) approaches where the selection is performedduring the compression step (e.g. encrypting DCT coeffi-cients). Figure 2 shows the basic architecture of these twoselective encryption techniques.

Many selective encryption approaches were successfullycryptanalyzed shortly after the initial proposal as scientistsfound ways to exploit the information from the remaining,unencrypted bits. For example, Agi and Gong [2] showedweaknesses in SECMPEG [17] and Aegis [24] a year later.Also, a year after Tang proposed an image/video encryp-tion method [27] based on permuting the zig-zag reorderingafter a DCT transformation, Qiao et al. [21] discovered seri-ous weaknesses against attacks derived from statistical anal-ysis of the unencrypted DCT coefficients. Seidel et al. [25]show some weaknesses in the video encryption algorithms byShi et al. shortly after the original proposals [3,22,26]. Dueto complexity of the compressed video bitstream, it is oftendifficult to analyze how much the unencrypted bits can trulytell about the encrypted ones, or how can one use that infor-mation to aid cryptanalysis. Hence, the selective encryptionapproaches are much easier to design and evaluate againstthe performance aspects, than to properly evaluate in termsof security.

Selective approaches where the selection is performedduring the compression step (as depicted in Fig. 2a) are inher-ently codec-standard defiant. Most selective encryption ap-proaches, especially the ones that select information directly

123

New approaches to encryption and steganography for digital videos 195

“Modified” Encoder

First Stages of the Standard Encoder

Selected Bits Unselected Bits

Last Stages of the Standard Encoder

Encryption

“Modified” Decoder

Last Stages of the Standard Decoder

Decryption

First Stages of the Standard Decoder

Encrypted Bits Unencrypted Bits

Distribution Channel

Original Raw Video Decoded Video

Selective

Distribution Channel

Standard Encoder Standard Decoder

Decompression

Original Raw Video Decoded Video

Compression

Selected Bits Unselected Bits

Encryption

Postprocessing Selective

Decryption Unselected Bits

Selected Bits

Preprocessing

(a) (b)

Fig. 2 The usual architecture for selective video encryption approaches where selection and encryption occurs: a during compression stage, andb after compression stage

Full Approach

Distribution Channel

Standard Encoder Standard Decoder

Decompression

Original Raw Video Decoded Video

Full Approach

Decryption

Compression

Encryption

New Proposal

Distribution Channel

Standard Encoder

Compression

Standard Decoder

Decompression

Original Raw Video Decoded Video

New Proposal

DecryptionEncryption

(a) (b)

Fig. 3 The architecture for: a full video encryption algorithms proposed in the past almost all of which are post-compression approaches, andb the proposed method which is pre-compression approach resulting in no modification to the codec and fully application compliant video output

from the compressed bitstream (as shown in Fig. 2b), areformat-defiant.

A notable path that the research community took for thefull non-conventional video encryption approaches was theuse of fast chaotic maps to achieve encryption. Chaos-basedmethods are apparently promising due to their fast perfor-mance. Although many chaotic encryption approaches wereshown to be insecure, there are chaotic encryption algorithmsthat, up to date, remain unbroken (e.g. [16]). A good overviewof these approaches, along with their comparative securityanalysis is presented in [11] and [7]. There are a few recentlyproposed fast, hardware-friendly, full encryption methodsthat are based on a class of neural networks [4,9]. However,these methods were later shown to be less secure than origi-nally anticipated [5,23]. There are also non-conventional fullapproaches based on other mathematically hard problems,but most of them have been shown insecure due to oversim-plification. For example, Yi et al. [31] proposed a new fastencryption algorithm for multimedia (FEA-M), which basesthe security on the complexity of solving nonlinear Boolean

equations. The scheme was shown insecure against severaldifferent attacks [18,19,29,30]. Later its improved versionfrom [18] was shown insecure against differential chosen-plaintext attack in [13].

In addition to questionable security, the full non-conventional encryption approaches are, as noted earlier,not application-friendly when applied after compression andapplication requirements such as format-compliance or error-resilience are not supported. Figure 3a shows the typicalstructural design of full encryption approaches, whereencryption is performed after compression and where nomodification to the codec is required.

With the adoption of AES in 2001, which is a much fasterand more secure cryptosystem than DES, application issuesconcerning only the encryption processing speed are lesssignificant. In light of this, most fast full non-conventionalapproaches proposed in the past are, to a certain degree,obsolete.

In this work we propose a video encryption mechanismthat securely encrypts the video stream before compression

123

196 D. Socek et al.

(pre-compression approach), but that also preserves data cor-relation present in a typical video sequence. The architectureof this kind of approach is shown in Fig. 3b. In particular, wepresent a model that uses the permutation-based transforma-tions to achieve this goal.

