IEICE TRANS. FUNDAMENTALS, VOL.E89–A, NO.1 JANUARY 2006


PAPER

Special Section on Cryptography and Information Security

A Selective Video Encryption Scheme for MPEG Compression Standard

Gang LIU†a), Nonmember, Takeshi IKENAGA†b), Member, Satoshi GOTO†c), Fellow, and Takaaki BABA†d), Nonmember

SUMMARY With the increase of commercial multimedia applications using digital video, the security of video data becomes more and more important. Although several techniques have been proposed to protect video data, they provide limited security or introduce significant overhead. This paper proposes a video security scheme for the MPEG video compression standard that includes two methods: DCEA (DC Coefficient Encryption Algorithm) and “Event Shuffle.” DCEA encrypts groups of DC coefficient codewords. Its distinguishing feature is the use of data permutation to scatter the ciphertexts of the additional codes across the DC codewords; these additional codes are first encrypted by a block cipher. With the combination of these algorithms, the method provides enough security for the important DC component of MPEG video data. “Event Shuffle” encrypts the AC coefficients. Its prominent feature is a shuffling of the AC events generated after the DCT transformation and quantization stages. Experimental results show that these methods introduce no bit overhead to the MPEG bitstream while adding low processing overhead to the MPEG codec.

key words: commercial multimedia applications, selective encryption, MPEG codec, MPEG bitstream, data shuffle, processing overhead, bit overhead

1. Introduction

Multimedia data, especially video data, is widely used in various kinds of content-providing services and information exchange applications. In these services and applications, digital video is transmitted from service provider to end-user or exchanged between end-users over public communication channels such as satellite, wireless networks and the Internet. As these public channels are vulnerable to attacks from hackers, video security becomes more and more important. Nowadays, without video security techniques, multimedia applications cannot keep developing even if a big market exists. For example, for content-providing service applications, such as video on demand and video broadcast, the protection of IPR (Intellectual Property Right) becomes indispensable. On the other hand, for information exchange applications, such as videoconference and video mobile phone, it is important to protect business secrets and the privacy of personal users. As video security plays an important role in multimedia applications, it has become a focus of research in recent years.

Several video security techniques based on the MPEG video compression standard have been proposed [1], [3]–[14]. According to the target data selected from the MPEG compression stages, these techniques can be classified into three types. The first is “Spatial Domain” schemes, which apply encryption to the original video data directly. The second is “Bitstream Domain” schemes, which encrypt the codewords of the compressed bitstream. The third is “Frequency Domain” schemes, which operate on the results of the DCT transformation and quantization stages of the MPEG compression process.

A “Spatial Domain” video encryption algorithm was proposed in [1]. This algorithm transforms all the RGB data of each pixel of every frame in order to reach a satisfactory security level. Since digital video contains a large amount of data, this algorithm introduces relatively large processing overhead to compression systems. Furthermore, since MPEG standards [2] exploit the spatial and temporal correlation of video data to compress it, spatial domain scrambling changes the characteristics of the original video data and so has an adverse impact on the compression efficiency of the MPEG tools in the following compression step.

In [3], the “Naive Algorithm” was proposed as an example of the “Bitstream Domain.” In this simple algorithm, the MPEG encoder first compresses the original video data, and the resulting bitstream is then encrypted directly by standard cryptographic algorithms. Because of the large amount of video data and the processing time needed by standard ciphers, this algorithm also produces relatively large processing overhead, which is not acceptable for most real-time applications, especially for some low-power mobile systems. Therefore, selective encryption for digital video becomes indispensable.

Manuscript received March 23, 2005. Manuscript revised June 27, 2005. Final manuscript received August 18, 2005.
† The authors are with the Graduate School of Information, Production and Systems, Waseda University, Kitakyushu-shi, 808-0135 Japan.
DOI: 10.1093/ietfec/e89–a.1.194
Copyright © 2006 The Institute of Electronics, Information and Communication Engineers

“Bitstream Domain” selective encryption schemes pick out and encrypt the critical portion of the compressed bitstream. Some selective encryption algorithms encrypt only the header information of the bitstream, and others encrypt only the I-frames of the bitstream [4]–[7]. These schemes are not effective for video encryption. The former destroy format compliance with the MPEG syntax, so that MPEG decoders cannot recognize the encrypted bitstream. Moreover, headers contain standard information with few patterns, so encrypting headers cannot provide satisfactory security. The latter leave some portions of the video visible: the intra-coded blocks with high energy in P and B frames.

Another “Bitstream Domain” selective encryption scheme, proposed in [8], shuffles the codewords of the MPEG bitstream. According to [6], this method loses some error resiliency. Moreover, in order to obtain the codewords, the algorithm has to parse the syntax of the MPEG bitstream, which increases its complexity.

Various kinds of “Frequency Domain” schemes have been proposed so far. These schemes selectively encrypt the output of the motion estimation process or the DCT transformation process, so they also belong to selective encryption. In [9]–[11], Shi and Bhargava propose methods that encrypt the sign bits of the DC and AC coefficients of every block and those of all the motion vectors. The methods XOR these sign bits with a generated binary key. Although this approach is simple and keeps the bitstream format-compliant, the encrypted bitstream is obviously vulnerable when the attacker obtains some plaintexts of the encrypted video data.

Tang proposed another “Frequency Domain” selective encryption scheme, called “Block Shuffle” [12]. This algorithm shuffles the DCT coefficients in 8 by 8 blocks with a permutation table instead of the original zigzag order of MPEG. Although the algorithm introduces little processing overhead, it replaces the original zigzag order with a random order, so a large amount of bit overhead occurs after the entropy coding stage. Experimental results in [3] show that the bit overhead becomes 108% for I-frame encryption and 55% for the entire encryption of sequence “Carphone,” respectively.

“Subband Shuffle” [13] is another “Frequency Domain” technique, which belongs to a joint encryption and compression framework. The main method described in this framework is a shuffling of the DCT coefficients within a subband.
According to [13], in an 8 by 8 DCT block, each DCT coefficient can be treated as a local frequency component from a certain band. Coefficients coming from the same location in different blocks can be grouped together into a subband. A subband is not limited to a macroblock; it can extend to a segment such as a slice or a frame, which consists of a number of macroblocks. “Subband Shuffle” changes the position of coefficients in a subband according to a permutation table. As pointed out in [13], the algorithm makes the video incomprehensible, and it is difficult for an adversary to recover the video through exhaustive searches. However, the simulation results show that subband shuffle along a slice still generates bit overhead of 9.1% and 19.8% when processing the I-frame and the whole sequence, respectively.

This paper proposes a selective video security scheme that includes two encryption methods. The first method, named DCEA, encrypts the DC coefficients of each block in digital video. Since DC coefficients play an important role in MPEG video data, the method is designed to provide a relatively high level of security for DC coefficients. The second method, called “Event Shuffle,” encrypts the AC coefficients of MPEG video. This method shuffles the events (LAST, RUN, LEVEL) generated after the DCT transformation and quantization stages. Experimental results show that these two encryption methods introduce no bit overhead to the MPEG bitstream while adding low processing overhead to the MPEG codec.

The rest of this paper is organized as follows. Section 2 introduces our proposed scheme. The first part of that section presents some necessary considerations in the design of a video encryption scheme. The other part gives the detailed description of the two proposed methods: DCEA and “Event Shuffle.” Then, in Sect. 3, experimental results and some explanation are shown. Finally, some conclusions for this work are drawn in Sect. 4.

2. Proposed Algorithms

2.1 Considerations of Video Encryption Design

To be precise, video encryption schemes aim to keep the digital video unknown to unauthorized users. Generally, some traditional data encryption algorithms are used in these schemes, but the schemes are not simply an application of these algorithms. Some important things should be considered when designing a video encryption scheme:

1. For video encryption schemes, the most important aspect is security. These schemes should be proven to withstand various kinds of attacks from hackers. General attacks on digital video data on communication channels include known-plaintext attack, chosen-plaintext attack and finally brute-force attack. Schemes that use standard encryption algorithms are easier to prove secure, but they may not satisfy other requirements such as time constraints. In order to design an efficient video encryption scheme with enough security for video data, the characteristics of digital video data should be exploited fully. That is the difference between ordinary data encryption and digital video data encryption.

2. Another important consideration is the processing overhead generated by the encryption process. Generally, digital video has a large amount of data even if it is compressed by MPEG or some other compression algorithm. In order to decrease the processing overhead, it is necessary to encrypt only a portion of the video data, so the selection of the data to encrypt becomes a key task. On the other hand, it is important to adopt light-weight encryption algorithms, which have low computational complexity.

3. One more consideration is that the proposed video encryption scheme should not have an adverse impact on the compression efficiency of video compression tools. That means the scheme should introduce as little bit overhead to the video bitstream as possible. A large amount of bit overhead will not only increase the processing time and power consumption of the video codec, as a heavy-weight algorithm does, but also increase the burden on storage systems and the communication network.

4. The last consideration is bitstream format compliance, which means the structure of the encrypted bitstream still follows the syntax of the corresponding compression standard such as MPEG. As a result, the encrypted bitstream can be played back by decoders that support the specific format. This can be used in some commercial applications such as video broadcast, in which the content provider intends to show some corrupted video to unauthorized users.

It is important to satisfy the above-mentioned requirements when designing a video encryption scheme. To achieve this, the first necessary task is to examine which part of the data in the MPEG compression process is suitable to be encrypted. As shown in [2], the MPEG bitstream has a hierarchical structure, which includes five layers. The top layer is the sequence layer, followed by the picture layer, slice layer and macroblock layer. Each of the upper layers is composed of a layer header, some parameters and a group of lower layers. The lowest layer is the macroblock layer, which is composed of some parameters, codewords of motion vectors, and the DC and AC coefficients belonging to six 8 by 8 blocks.

It can be seen from Sect. 1 that several kinds of data in MPEG video can be encrypted. These data include layer headers, parameters, motion vectors, and DC and AC coefficients. As pointed out in Sect. 1, encrypting layer headers only cannot provide a sufficient level of security, while format compliance with the MPEG syntax is destroyed. Parameters are similar to header information. Other proposals such as [14] suggest encrypting motion vectors only. Because motion vectors just indicate the movement of P-blocks and B-blocks of frames, all of the I-blocks of each frame remain perceivable. As a result, headers, parameters and motion vectors are not very suitable for MPEG video encryption.
Since DC coefficients represent the average brightness of 8 by 8 blocks and AC coefficients represent their detail information, these data affect the reconstruction of digital video the most and they are suitable for video encryption. As DC coefficients are more important than AC coefficients, especially high frequency AC coefficients, two encryption methods are considered, for DC and AC coefficients respectively. In this way, the special structure of these data can be exploited adequately and different levels of security can be realized. Other previously proposed frequency domain algorithms just treat DC and AC coefficients as the same data.

2.2 DC Coefficient Encryption Algorithm

According to the previous analysis, the first method, named DCEA, is proposed to protect DC coefficients. Figure 1 shows the relationship between DCEA and the MPEG compression scheme. After DCT transformation and quantization, the DC coefficients of each 8 by 8 block are encoded into codewords. After that, these codewords are encrypted by the DCEA block.

Fig. 1 The relationship between DCEA and MPEG compression scheme.

Fig. 2 Structure of DC codeword.

Table 1 Variable length codes for dct dc size luma.

| Variable length code | dct_dc_size_luminance |
|---|---|
| 011 | 0 |
| 11 | 1 |
| 10 | 2 |
| 010 | 3 |
| 001 | 4 |
| 0001 | 5 |
| 0000 1 | 6 |
| 0000 01 | 7 |
| 0000 001 | 8 |
| 0000 0001 | 9 |
| 0000 0000 1 | 10 |
| 0000 0000 01 | 11 |
| 0000 0000 001 | 12 |

As shown in Fig. 2, the codeword of a DC coefficient consists of two parts, “Length Code” and “Additional Code.” The length code indicates the number of bits required to represent the value of a DC coefficient. It is variable length coded according to a table such as Table 1 (for a luminance component). The additional code, on the other hand, represents the value of the DC coefficient.

DCEA uses the special structure of DC codewords to perform the encryption process. In a group of DC codewords, all of the length codes are shuffled with a permutation table, as an optional step, to change the natural order of the DC components. The additional codes, on the other hand, are concatenated into a long vector, which is then encrypted by a block cipher. Finally, the encrypted vector is divided into a group of new additional codes. These codes are combined with the length codes to form new DC codewords.

Fig. 3 Detail process of DC coefficient encryption algorithm.

Figure 3 shows the detail of DCEA. In this figure, C represents an array of DC codewords in a slice. In QCIF video format, there are 11 MBs in one slice, so 66 DC codewords can be processed together. The sub array of length codes is L, and the sub array of additional codes is A. The algorithm performs the following four steps.

1. Shuffle array L into L’ according to a permutation table T1.

2. Concatenate all the elements of array A into a long vector named S.

3. Encrypt S with a block cipher. To perform the encryption, S is divided into a group of short vectors of the same length and the block cipher encrypts each of these vectors. The results of the encryption are then concatenated into S’.

4. Divide the result of the encryption, S’, into a new array A’. The elements of A’ can be considered as new additional codes, and they are attached behind each length code of L’ to form the new codeword array C’. C’ is the ciphertext of C.

In order to build valid DC codewords in array C’, the elements of A’ must match the corresponding elements of L’. Hence, the dividing operation means extracting sub codes from S’, where the number of bits of each code is decided by the corresponding element of L’. Furthermore, in order to increase the security, another table named T2 is used to indicate the order of code extraction. For example, as shown in Fig. 3, the first element of T2 is “6,” which means that the 6th element of L’, “0000 01,” is used first. Since “0000 01” means 7 bits in Table 1, a new additional code of 7 bits is extracted from S’ and attached to the 6th element of L’. By performing this method, both the original order of the codewords and the correspondence between length codes and additional codes are concealed completely.

In this design, the first step makes the video data look more incomprehensible; however, it can be broken easily if one has the plaintext, so it can be used as an optional step for some applications. The core part, which affects the security and efficiency the most, is the block cipher embedded in the algorithm and the bit distribution in the last step.

Enough security can be obtained by using the traditional DES algorithm in this method. It is well known that DES is vulnerable to brute-force attack, known-plaintext attack such as Matsui’s linear cryptanalysis [16], [17] and chosen-plaintext attack [18]; however, these attacks need enough pairs of plaintext and ciphertext. DCEA conceals the original ciphertext in the new codeword group by using T2. If attackers want to crack DCEA to get the plaintext of C, they first have to obtain the correct ciphertext S’, and then break DES to get S. Because S’ is scattered into array A’ randomly by T2, if the data group consists of n DC codewords, the reconstruction of S’ means attempting at most n! combinations, and the DES breaking operation will be performed at most n! times too. In Fig. 3, n equals 66, which means that, although the fastest hardware implementation of cryptanalysis of DES known so far [19] takes just a little time (Td), the maximum time (66!×Td) taken to break the DES key here is still astronomical. As a result, a relatively high level of security is guaranteed.

Some video applications may need absolute security. In this case, AES can be used as the block cipher embedded in DCEA. If so, it seems reasonable to remove the permutation after the block-ciphering process. However, it is recommended to keep the algorithm unchanged as a precaution against future effective cryptanalysis of AES. Although DES cannot provide absolute security as AES does, DES has proved more efficient than AES, especially in hardware implementation. As detailed in [19]–[21], DES implementation is much better in terms of Throughput/Area than AES hardware implementation. Applications that attach greater importance to efficiency than to absolute security are recommended to select DES as the core part of DCEA.

Other frequency domain video encryption algorithms such as “Block Shuffle” [12] and “Subband Shuffle” [13] cannot provide the same level of security as DCEA does.
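The four DCEA steps above, together with their inverse, as an added Python sketch that is not the authors' code. It assumes a slice is a list of (dct_dc_size, additional-code bits) pairs, uses an 8-round hash-based Feistel permutation as a stand-in for the paper's DES/AES, derives T1 and T2 from a seed, and copies a final partial block of S through unencrypted because the paper does not say how it is handled; the sample slice is constructed.

```python
import hashlib
import random

# Table 1 of the paper: dct_dc_size_luminance -> variable length code.
VLC = {0: "011", 1: "11", 2: "10", 3: "010", 4: "001", 5: "0001",
       6: "00001", 7: "000001", 8: "0000001", 9: "00000001",
       10: "000000001", 11: "0000000001", 12: "00000000001"}
SIZE_OF = {code: size for size, code in VLC.items()}
ROUNDS, BLOCK = 8, 64

def _f(half, key, i):
    """Round function of the stand-in Feistel cipher (this is NOT DES)."""
    d = hashlib.sha256(key + bytes([i]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def toy_block(block, key, decrypt=False):
    """64-bit Feistel permutation standing in for the paper's DES/AES."""
    l, r = block >> 32, block & 0xFFFFFFFF
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if decrypt:
            l, r = r ^ _f(l, key, i), l
        else:
            l, r = r, l ^ _f(r, key, i)
    return (l << 32) | r

def crypt_vector(s, key, decrypt=False):
    """Step 3: cut S into equal blocks and cipher each block on its own.
    Assumption: a final partial block is copied through unencrypted,
    because the paper does not say how it is handled."""
    full = len(s) - len(s) % BLOCK
    out = [format(toy_block(int(s[i:i + BLOCK], 2), key, decrypt), "064b")
           for i in range(0, full, BLOCK)]
    return "".join(out) + s[full:]

def dcea_encrypt(codewords, t1, t2, key):
    """codewords: (dct_dc_size, additional-code bits) pairs of one slice."""
    sizes = [size for size, _ in codewords]
    l_shuf = [sizes[i] for i in t1]                  # step 1: L -> L'
    s = "".join(bits for _, bits in codewords)       # step 2: A -> S
    s_enc = crypt_vector(s, key)                     # step 3: S -> S'
    a_new, pos = [""] * len(codewords), 0            # step 4: S' -> A'
    for idx in t2:                # T2 fixes the order of code extraction
        a_new[idx] = s_enc[pos:pos + l_shuf[idx]]
        pos += l_shuf[idx]
    return list(zip(l_shuf, a_new))                  # C'

def dcea_decrypt(enc, t1, t2, key):
    """Inverse: regather S' in T2 order, decrypt, undo T1, re-split S."""
    l_shuf = [size for size, _ in enc]
    s = crypt_vector("".join(enc[idx][1] for idx in t2), key, decrypt=True)
    sizes = [0] * len(enc)
    for pos, src in enumerate(t1):
        sizes[src] = l_shuf[pos]
    out, p = [], 0
    for n in sizes:
        out.append((n, s[p:p + n]))
        p += n
    return out

def to_bits(codewords):
    """Serialise each codeword as length code + additional code (Fig. 2)."""
    return "".join(VLC[size] + bits for size, bits in codewords)

def parse_bits(stream, count):
    """Read `count` DC codewords back the way a standard decoder would."""
    out, pos = [], 0
    for _ in range(count):
        end = pos + 1
        while stream[pos:end] not in SIZE_OF:
            if end - pos > 11:
                raise ValueError("not a valid DC length code")
            end += 1
        size = SIZE_OF[stream[pos:end]]
        out.append((size, stream[end:end + size]))
        pos = end + size
    return out

def sample_slice(seed=1):
    """Constructed data: 20 DC codewords with made-up sizes and values."""
    rng = random.Random(seed)
    sizes = [5, 7, 3, 0, 6, 4, 8, 2, 5, 6, 7, 3, 4, 1, 6, 5, 7, 4, 3, 6]
    return [(n, format(rng.getrandbits(n), "b").zfill(n) if n else "")
            for n in sizes]

def make_tables(n, seed):
    """Assumption: T1 and T2 are secret permutations derived from a seed
    (demo only; random.Random is not a cryptographic generator)."""
    rng = random.Random(seed)
    return rng.sample(range(n), n), rng.sample(range(n), n)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    plain = sample_slice()
    t1, t2 = make_tables(len(plain), seed=7)
    enc = dcea_encrypt(plain, t1, t2, key)
    print("bits before/after:", len(to_bits(plain)), len(to_bits(enc)))
    print("decoder parses C':", parse_bits(to_bits(enc), len(enc)) == enc)
    print("round trip ok:    ", dcea_decrypt(enc, t1, t2, key) == plain)
```

The serialised length is identical before and after encryption, and the encrypted stream still parses as DC codewords, which is the zero-bit-overhead and format-compliance property the section claims.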
“Block Shuffle” and “Subband Shuffle” are strong against brute-force attack because DC coefficients are concealed by shuffling in a big data group. But they are not secure against a known-plaintext attack. By comparing the original data sequence and the encrypted data sequence, the permutation list can be retrieved. Then the list can be applied to retrieve all the data. Compared with these existing algorithms, DCEA withstands these kinds of attacks well, as the analysis above shows.

DCEA introduces small processing overhead to video compression systems because the algorithm consists only of simple data shuffle operations and a block cipher. Although block ciphers may take a relatively long time, the cipher processes only a small amount of data (about a half of the DC codewords) in this method. As the experimental results in Sect. 3 show, DCEA takes just a little time.

DCEA does not add bit overhead to the MPEG bitstream. In the first step, the shuffling of the length code array just changes the order of the elements; no additional bits are added. Moreover, a block cipher such as DES or AES does not change the data length. In the last step, the algorithm just puts the necessary bits into each codeword. Obviously, no extra bits are generated by this encryption process.

As mentioned above, after encryption, the number of DC codewords and the structure of each codeword are not changed. As a result, even if the order of the length codes and the value of each corresponding additional code are changed, format compliance with MPEG is preserved.

2.3 AC Coefficient Encryption Algorithm

The second method, named “Event Shuffle” [15], is designed to protect the AC coefficients of the MPEG bitstream. The relationship between “Event Shuffle” and the MPEG compression scheme is shown in Fig. 4. A scrambler and a de-scrambler are inserted into the MPEG compression and decompression process.

Fig. 4 The relationship between “Event Shuffle” and MPEG compression scheme.

Table 2 An example of variable length coding table for intra luminance and chrominance.

| VLC CODE | LAST | RUN | LEVEL |
|---|---|---|---|
| 011s | 1 | 0 | 1 |
| 0000 1100 1s | 0 | 11 | 1 |
| 0000 0000 101s | 1 | 0 | 6 |
| ... | ... | ... | ... |

There are two algorithms in the proposed method: (1) Shuffling of RLE events in an area of the video frame. (2) Flipping the sign bit of the LEVEL component in RLE events.
The basic idea of the first algorithm is to change the positions of RLE events in a specified area of the video frame according to a permutation table. As shown in Fig. 4, in the encoder, each 8 by 8 block (Y, Cb and Cr) is fed into a chain of processing blocks consisting of DCT transformation, quantization, run length encoding and variable length coding. In general, after quantization, many DCT coefficients become zero. Therefore, the output of quantization is arranged into a vector of DC, AC1, AC2, . . ., AC63 in zigzag order. Then, in the run length encoding stage, the sub vector of AC coefficients AC1, AC2, . . ., AC63 is turned into a sequence of (LAST, RUN, LEVEL) triples called RLE events. Then, in variable length coding based on Table 2, the event sequence is turned into codewords. These codewords are the basic units of the MPEG bitstream. The proposed method changes the positions of these RLE events according to a permutation table. Since it does not change the number and content of events in each 8 by 8 block, the method generates no bit overhead in the MPEG bitstream.

According to the algorithm, after the run length encoding stage, a video frame can be divided into several areas, which consist of many macroblocks. Each macroblock has 6 blocks (4 luminance blocks and 2 chrominance blocks), and each of these blocks contains several RLE events. A part of these events in an area can be gathered into one group. Event shuffle is conducted on these groups. Figure 5 shows an area and its event groups. In this area, events with the same location in every 8 by 8 block are grouped (G1, G2, . . ., Gn) and shuffled by using a permutation table (T). As mentioned above, the area is a part of the video frame. It can be defined as a macroblock, a slice or the whole frame. As the size of the area increases, more events are involved in the shuffling process and a higher security level can be obtained.

When the events are shuffled in a group, the total number of events in that group should be the same as the length of the permutation table. In fact, not every group can meet this requirement because 8 by 8 blocks usually have different numbers of events. To solve this problem, some events of the following groups can be borrowed to fill up the holes.
In order to increase the level of security, a random flipping algorithm can be used as an option. This algorithm is dedicated to the sign bit of the LEVEL components in RLE events. In this algorithm, a vector K = b1 b2 b3 b4 . . . bn is used as an encryption key. At first, the sign bits of the LEVEL components are gathered into another vector S = s1 s2 s3 s4 . . . sn. Then, R = (K xor S) is computed and each bit of R is used to replace the original sign bit of the LEVEL component of each event. In this way, the original sign bit is flipped when the corresponding bit of K is “1.” On the other hand, the sign bit keeps its original value when the corresponding bit is “0.” As a result, if the sign bit of a LEVEL component is flipped, the corresponding codeword with a different last bit is obtained from the Variable Length Coding table. Since this method just changes the last bit of the corresponding codewords, no extra bits are generated by this method.

Fig. 5 Detail process of event shuffle algorithm for AC coefficients.

Like other frequency domain video encryption algorithms such as “Block Shuffle” and “Subband Shuffle,” our proposed “Event Shuffle” can withstand brute-force attack very well. As shown in Fig. 5, a shuffle group consists of 66 events. That means attackers should attempt at most 66! times to get the original event sequence. “Event Shuffle” provides the same security level against brute-force attack as existing algorithms. However, “Event Shuffle” is not strong enough against known-plaintext attack. If an attacker holds several original video frames, the shuffling table can be determined easily by comparing the events in the original frames and the encrypted frames. Then the entire video can be deciphered by using the determined shuffling table. However, the optional sign bit flipping can help to confuse the ciphertext more.
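The known-plaintext weakness of permutation-only shuffling described above (and for “Block Shuffle” and “Subband Shuffle” in Sect. 2.2), as an added Python example that is not the authors' code; it models only the first algorithm, without sign flipping. The event values, the seed-derived table and all function names are assumptions made for the illustration, and the last check shows the effect of replacing the table.

```python
import random

def make_table(n, seed):
    """Assumption: the permutation table T is derived from a secret seed
    (demo only; random.Random is not a cryptographic generator)."""
    return random.Random(seed).sample(range(n), n)

def shuffle_group(events, table):
    """Event Shuffle on one group: output slot i carries input event table[i]."""
    return [events[j] for j in table]

def unshuffle_group(events, table):
    """De-scrambler: put the event found in slot i back at position table[i]."""
    out = [None] * len(table)
    for i, j in enumerate(table):
        out[j] = events[i]
    return out

def recover_table(pairs):
    """Intersect, over all known (plain, cipher) group pairs, the input slots
    whose event equals the event observed in each output slot.
    Returns the table, with None where the pairs leave a slot ambiguous."""
    n = len(pairs[0][0])
    cand = [set(range(n)) for _ in range(n)]
    for plain, cipher in pairs:
        for i, ev in enumerate(cipher):
            cand[i] &= {j for j, p in enumerate(plain) if p == ev}
    # A slot pinned to one input position rules that position out elsewhere.
    changed = True
    while changed:
        changed = False
        fixed = {next(iter(c)) for c in cand if len(c) == 1}
        for c in cand:
            if len(c) > 1 and c & fixed:
                c -= fixed
                changed = True
    return [next(iter(c)) if len(c) == 1 else None for c in cand]

def sample_groups(count, n=66, seed=3):
    """Constructed (LAST, RUN, LEVEL) events; the small value ranges make
    repeated events inside a group common, as in real RLE output."""
    rng = random.Random(seed)
    levels = [-3, -2, -1, 1, 2, 3]
    return [[(rng.randint(0, 1), rng.randint(0, 5), rng.choice(levels))
             for _ in range(n)] for _ in range(count)]

def demo():
    groups = sample_groups(8)
    table = make_table(66, seed=2006)
    cipher = [shuffle_group(g, table) for g in groups]
    one = recover_table(list(zip(groups[:1], cipher[:1])))
    six = recover_table(list(zip(groups[:6], cipher[:6])))
    # groups[7] was never part of the known material
    unseen_ok = None not in six and unshuffle_group(cipher[7], six) == groups[7]
    # the same group after the table has been replaced (key change)
    rotated = shuffle_group(groups[7], make_table(66, seed=2007))
    stale = None not in six and unshuffle_group(rotated, six) == groups[7]
    return one.count(None), six == table, unseen_ok, stale

if __name__ == "__main__":
    unresolved, recovered, unseen_ok, stale = demo()
    print("slots still ambiguous after 1 known group:", unresolved)
    print("table fully determined by 6 known groups: ", recovered)
    print("unseen group descrambled with that table: ", unseen_ok)
    print("same table works after the table changed: ", stale)
```

Repeated events inside a group leave one known group ambiguous, but a handful of groups under the same table pin it down; a table determined this way stops working once the table is changed.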

3. Experimental Results

The proposed video security algorithms are verified and evaluated by software simulation. In this experiment, the size of the encrypted video sequences and the average time taken by different video security schemes are compared. The results are obtained from a PC running Microsoft Windows XP, with a P4-2.4G processor and 1 GB RAM. The Microsoft MPEG-4 encoder software for the ISO MPEG-4 video verification model is used in this experiment. Simulation for the standard video sequences “Carphone,” “Susie,” “Foreman,” “Salesman” (QCIF, one I-frame followed by 73 P-frames) is performed with two existing video encryption algorithms, “Block Shuffle” and “Subband Shuffle,” and our proposed scheme, which includes DCEA and “Event Shuffle.” In this experiment, DES is selected to encrypt the additional codes in DCEA.

In this experiment, DCEA is applied only to DC coefficients in the I-frame because these DC coefficients are encoded into DC codewords consisting of a length code and an additional code, as shown in Fig. 2. Other DC coefficients, of inter-blocks in P-frames, are encoded together with AC coefficients, so they are encrypted by “Event Shuffle.”

Table 3 Effects of different algorithm on compression efficiency for one I-frame of “Susie” sequence.

| Scramble Method | Size (bits) | Bit Overhead |
|---|---|---|
| No Scramble | 39311 | 0% |
| DCEA (ours) | 39311 | 0% |
| Event Shuffle (ours) | 39311 | 0% |
| Subband Shuffle | 42888 | 9.1% |
| Block Shuffle | 80312 | 104.3% |

Table 4 Effects of different algorithm on compression efficiency for 74 frames of “Susie” sequence (One I-frame followed by 73 P-frames).

| Scramble Method | File Size (Byte) | Bit Overhead |
|---|---|---|
| No Scramble | 165,617 | 0% |
| DCEA (ours) | 165,617 | 0% |
| Event Shuffle (ours) | 165,617 | 0% |
| Subband Shuffle | 198,409 | 19.8% |
| Block Shuffle | 259,025 | 56.4% |

As shown in Table 3 and Table 4, for both I-frame-only and entire sequence encryption, DCEA and “Event Shuffle” generate no bit overhead in the MPEG bitstream. In contrast, “Subband Shuffle” and “Block Shuffle” generate 9–100% bit overhead for the I-frame and the entire sequence.

Tables 5 and 6 show the processing time taken by different encryption algorithms embedded in the MPEG-4 video compression process. Table 5 compares “Block Shuffle,” “Subband Shuffle” and our proposed “Event Shuffle.” Obviously, the existing algorithms take more time than “Event Shuffle” in processing each sample video sequence. It should be noticed that the existing algorithms take almost the same time to encrypt different video sequences. That is because the sample sequences have the same total number of coefficients and the existing algorithms process these coefficients in the same way. Although the coefficients of different video sequences have different values, this has no influence on the processing time. In contrast, the processing time of the proposed “Event Shuffle” algorithm depends on the number of shuffling groups.

Table 5 Processing overhead of “Event Shuffle” and other existing algorithms on four sequences.

| Video Sequence | Original Time (ms) | Event Shuffle (ours): Group Number | Event Shuffle (ours): Time (ms) | Event Shuffle (ours): Overhead | Block Shuffle: Time (ms) | Block Shuffle: Overhead | Subband Shuffle: Time (ms) | Subband Shuffle: Overhead |
|---|---|---|---|---|---|---|---|---|
| “Carphone” | 6782 | 2831 | 14.59 | 0.22% | 28.41 | 0.42% | 47.98 | 0.71% |
| “Susie” | 8407 | 2923 | 15.10 | 0.18% | 28.56 | 0.34% | 47.80 | 0.57% |
| “Foreman” | 7343 | 4065 | 21.24 | 0.29% | 28.27 | 0.38% | 47.95 | 0.65% |
| “Salesman” | 4985 | 4410 | 23.09 | 0.46% | 28.79 | 0.58% | 48.03 | 0.96% |

Table 6 Processing overhead of DCEA on I-frame of four sequences.

| Video sequence at 176 × 144 with 74 frames | Original Time (ms) | Bit number of all DC coefficients | DCEA Time (ms) | Overhead (%) |
|---|---|---|---|---|
| “Carphone” sequence | 6782 | 1596 | 0.0812 | 0.0012 |
| “Susie” sequence | 8407 | 1498 | 0.0773 | 0.0009 |
| “Foreman” sequence | 7343 | 1816 | 0.0874 | 0.0012 |
| “Salesman” sequence | 4985 | 1555 | 0.0793 | 0.0016 |

Fig. 6 Comparison of total event group number and time taken by Event Shuffle with sample sequences (“Carphone,” “Susie,” “Foreman,” “Salesman”).

As shown in Table 5 and Fig. 6, the processing time of “Event Shuffle” is in direct proportion to the total number of shuffling groups of the sequences being processed. One may ask whether, if sequences have too many shuffling groups, the proposed algorithm will take more time than existing algorithms. This problem can be resolved by processing only a part of the shuffling groups. Because events are taken out of the coefficient vector in zigzag order, the earlier shuffling groups consist of low frequency coefficients. These coefficients carry important information of the video frames, so processing the earlier shuffling groups can make the video adequately incomprehensible.

Table 6 shows the processing time taken by DCEA on different video sequences. Because of the small amount of data processed and the simplicity of the algorithm, DCEA needs just a little time. Compared with “Event Shuffle,” the processing overhead introduced by DCEA is almost negligible.

Fig. 7 The I-frame of encrypted “Susie” sequence (one I-frame followed by 73 P-frames). (a) Unscrambled frame (b) DCEA Only (c) Event Shuffle Only (d) DCEA & Event Shuffle

Figure 7 shows the encrypted I-frame of the “Susie” sequence using the proposed algorithms. In picture (b), because DC coefficients are encrypted by DCEA, it can be seen that the average brightness of each area is different from the original picture. But because AC coefficients are kept unchanged, some detail of the content in the picture can be recognized. In contrast, in picture (c), “Event Shuffle” scrambles the AC components, but the DC components remain unchanged. As a result, the background of most areas of the picture remains unchanged. And it is seen in (d) that encryption with both DCEA and “Event Shuffle” renders a completely incomprehensible picture.

4. Conclusion

This paper has proposed a new video security scheme, which includes two encryption methods. The first is DCEA (DC Coefficient Encryption Algorithm), which is dedicated to protecting the DC component of MPEG video sequences. As analyzed in Sect. 2.2, DCEA provides enough security for the DC component. The second proposed algorithm is “Event Shuffle” for the AC component of MPEG video. Although it is relatively vulnerable to some attacks, changing the key periodically can give a good improvement. This scheme keeps the total number of DC coefficients and RLE events unchanged, as well as the number of bits of these data. So, even when the proposed encryption scheme is inserted into the encoder, no additional data is introduced. That means the compression efficiency of the encoder is not changed.
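The following added sketch (not the authors' code) illustrates three points made above: shuffling only the first, low-frequency event groups, leaving the event count and bit count unchanged, and changing the key periodically. The group size, the HMAC-SHA256-driven permutation, the per-period key derivation and the code-length model are assumptions made for this example; the paper's own grouping and key handling are not reproduced here.

```python
import hashlib
import hmac

GROUP_SIZE = 4  # assumption: events per shuffling group

def period_key(master, frame_no, period):
    """Derive a fresh shuffle key every `period` frames (assumed rekeying rule)."""
    return hmac.new(master, b"period%d" % (frame_no // period), hashlib.sha256).digest()

def keyed_permutation(key, label, n):
    """Fisher-Yates order driven by HMAC-SHA256(key, label || counter)."""
    perm, ctr = list(range(n)), 0
    for i in range(n - 1, 0, -1):
        while True:  # rejection sampling avoids modulo bias
            mac = hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256)
            r, ctr = int.from_bytes(mac.digest()[:4], "big"), ctr + 1
            if r < (2**32 // (i + 1)) * (i + 1):
                break
        j = r % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def shuffle_block(events, key, block_idx, max_groups, inverse=False):
    """Permute events inside the first `max_groups` groups only.

    Events are in zigzag order, so the first groups are the low-frequency ones.
    """
    out = list(events)
    for g in range(max_groups):
        lo = g * GROUP_SIZE
        n = min(GROUP_SIZE, len(events) - lo)
        if n < 2:
            break
        perm = keyed_permutation(key, b"%d/%d" % (block_idx, g), n)
        for dst, src in enumerate(perm):
            if inverse:
                out[lo + src] = events[lo + dst]
            else:
                out[lo + dst] = events[lo + src]
    return out

def code_bits(event):
    """Constructed stand-in for a VLC table: length depends only on the event."""
    run, level = event
    return 3 + run.bit_length() + 2 * abs(level).bit_length()

def total_bits(events):
    return sum(code_bits(e) for e in events)

# Constructed sample: (run, level) AC events of one block, in zigzag order.
BLOCK = [(0, 12), (0, -7), (1, 5), (0, 3), (2, -2), (0, 2), (3, 1), (5, -1), (9, 1)]
```

Because each codeword length depends only on the event it encodes, any reordering of the same events yields the same total; `max_groups` bounds the work per block when a sequence has many groups.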


Furthermore, because of the simplicity of the proposed algorithms and the small amount of object data to be processed, this scheme adds only a little processing overhead to the MPEG codec.

Acknowledgments

This work was supported by funds from the MEXT via Kitakyushu and Fukuoka innovative cluster projects and was also supported by Waseda University grant for special research projects (2005B-383). The authors would like to thank Dr. Yukiyasu Tsunoo (NEC Internet Systems Research Laboratories) for his many valuable suggestions.

Gang Liu received his B.E. degree in Automation from Beijing Union University, China, in 1995. He is currently a Ph.D. candidate in the Graduate School of Information, Production and Systems, Waseda University, Japan. His research interests include video coding, video security and associated very large scale integration (VLSI) architecture.

Takeshi Ikenaga received his B.E. and M.E. degrees in electrical engineering and the Ph.D. degree in information & computer science from Waseda University, Tokyo, Japan, in 1988, 1990, and 2002, respectively. He joined LSI Laboratories, Nippon Telegraph and Telephone Corporation (NTT) in 1990, where he has been undertaking research on the design and test methodologies for high-performance ASICs, a real-time MPEG2 encoder chip set, and a highly parallel LSI & system design for image-understanding processing. He is presently an associate professor in the system LSI field of the Graduate School of Information, Production and Systems, Waseda University. His current interests are application SoCs for image, security and network processing. Dr. Ikenaga is a member of the IPSJ and the IEEE. He received the IEICE Research Encouragement Award in 1992.


Satoshi Goto was born in Hiroshima, Japan, in 1945. He received the B.E. and M.E. degrees in Electronics and Communication Engineering from Waseda University in 1968 and 1970, respectively. He also received the Dr. of Engineering from the same university in 1981. He joined NEC Laboratories in 1970, where he worked on LSI design, multimedia systems and software. Since 2003, he has been a professor at Waseda University in Kitakyushu; his interests include LSI design and multimedia applications. He is an IEEE Fellow and a Member of the Academy Engineering Society of Japan.

Takaaki Baba was born on January 10, 1949 in Aichi, Japan. He received the M.S. degree and the Dr. of Engineering from Nagoya University in 1973 and 1979, respectively. He joined Matsushita Electric Industrial Co., Ltd. in 1973. From 1983 to 2002 he worked for Matsushita Electric Co. of America, where he was involved in and conducted several strategic projects such as System LSI and ASIC applications, wireless communication systems and electronic devices. From 1980 to 1982, he was a research fellow at UC Berkeley. From 2002 to 2003 he was a visiting scholar at Stanford University. Since 2003 he has been a professor in the system LSI field at the Graduate School of Information, Production and Systems of Waseda University. He is a member of IEEE and served as an Executive Committee member of IEEE-ISSCC from 1995 to 2003.