4 The proposed model: correlation-preservingencryption for digital videos

Strong encryption is a process that produces randomizeddata. On the other hand, compression efficiency is directlydependent on the presence of source data redundancy. Themore the data is correlated, the better the compression, andvice versa. One may ask the following important question:is it possible to design an encryption mechanism of reason-able security that preserves, or perhaps even increases thecompressibility of data? Such system is here referred to asthe correlation-preserving encryption (CPE). CPE for dig-ital videos encoded with spatial-only coding is possible toachieve with permutation-based transformations.

4.1 Notation

Let V be a video sequence consisting of m frames denotedby I1, I2, . . . , Im . For our model we assume that all framesin V are part of a single scene with a relatively low move-ment, captured with a static camera, so that the differencesbetween adjacent frames are relatively small. Furthermore,we assume that each frame has a dimension of w × h and upto 2n different pixel values (colors). Finally, let σi denote acanonical sorting permutation of Ii , and σi (Ii ) the image withsorted pixels from Ii . For a given frame I there are a largenumber of sorting permutations for I . By a canonical sortingpermutation of I we mean a unique sorting permutation σ

that any two distant parties can compute solely by knowingI , which is the case when the parties utilize the same com-putational method. For example, the communicating partiescan agree on always choosing the lexicographically smallestsorting permutation of frame I . A more efficient method forgenerating a canonical sorting permutation relies on usinga standard sorting algorithm such as quicksort. A quicksort-

based algorithm that was used in our experiments is presentedin Sect. 6.

4.2 The algorithm: encryption and decryption

We describe two versions of our algorithm. The first one isdesigned for lossless spatial-only codecs, such as AnimatedGIF (A-GIF), Motion PNG (M-PNG), or Motion LosslessJPEG (M-JLS), while the second one is targeted for lossyspatial-only codecs, such as Motion JPEG (M-JPEG).

Suppose Alice wishes to securely transmit a video se-quence V = I1, I2, . . . , Im to Bob. We assume that if Alicewould like to transmit V to Bob non-securely, she would nor-mally use video compression algorithm C (the encoder) anddecompression algorithm D (the decoder). She opens twochannels with Bob, the regular, non-secure multimedia dis-tribution channel R, and a second, secure channel S wheretransmission data is encrypted using some standard method(e.g. AES-based protocol).

4.2.1 The lossless case

The following is the proposed encryption algorithm for loss-less codecs (see Fig. 4):

1. Given a video sequence V = I1, . . . , Im , Alice computesσ1.

2. Alice calculates C(I1) and transmits it through channelS. This is the secret part (the key) of the algorithm.

3. For each subsequent frame Ii , i = 2, . . . , m, Alice doesthe following:

(a) She computes the frame σi−1(Ii ) and the permuta-tion σi ;

(b) Alice then applies the standard encoder to the frameσi−1(Ii ) and transmits the encoded frameC(σi−1(Ii )) to Bob via the regular, non-secure mul-timedia channel R.

At the other end, Bob performs the following decryptionalgorithm (see Fig. 5) in order to recover the original videosequence V:

Fig. 4 Diagram of theproposed encryption algorithmfor lossless spatial-only videocodecs

123

New approaches to encryption and steganography for digital videos 197

Fig. 5 Diagram of theproposed decryption algorithmfor lossless spatial-only videocodecs

Fig. 6 Diagram of theproposed encryption algorithmfor lossy spatial-only videocodecs

1. Bob decodes C(I1) into I1 and obtains a canonical sort-ing permutation σ1.

2. For each received frame C(σi−1(Ii )), i = 2, . . . , m, Bobdoes the following:

(a) Decodes C(σi−1(Ii )) into σi−1(Ii ) and calculatesIi = σ−1

i−1(σi−1(Ii )) where σ−1i−1 is the inverse per-

mutation of σi−1;(b) Calculates the canonical sorting permutation σi of

Ii .

4.2.2 The lossy case

The proposed encryption algorithm for lossy codecs (seeFig. 6) is as follows:

1. Given a video sequence V = I1, . . . , Im , Alice first com-putes C(I1) and then I ′

1 = D(C(I1)) from which sheobtains the canonical sorting permutation σ ′

1.2. Alice sends C(I1) via secure channel S to Bob.3. She applies σ ′

1 to I2, computes C(σ ′1(I2)), and sends it

via R to Bob.4. Next, she computes I ′

2 = D(C(σ ′1(I2))) and then I ′′

2 =(σ ′

1)−1(I ′

2) from which she calculates the canonical sort-ing permutation σ ′′

2 .5. For each subsequent frame Ii , i = 3, . . . , m, Alice does

the following:

(a) Appliesσ ′′i−1 to Ii , computes C(σ ′′

i−1(Ii )), and sendsit to Bob via the regular channel R;

(b) Computes I ′i = D(C(σ ′′

i−1(Ii )));

123

198 D. Socek et al.

Fig. 7 Diagram of theproposed decryption algorithmfor lossy spatial-only videocodecs

(c) Applies (σ ′′i−1)

−1 to get I ′′i = (σ ′′

i−1)−1(I ′

i );(d) Calculates the canonical sorting permutation σ ′′

i .

At the receiver’s side, Bob performs the following decryp-tion algorithm (see Fig. 7) to recover the approximation ofthe original video sequence V:

1. Bob calculates D(C(I1)) = I ′1 ≈ I1 and sorting permu-

tation σ ′1.

2. From C(σ ′1(I2)) he computes I ′

2 = D(C(σ ′1(I2))).

3. Bob approximates I2 ≈ I ′′2 = (σ ′

1)−1(I ′

2).4. He then recovers the canonical sorting permutation σ ′′

2of I ′′

2 .5. For each received frame C(σ ′′

i−1(Ii )), i = 3, . . . , m, Bobdoes the following:(a) Decodes C(σ ′′

i−1(Ii )) into I ′i = D(C(σ ′′

i−1(Ii )));(b) Approximates Ii ≈ I ′′

i = (σ ′′i−1)

−1(I ′i );

(c) If i < m he calculates a sorting permutation σ ′′i of

I ′i .

The lossy version of our proposed algorithm requires acompression stage as a preprocessing to the encryption, sotechnically it does not exactly corresponds to the Fig. 3b.When compression is seen as a preprocessing step, the algo-rithm should still be considered to be a pre-compression ap-proach, and as such, inherently possesses the nice propertiessuch as codec-standard compliance and format-compliance.

4.3 Discussion

Intuitively, our permutation-based encryption approachworks as follows. Sorted, as well as “almost sorted” framesare quite compressible, and in many instances even morecompressible than the original source frames. When a sort-ing permutation of the previous frame acts on the currentframe, it produces an almost sorted frame. In general, trans-mitting permutations for a frame to the receiver is an expen-sive transmission. However, transmitting a compressed framefrom which the initial permutation can be computed is cheap.

Once an initial permutation is transmitted via secure chan-nel, the sender uses it to “almost sort” the next frame. In thenext section we show that a sorted or almost sorted framecan be safely sent via regular channel. By calculating a sort-ing permutation of the received frame, the receiver uses it torecover the next frame, and so on. This way the spatial cor-relation within frames of a video sequence is expected to bepreserved, if not improved, when static-camera low-motionsequences (e.g. video conferencing or telephony) and spa-tial-only video codecs (e.g. M-JPEG) are used.

5 Security analysis of our model

This section serves to analyze security aspects of the pro-posed method. The security strengths and weaknesses of theproposed system are pointed out.

Brute-force attack. Brute-force attack is based on exhaus-tive key search, and is feasible only for the cryptosystemswith relatively small key space. In our case, the brute-forceattack consists of two possible venues: one could either attackthe underlying conventional cryptosystem used for encryp-tion in channel S, or the proposed permutation-based methodused in channel R. For that reason, it is recommended to usea strong conventional symmetric-key cryptosystem, such asAES with 128-bit or stronger keys. The size of the key spacerelated to our permutation-based method is equivalent to thefollowing: Given a color histogram of an w×h image I , howmany different images can be formed out of the histogramcolor values? Note that I is just one of these images.

Let U (I ) ⊂ Z2n denote the set of unique pixel valuesthat appear in I . Furthermore, if u ∈ U (I ), let N (u) denotethe number of times pixel value u appears in I . By a rela-tively well-known counting result we have that the numberof different images that can be formed out of pixels from I ,where U (I ) = {u1, . . . , uk}, is

|Sw×h(I )| = (w × h)!∏k

i=1 N (ui )!.

123

New approaches to encryption and steganography for digital videos 199

Thus, there are exactly (w × h)!/∏ki=1 N (ui )! differ-

ent images, with exactly the same frequency distribution of{N (ui ) : i = 1, . . . , k}. These distinct images determine theeffective key space of our method. Thus, if one uses an n-bitconventional cryptosystem to encrypt key frames in channelS, the actual key space of the proposed method is

min

(

2n,(w × h)!

∏ki=1 N (ui )!

)

.

Clearly, the size of the key space depends on the color his-togram of the encrypted frame. As one can see, this numberis extremely large when considering any meaningful imagesof reasonable dimensions, and it is usually much larger thanbrute-forcing 2n keys of the used conventional symmetric-key cryptosystem.

Known/chosen-plaintext and chosen-ciphertext attacksPermutation-only video encryption is considered weakagainst known/chosen-plain-text attack, and a chosen-ciphertext attack [14]. However, all of the previouslyproposed methods rely on generating the secret permutationusing a secret key. Under this scenario, all of the aforemen-tioned attacks are trying to recover the secret key (or a partof it) that was used for the current or future encryptions.Our scheme does not rely on such a principle, and there isno secret key upon which a permutation is generated. Ourmethod relies on the sorting permutation of the previousframe, and thus, a key is directly dependant of the plaintext.Under a chosen-plaintext attack, the adversary can computethe sorting permutation for the chosen frame, but this gives noinformation about the sorting permutations for the unknownframes. Under a chosen-ciphertext attack, the adversary canrecover the unsorting permutation for the chosen encryptedframe, but this gives no information regarding other unknownciphertexts.

Known weaknesses A limited known-plaintext attack isapplicable to our method, because the adversary can recoverall frames that follow the known frame until the scene changesand key frame is updated. This, however, only reveals thatone scene, since the key is completely changed as soon asthe scene changes. This is a feature of all systems whosekey depends on the plaintext. In addition, if the adversaryhas the information on the possible videos to be encrypted,he or she may be able to recognize which video sequence isbeing transmitted from Alice to Bob by observing the pub-licly given pixel value histograms of frames. Another relatedproblem is the adversary’s ability to analyze the properties ofa given histogram for rough clues about the content. Namely,cartoon pictures and real photos have different histograms,and photos of human faces usually have narrower histogramsthan photos of natural scenes [11]. Although limited, these

attacks are unavoidable in the proposed scheme and thescheme should not be used when conditions are such thatthese attacks are possible to launch by an adversary.

6 Implementation issues

There are a few implementation issues related to the pro-posed scheme. The compression performance of the pro-posed method can be further improved by knowing how thecompression works at the encoder side. In particular, sinceM-JPEG performs a DCT-based compression on 8×8 blocksof a frame, better compression is achieved if the “almostsorted” data is reordered by filling in the 8 × 8 blocks in aframe instead of applying the usual raster ordering. This stepdoes not impact the computational complexity of the pro-posed method and it notably improves the performance ofM-JPEG encryption.

The second issue involves the calculation of a sorting per-mutation for a given frame. An efficient way of calculatingsuch a permutation is by using a modification of a fast sortingalgorithm, such as quicksort [10]. A given sorting algorithmshould be modified so that, in addition to keeping track ofthe exchanged elements, it keeps track of the indices of theexchanged elements. Both the sender and the receiver shoulduse the same sorting method in order to obtain the same sort-ing permutation.

The following recursive algorithm for obtaining a canoni-cal sorting permutation (with zero-based index) of an imageis used in our experiments. The algorithm takes four inputvariables, and the initial input is: (1) a copy a of a w × himage I , (2) p = [0 1 2 . . . (w × h) − 1] (the iden-tity permutation with zero-based index), (3) l = 0 and (4)r = (w × h) − 1

1. Set i = l − 1, j = r , and v = a[r ]2. If r ≤ l return from the algorithm3. Start an infinite loop and do the following:

(a) Set i = i + 1(b) While a[i] < v do the following:

i. Set i = i + 1

(c) Set j = j − 1(d) While v < a[ j] do the following:

i. If j = l break from this while loopii. Set j = j − 1

(e) If i ≥ j break from the infinite loop(f) Exchange a[i] and a[ j](g) Exchange p[i] and p[ j]

4. Exchange a[i] and a[r ]5. Exchange p[i] and p[r ]

123

200 D. Socek et al.

6. Recursively call this algorithm with a = a, p = p, l = land r = i − 1

7. Recursively call this algorithm with a = a, p = p,l = i + 1 and r = r

Finally, there is a need for having self-decodable frames,ones that are independent of previous or future frames. In thebase scheme, the current frame is always recoverable fromthe sorting permutation of the previous frame, and as such,the scheme cannot handle VCR-like functionality or framedropping caused by noisy channels or other communicationerrors. There is a simple and straightforward extension bywhich these functionalities can be achieved: the sorting per-mutation of the first frame (the key frame) can be used to“almost sort” every kth frame. The loss in compression gainis expected to be small since the assumption that all framesare part of a single scene holds. By doing so, the receiver canfast forward or rewind the video up to a kth frame, and framedropping will affect only frames up to the next kth frame.This strategy is analogous to the strategy used in MPEG-likealgorithms, where GOPs (group of pictures) with repetitiveI-frames are utilized.

7 Performance analysis and experimental results

To evaluate the performance of our method in terms of com-pression, we run experiments on several fairly static grey-scale sequences in CIF and QCIF formats. As Tables 1 and

2 show, our method preserves, and in many instances evenimproves the compression performance of the original codecwithout encryption. Table 2 also compares the loss of qual-ity (in terms of PSNR) when our method is applied to thelossy M-JPEG with quality parameter Q that controls thequantization level in M-JPEG. Q ranges from 0 (the worstquality) to 100 (the best quality). A modest loss of qualityoccurs by performing the proposed encryption with lossycodecs.

Figures 8 and 9 show in more detail how the compres-sion ratios of A-GIF and M-JLS lossless codecs with andwithout the proposed method compare when applied to se-quences Akiyo and Mother Daughter. As the figures depict,the compression results are better for Akiyo since it is amore static sequence than Mother Daughter (see Fig. 11).Figure 10 shows the compression performance of a lossycodec (M-JPEG with quality parameter Q = 90) with andwithout the proposed method applied to the same two se-quences. Again the results are better for a more static of thetwo sequences.

Observe that the curves from Figs. 8, 9, and 10 correspond-ing to our approach are, for the most part, similar amongstthemselves and also to the corresponding curves in Fig. 11,which depicts the mean square errors (MSEs) between theconsecutive frames within Akiyo and Mother Daughtersequences. In essence, this phenomenon occurs due to thetype of transformations we apply. This observation indicatesthat as long as the rate of change between the consecutive

Table 1 Performance of ourmethod for lossless spatial-onlycodecs

Codec w/o encryption Codec w/ encryption

Sequence Codec Size (MB) Avg. Fr. (KB) Size (MB) Avg. Fr. (KB)

Akiyo A-GIF 21.53 73.51 9.24 31.54

CIF (300 frms) M-PNG 19.09 65.15 7.96 27.17

M-JLS 10.70 36.53 7.39 25.23

Mother and A-GIF 21.68 73.99 15.93 54.38

Daughter M-PNG 19.23 65.64 14.97 51.11

CIF (300 frms) M-JLS 11.31 38.62 12.63 43.12

Monitor Hall A-GIF 24.88 84.91 18.50 63.14

CIF (300 frms) M-PNG 21.67 73.97 17.55 59.91

M-JLS 13.13 44.83 14.62 49.89

Grandma A-GIF 2.06 21.91 1.45 14.84

QCIF (100 frms) M-PNG 1.90 19.46 1.30 13.34

M-JLS 1.18 12.13 0.89 9.09

Claire A-GIF 1.52 15.59 1.17 11.98

QCIF (100 frms) M-PNG 1.35 13.86 1.02 10.48

M-JLS 0.75 7.68 0.71 7.27

Miss A-GIF 1.54 15.80 1.33 13.57

America M-PNG 1.44 14.79 1.27 13.05

QCIF (100 frms) M-JLS 0.81 8.34 0.91 9.37

123

New approaches to encryption and steganography for digital videos 201

Table 2 Performance of ourmethod for lossy spatial-onlycodecs

M-JPEG w/o encryption M-JPEG w/ encryption

Sequence Q Size (MB) Avg. Fr. (KB) PSNR Size (MB) Avg. Fr. (KB) PSNR

Akiyo 90 3.96 15.93 45.29 3.71 12.72 41.63

CIF (300 frms) 70 2.05 8.24 40.39 1.92 6.59 36.13

50 1.55 6.24 38.20 1.37 4.70 33.93

Mother and 90 4.21 16.96 45.25 4.98 17.07 39.97

Daughter 70 2.24 9.04 40.91 2.48 8.48 34.68

CIF (300 frms) 50 1.70 6.84 38.88 1.72 5.91 32.70

Monitor Hall 90 5.55 22.35 43.21 6.05 20.71 38.89

CIF (300 frms) 70 3.02 12.15 38.12 2.93 10.03 33.49

50 2.25 9.05 35.95 2.01 6.89 31.40

Grandma 90 0.57 5.94 41.04 0.35 3.58 41.55

QCIF (100 frms) 70 0.32 3.28 36.47 0.19 1.93 36.35

50 0.24 2.48 34.81 0.14 1.44 34.06

Claire 90 0.41 4.22 45.19 0.31 3.19 42.23

QCIF (100 frms) 70 0.25 2.62 39.86 0.17 1.80 36.60

50 0.20 2.08 37.51 0.13 1.36 34.36

Miss 90 0.35 3.64 45.63 0.36 3.69 41.55

America 70 0.19 1.98 41.52 0.19 1.98 35.97

QCIF (100 frms) 50 0.15 1.56 39.71 0.14 1.46 33.83

Fig. 8 Comparison of thecompression performance forA-GIF (left) and M-JLS (right)codecs on Akiyo sequence withand without encryption

10

20

30

40

50

60

70

80

90

100

50 100 150 200 250 300

Com

pres

sed

Fra

me

Siz

e [K

B]

10

20

30

40

50

60

70

80

90

100C

ompr

esse

d F

ram

e S

ize

[KB

]

Frame Number 50 100 150 200 250 300

Frame Number

Akiyo CIF, 300 Frames, A-GIF

A-GIF w/ EncryptionA-GIF w/o Encryption

Akiyo CIF, 300 Frames, M-JLS

M-JLS w/ EncryptionM-JLS w/o Encryption

Fig. 9 Comparison of thecompression performance forA-GIF (left) and M-JLS (right)codecs applied to MotherDaughter sequence with andwithout encryption

10

20

30

40

50

60

70

80

90

100

50 100 150 200 250 300

Com

pres

sed

Fra

me

Siz

e [K

B]

10

20

30

40

50

60

70

80

90

100

Com

pres

sed

Fra

me

Siz

e [K

B]

Frame Number

50 100 150 200 250 300

Frame Number

Mother Daughter CIF, 300 Frames, A-GIF

A-GIF w/ EncryptionA-GIF w/o Encryption

Mother Daughter CIF, 300 Frames, M-JLS

M-JLS w/ EncryptionM-JLS w/o Encryption

frames is small, the performance of our approach should besatisfactory. In Fig. 12, one can visually observe the appear-ance of the encrypted frames and the quality loss due to lossy

encryption. There is a slight salt-and-pepper noise addedto the reconstructed (decrypted) video as can be seen inFig. 12f.

123

202 D. Socek et al.

Fig. 10 Comparison of thecompression performance forM-JPEG codec applied to Akiyo(left) and Mother Daughter(right) sequences with andwithout encryption

10

20

30

40

50

60

70

80

90

100

50 100 150 200 250 300

Com

pres

sed

Fra

me

Siz

e [K

B]

Frame Number

Akiyo CIF, 300 Frames, M-JPEG [Quality=90]

M-JPEG w/ EncryptionM-JPEG w/o Encryption

10

20

30

40

50

60

70

80

90

100

50 100 150 200 250 300

Com

pres

sed

Fra

me

Siz

e [K

B]

Frame Number

Mother Daughter CIF, 300 Frames, M-JPEG [Quality=90]

M-JPEG w/ EncryptionM-JPEG w/o Encryption

Fig. 11 Mean square error(MSE) between the consecutiveframes of Akiyo (left) andMother Daughter (right)sequences

10

20

30

40

50

60

70

80

90

100

50 100 150 200 250 300

Mea

n S

quar

e E

rror

(M

SE

)

Frame Number

Akiyo CIF 300 Frames, MSE for consecutive frames

Akiyo Frames MSE

10

20

30

40

50

60

70

80

90

100

50 100 150 200 250 300

Mea

n S

quar

e E

rror

(M

SE

)

Frame Number

Mother Daughter CIF 300 Frames, MSE for consecutive frames

Mother Daughter Frames MSE

(a)

(d) (e) (f)

(b) (c)

Fig. 12 The frame #150 of: a the original Akiyo (uncompressed) se-quence, b the sequence obtained by encrypting Akiyo sequence with theproposed method for a lossless codec and decoding it without decryp-tion, c the sequence obtained by properly decrypting an encryptedAkiyo sequence using the proposed method with a lossless codec,d the sequence obtained by encrypting Akiyo sequence with the

proposed method for lossy M-JPEG codec (quality parameter Q = 90)and decoding it without decryption, e the sequence decoded from a reg-ular, not encrypted encoded Akiyo sequence (compressed size: 16 KB,PSNR: 45.198), and f the sequence obtained by properly decrypting anencrypted Akiyo sequence using the proposed method with M-JPEGcodec (compressed size: 12 KB, PSNR: 41.737)

Finally, we note that the computational complexity of theproposed method is very low at the decoder side for both loss-less and lossy codecs, since the only additional computationthat has to be performed involves the calculation of a sorting

permutation. A standard sorting algorithm with complexityof O(N log N ) can be used to calculate a sorting permutationof the given frame. Inverting and/or applying a permutationis equivalent to a table lookup.

123

New approaches to encryption and steganography for digital videos 203

8 New steganographic architecture

The traditional digital video steganography is based on someform of data embedding. Permutation-based transformationsallow for a different type of digital video steganography. Thebasic idea can be described as follows.

Let I and J be two natural images of the same size, some-what similar histograms, and possibly completely differentcontent. Furthermore, letσI andσJ denote sorting, or “almostsorting” permutations of I and J , respectively. Then,

I ′ = σ−1I (σJ (J )) = σ−1

I · σJ (J ) and

J ′ = σ−1J (σI (I )) = σ−1

J · σI (I ),

where · denotes the product of two permutations. The imagesI ′ and J ′ appear, at least to a human visual system, similarto images I and J , respectively. Figure 13 shows an exam-ple of this transformation: an image of Marilyn Monroe istransformed into an image of John Wayne, and vice versa.

These transformations can be used to realize a stegano-graphic scheme within the framework of our proposed videoencryption approach. Namely, instead of encrypting thesource video V into “almost sorted” frames, given a differ-ent video sequence W , the sender can further transform the“almost sorted” frames according to the inverse sorting per-mutation of the frames of W . At the receiving end, the re-ceiver easily recovers the “almost sorted” frames by knowingthe actual sequence W . Here, it is assumed that the sender

and the receiver previously agreed on the hiding video se-quence W . For example, W could be some publicly knownsequence. Once the “almost sorted” frames are obtained, ourmethod resumes as previously proposed. Figure 14 showsthe output of the proposed steganographic method where asequence Grandma is disguised with a sequence Claire.

9 Conclusions and further research

In this work, along with providing an extended comprehen-sive classification of video encryption algorithms, we pro-pose a novel video encryption algorithm designed for bothlossless and lossy low-motion spatial-only video codecs. Thealgorithm preserves, and in many instances even improves thespatial correlation of the source data. The proposed encryp-tion method can thus be performed before compression at theencoder side, and after decompression at the decoder side, aunique and often desirable feature. In effect, the algorithmproduces fully application-friendly output, and requires nomodification to the codec modules. We present both securityand performance analysis of our method, and show that thealgorithm is computationally efficient and resistant to typi-cal cryptanalytic attacks. Finally, we introduce a new type ofsteganography as an extension to our encryption approach.The proposed steganographic scheme enables disguising avideo with another video, which is a new concept in digitalvideo steganography.

(a) (b) (c) (d)

Fig. 13 Permutation-based transformations: a the original image of Marilyn Monroe, b the original image of John Wayne, c the image of trans-formed Marilyn Monroe into John Wayne, and d the image of transformed John Wayne into Marilyn Monroe

Fig. 14 A new kind of digitalvideo steganography usingpermutation-basedtransformations: Grandma videosequence is transformed into adegraded but visible version ofClaire video sequence. As acomparison, A-GIF of theoriginal Grandma sequence is2.06 MB, while A-GIF of itssteganographic encryption intoClaire is 1.90 MB

123

204 D. Socek et al.

Future directions should include an investigation ofextending or modifying this principle to achieve efficiency inexploiting temporal correlation as well, in order to achieveapplicability to more advanced video codecs such as H.26xand MPEG-x.

References

1. Alattar, A.M., Al-Regib, G.I.: Evaluation of selective encryptiontechniques for secure transmission of mpeg video bit-streams. In:Proceedings of the IEEE International Symposium on Circuits andSystems (ISCAS ’99), 30 May–2 June 1999, Orlando, FL, USA,vol. 4, pp. 340–343. IEEE Computer Society

2. Agi, I., Gong, L.: An empirical study of secure mpeg video trans-mission. In: Proceedings of the IEEE Symposium on Network andDistributed System Security (SNDSS ’96), 22–23 February 1996,San Diego, CA, USA, pp. 137–144. IEEE Computer Society

3. Bhargava, B., Shi, C., Wang, S.-Y.: Mpeg video encryption algo-rithms. Multimed. Tools Appl. 24(1), 57–79 (2004)

4. Chan, C.-K., Chan, C.-K., Lee, L.-P., Cheng, L.-M.: Encryptionsystem based on neural network. In: Proceedings of the IFIPTC6/TC11 5th Joint Working Conference on Communicationsand Multimedua Security (CMS ’01), Darmstadt, Germany, inCommunications and Multimedia Security Issuses of the NewCentury pp. 117–122. Kluwer, Boston 21–22 May 2001

5. Culibrk, D., Socek, D., Sramka, M.: Cryptanalysis of the blockcipher based on the hopfield neural network. In: Proceedings of theFifth Central European Conference on Cryptology (MoraviaCrypt’05), 15–17 June 2005, Brno, Czech Republic, Tatra MountainsMathematical Publications (2005, to appear)

6. Eskicioglu, A.M.: Protecting intellectual property in digital mul-timedia networks. IEEE Computer, Special Issue on Piracy andPrivacy (2003), 39–45

7. Furht, B., Muharemagic, E.A., Socek, D.: Multimedia security:encryption and watermarking. Multimedia Systems and Applica-tions, vol. 28, Springer, December 2005

8. Furht, B., Socek, D., Eskicioglu, A.M.: Multimedia security hand-book, Internet and Communications Series, vol. 4, chap. Funda-mentals of Multimedia Encryption Techniques pp. 95–132. CRCPress (2004)

9. Guo, D., Cheng, L.-M., Cheng, L.L.: A new symmetric proba-bilistic encryption scheme based on chaotic attractors of neuralnetworks. Appl. Intelli. 10, 71–84 (1999)

10. Knuth, D.E.: The art of computer programming, 2nd edn., vol. 3:Sorting and Searching, pp. 113–122. Addison–Wesley, Reading,MA (1998)

11. Li, S., Chen, G., Zheng, X.: Multimedia security handbook. In-ternet and Communications Series, vol. 4, chap. Chaos-BasedEncryption for Digital Images and Videos, pp. 133–167. CRCPress, West Palm Beach (2004)

12. Liu, X., Eskicioglu, A.M.: Selective encryption of multimediacontent in distribution networks: Challenges and new directions.In: Proceedings of the Second IASTED International Confer-ence on Communications, Internet and Information Technology(CIIT 2003), pp. 527–533. Scottsdale, AZ, USA, IASTED, 17–19November 2003

13. Li, S., Lo, K.-T.: Security problems with improper imple-mentations of improved fea-m. J. Syst. Softw. (2006).http://dx.doi.org/10.1016/j.jss.2006.05.002

14. Li, S., Li, C., Chen, G., Bourbakis, N.G.: A general cryptanalysisof permutation-only multimedia encryption algorithms, IACR’sCryptology ePrint Archive: Report 2004/374, 2004

15. Lookabaugh, T.D., Sicker, D.C., Keaton, D.M., Guo, W.Y.,Vedula, I.: Security analysis of selectively encrypted mpeg-2

streams. Multimedia Systems and Applications VI, Proceedingsof SPIE, Orlando, FL, USA, vol. 5241 pp. 10–21. SPIE Publishers,September 7–11 2003

16. Li, S., Zheng, X., Mou, X., Cai, Y.: Chaotic encryption scheme forreal-time digital video. In: Real-Time Imaging VI, Proceedings ofSPIE, vol. 4666, pp. 149–160. SPIE Publishers (2002)

17. Meyer, J., Gadegast, F.: Security mechanisms for multimedia datawith the example mpeg-1 video, Project description of SECM-PEG, Technical University of Berlin. http://www.gadegast.de/frank/doc/secmeng.pdf

18. Mihaljevic, M.J.: On vulnerabilities and improvements of fastencryption algorithm for multimedia fea-m. IEEE Trans. Consum.Eletron. 49(4), 1199–1207 (2003)

19. Mihaljevic, M.J., Kohno, R.: Cryptanalysis of fast encryptionalgorithm for multimedia fea-m. IEEE Commun. Lett. 6(9), 382–384 (2002)

20. Qiao, L., Nahrstedt, K.: A new algorithm for mpeg videoencryption. In: Proceedings of the First International Confer-ence on Imaging Science, Systems and Technology (CISST ’97),pp. 21–29. Las Vegas CSREA Press, 30 June–3 July 1997

21. Qiao, L., Nahrstedt, K., Tam, M.-C.: Is mpeg encryption by us-ing random list instead of zigzag order secure? In: Proceedingsof the IEEE International Symposium on Consumer Electron-ics pp. 226–229 2–4 December 1997. IEEE Computer Society,Singapore

22. Shi, C., Bhargava, B.: A fast mpeg video encryption algorithm. In:Proceedings of the Sixth ACM International MultimediaConference, Bristol, UK, ACM Electronic Proceedings, 12–16September 1998. http://turing.acm.org/sigs/sigmm/MM98/electronic_proc eedings/shi/

23. Socek, D., Culibrk, D.: On the security of a clipped hopfield neuralnetwork cryptosystem. In: Proceedings of the ACM Multimediaand Security Workshop (ACM-MM-Sec’05), pp. 71–75. ACMPress, New York City 2005, 1–2 August 2005

24. Spanos, G.A., Maples, T.B.: Performance study of a selectiveencryption scheme for the security of networked, real-time video.In: Proceedings of the 4th International Conference on ComputerCommunications and networks (ICCCN ’95), pp. 2–10. IEEEPress, Las Vegas 20–23 September 1995

25. Seidel, T.E., Socek, D., Sramka, M.: Cryptanalysis of videoencryption algorithms. Tatra Mt. Math. Publ. 29, 1–9 (2004)

26. Shi, C., Wang, S.-Y., Bhargava, B.: Mpeg video encryption inreal-time using secret key cryptography. In: Proceedings of theInternational Conference on Parallel and Distributed ProcessingTechniques and Applications (PDPTA ’99), Las Vegas, NV, USA,vol. 6, pp. 2822–2828. CSREA Press, 28 June– 1 July 1999

27. Tang, L.: Methods for encrypting and decrypting mpeg videodata efficiently. In: Proceedings of the Fourth ACM InternationalMultimedia Conference, pp. 219–230. Boston, ACM Press 18–22November 1996

28. Uhl, A., Pommer, A.: Image and video encryption: from digi-tal rights management to secured personal communication. In:Advances in Information Security, vol. 15. Springer, New York(2005)

29. Wu, H., Bao, F., Deng, R.H.: An efficient known plaintext at-tack on fea-m. In: Proceedings of the Fifth International Confer-ence on Information and Communications Security (ICICS 2003),pp. 84–87. Huhehaote, China, vol. 2836. LNCS, Springer, Berlin,Germany 10–13 October 2003

30. Youssef, A.M., Tavares, S.E.: Comments on the security of fastencryption algorithm for multimedia (fea-m). IEEE Trans. Con-sum. Eletron. 49(1), 168–170 (2003)

31. Yi, X., Tan, C.H., Siew, C.K., Syed, M.R.: Fast encryption for mul-timedia. IEEE Trans. Consumer Eletronics 47(1), 101–107 (2001)

123