cryptology for digital tv broadcasting

CRYPTOLOGY FOR DIGITAL TV BROADCASTING
B. M. Macq and J.-J. Quisquater
Proceedings of the IEEE, Volume 83, No. 6, June 1995

INTRODUCTION

- Cryptography for TV broadcasting is an old issue.
- Cryptography aims to prevent unauthorized receivers from decoding the programs by scrambling them.
- Cryptography and cryptanalysis are the two complementary approaches of cryptology.
- TV programs are very different from military secrets or banking information.
  - The information rate is very much higher.
  - The information value is very much lower.
- This paper is devoted to three issues:
  - Conditional access for pay TV
  - Watermarking of images for copyright protection
  - Image signature for authentication

SCRAMBLING DIGITAL TV

- Notation
  - Message $M$ (plaintext)
  - Invertible transformation $E_{K_1}$
  - Encrypted message $C = E_{K_1}(M)$ (cipher text)
  - The cipher text is transmitted over a public channel.
  - An authorized receiver decodes the message by the transformation $D_{K_2} := E_{K_1}^{-1}$.
  - $D_{K_2}(C) = E_{K_1}^{-1}[E_{K_1}(M)] = M$.
  - $K_1$: encryption key
  - $K_2$: decryption key
- Two kinds of encryption algorithms:
  - Block encryption
    - The plaintext is segmented into blocks of fixed size.
    - Each block is encrypted independently from the other blocks.
    - If a block is sent on a noisy channel, errors propagate on the whole block.
  - Stream encryption
    - Each plaintext word is EXORed with a key $k_i$ generated by a PRN generator.
    - Such schemes are more resistant to channel errors.
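The noisy-channel contrast between block and stream encryption, worked through as an added example that is not part of the original slides. A toy 4-round Feistel cipher built on SHA-256 stands in for the block cipher and a SHA-256 counter keystream for the PRN generator; both constructions, the key and the 48-byte payload are assumptions made for illustration only.

```python
import hashlib

BLOCK = 16  # bytes per block of the toy cipher (constructed for this example)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: SHA-256 of key, round number and one half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_crypt(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Process each 16-byte block independently with 4 Feistel rounds."""
    out = b""
    for i in range(0, len(data), BLOCK):
        l, r = data[i:i + 8], data[i + 8:i + 16]
        for rnd in (range(3, -1, -1) if decrypt else range(4)):
            if decrypt:
                l, r = _xor(r, _f(key, rnd, l)), l
            else:
                l, r = r, _xor(l, _f(key, rnd, r))
        out += l + r
    return out

def stream_crypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with keystream bytes k_i from a hash-based PRN generator."""
    blocks = range((len(data) + 31) // 32)
    ks = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest() for n in blocks)
    return _xor(data, ks)

def bit_errors_per_block(a: bytes, b: bytes) -> list:
    """Count differing bits between a and b, one total per 16-byte block."""
    return [sum(bin(x ^ y).count("1") for x, y in zip(a[i:i + BLOCK], b[i:i + BLOCK]))
            for i in range(0, len(a), BLOCK)]

def channel_error_demo() -> dict:
    key, plain = b"constructed-demo-key", bytes(range(48))  # constructed 3-block payload
    schemes = {"block": (block_crypt, lambda k, c: block_crypt(k, c, True)),
               "stream": (stream_crypt, stream_crypt)}
    errors = {}
    for name, (enc, dec) in schemes.items():
        received = bytearray(enc(key, plain))
        received[20] ^= 0x01  # channel noise flips one bit inside block 1
        errors[name] = bit_errors_per_block(plain, dec(key, bytes(received)))
    return errors

if __name__ == "__main__":
    print(channel_error_demo())  # per-block bit errors after decryption
```

One flipped ciphertext bit costs the stream scheme exactly one plaintext bit, while the block scheme loses a large share of the bits in the affected block and nothing outside it.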

CONDITIONAL ACCESS FOR PAY-TV

- Entitlement
  - An entitlement is a customized authorization.
  - The validity of an entitlement should always be limited in time.
  - If the user stops fulfilling the access conditions, he/she cannot receive his/her new entitlement.
  - The entitlements of each user can be granted, renewed or modified.
- Specifications
  - Some specific requirements of a CA system
    - Minimizing the constraints imposed on the user
    - Minimization of the management cost
    - Minimization of the theft of services
- Control Word
  - The control word should have a sufficient length and a sufficiently short lifetime.
  - The control word will only be passed to the unscrambling system in the decoders of users if the users have the relevant entitlements.
  - In general, an access control system (ACS) may include a security processor that can be removed.

CONDITIONAL ACCESS FOR PAY-TV

- Access Control
  - The user of an access control system will be provided with a decoder.
  - The main function of the decoder is to contain the user’s access rights (i.e., the description of the programs to which he/she is entitled).
  - The program provider embeds in his broadcast an entitlement control message (ECM).
  - An ECM will contain the enciphered control word as well as a description of the program (identifier, data, time, level, class, etc.).
- Confidentiality problems
  - Eavesdropping the transmitted signal: to thwart this attack, the system design includes an encryption technique.
  - Reading sensitive information stored in the decoder: this threat is circumvented by using a security processor.
  - Commercial confidentiality
  - Personal privacy
- Integrity problems
  - Introduction of altered information in the decoder (e.g., an extension of the validity period of some entitlement).
- Authentication problems
  - The security processor will behave as the authorized representative of the program provider.

CONDITIONAL ACCESS FOR PAY-TV

- Access Control Messages
  - Two types of messages: ECMs and EMMs.
  - The entitlement control message (ECM)
    - An enciphered form of the control words
    - The access parameters: an identification of the program and of the conditions required for accessing this program.
      - Program number
      - Program cost per view
      - Program cost per unit of time
      - Program theme/level and date
      - Maturity rating
    - These messages are routed to the security processor (implemented as a smart card).
    - The security processor will decipher the control word and send it to the unscrambling circuit if one of the entitlements it contains covers the access parameters appearing in the ECM.
  - The entitlement management message (EMM)
    - New entitlements to the end user (new subscriptions, new program numbers)
    - Information about the consumption
    - The EMMs can be routed either on the signal transmission channel or on a distinct channel.
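How a security processor can gate the control word on EMMs and ECMs, as an added example that is not from the slides. The JSON message layout, the HMAC-SHA256 tag on EMMs, the HMAC-derived pad used as a stand-in cipher for the control word, the key names and all sample values are assumptions; the slides do not specify any of them.

```python
import hashlib, hmac, json

def mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def cw_pad(service_key: bytes, program: int, time: int) -> bytes:
    # Stand-in cipher (assumption): 8-byte pad bound to the ECM access parameters.
    return mac(service_key, f"{program}:{time}".encode())[:8]

def make_emm(mgmt_key: bytes, program: int, expires: int) -> dict:
    body = json.dumps({"program": program, "expires": expires}).encode()
    return {"body": body, "tag": mac(mgmt_key, body)}

def make_ecm(service_key: bytes, program: int, time: int, cw: bytes) -> dict:
    pad = cw_pad(service_key, program, time)
    return {"program": program, "time": time, "ecw": bytes(a ^ b for a, b in zip(cw, pad))}

class SecurityProcessor:  # smart-card side: stores entitlements, releases control words
    def __init__(self, mgmt_key: bytes, service_key: bytes):
        self._mgmt_key, self._service_key = mgmt_key, service_key
        self._entitlements = {}  # program number -> expiry time

    def load_emm(self, emm: dict) -> bool:
        # Integrity: refuse an EMM whose body does not match the provider's tag.
        if not hmac.compare_digest(mac(self._mgmt_key, emm["body"]), emm["tag"]):
            return False
        ent = json.loads(emm["body"])
        self._entitlements[ent["program"]] = ent["expires"]
        return True

    def process_ecm(self, ecm: dict):
        # Decipher the control word only if an unexpired entitlement covers the ECM.
        expires = self._entitlements.get(ecm["program"])
        if expires is None or ecm["time"] > expires:
            return None
        pad = cw_pad(self._service_key, ecm["program"], ecm["time"])
        return bytes(a ^ b for a, b in zip(ecm["ecw"], pad))

def demo() -> dict:
    mgmt, svc = b"constructed-mgmt-key", b"constructed-service-key"
    cw = bytes.fromhex("0123456789abcdef")  # constructed control word
    card, emm = SecurityProcessor(mgmt, svc), make_emm(mgmt, program=7, expires=1000)
    forged = {"body": emm["body"].replace(b"1000", b"9999"), "tag": emm["tag"]}
    return {"forged_emm": card.load_emm(forged), "valid_emm": card.load_emm(emm),
            "entitled": card.process_ecm(make_ecm(svc, 7, 900, cw)) == cw,
            "expired": card.process_ecm(make_ecm(svc, 7, 1001, cw)),
            "other_program": card.process_ecm(make_ecm(svc, 8, 900, cw))}

if __name__ == "__main__":
    print(demo())
```

Because the pad is derived from the program number and time, an ECM whose access parameters are altered to slip past the entitlement check deciphers to a value that is not the control word.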

MPEG 2 FRAMES

- The picture frames are divided into 3 classes:
  - I frames are coded without reference to preceding or upcoming frames in the sequence.
  - P frames are coded with respect to the temporally closest preceding I frame or P frame in the sequence.
  - B frames are interspersed between the I frames and P frames in the sequence.
  - Renewability of content protection systems
- MPEG 2 is based on the Discrete Cosine Transform (DCT).
  - Each frame (I, P, and B) goes through the following steps:
    - DCT
    - Quantization
    - Entropy coding

AN I FRAME


A CASE STUDY: AN 8X8 BLOCK

  52   55   61   66   70   61   64   73
  63   59   66   90  109   85   69   72
  62   59   68  113  144  104   66   73
  63   58   71  122  154  106   70   69
  67   61   68  104  126   88   68   70
  79   65   60   70   77   68   58   75
  85   71   64   59   55   61   65   83
  87   79   69   68   65   76   78   94

A CASE STUDY: LEVEL SHIFTING

The quantity $2^{n-1}$ is subtracted from each pixel value. With $n = 8$, $2^{n-1} = 128$.

 -76  -73  -67  -62  -58  -67  -64  -55
 -65  -69  -62  -38  -19  -43  -59  -56
 -66  -69  -60  -15   16  -24  -62  -55
 -65  -70  -57   -6   26  -22  -58  -59
 -61  -67  -60  -24   -2  -40  -60  -58
 -49  -63  -68  -58  -51  -65  -70  -53
 -43  -57  -64  -69  -73  -67  -63  -45
 -41  -49  -59  -60  -63  -52  -50  -34

A CASE STUDY: APPLICATION OF DCT

-415  -29  -62   25   55  -20   -1    3
   7  -21  -62    9   11   -7   -6    6
 -46    8   77  -25  -30   10    7   -5
 -50   13   35  -15   -9    6    0    3
  11   -8  -13   -2   -1    1   -4    1
 -10    1    3   -3   -1    0    2   -1
  -4   -1    2   -1    2   -3    1   -2
  -1   -1   -1   -2   -1   -1    0   -1

A CASE STUDY: NORMALIZATION MATRIX

$Z(u, v)$

  16   11   10   16   24   40   51   61
  12   12   14   19   26   58   60   55
  14   13   16   24   40   57   69   56
  14   17   22   29   51   87   80   62
  18   22   37   56   68  109  103   77
  24   35   55   64   81  104  113   92
  49   64   78   87  103  121  120  101
  72   92   95   98  112  100  103   99

A CASE STUDY: QUANTIZATION

DCT coefficients are quantized using the formula below:

$$\hat{T}(u, v) = \mathrm{round}\left[\frac{T(u, v)}{Z(u, v)}\right]$$

 -26   -3   -6    2    2    0    0    0
   1   -2   -4    0    0    0    0    0
  -3    1    5   -1   -1    0    0    0
  -4    1    2   -1    0    0    0    0
   1    0    0    0    0    0    0    0
   0    0    0    0    0    0    0    0
   0    0    0    0    0    0    0    0
   0    0    0    0    0    0    0    0

38 consecutive zeros!

A CASE STUDY: ZIGZAG REORDERING

[-26 -3 1 -3 -2 -6 2 -4 1 -4 1 1 5 0 2 0 0 -1 2 0 0 0 0 0 -1 -1 EOB]

A special EOB Huffman code word indicates that the remainder of the coefficients are zeros.

A CASE STUDY: ZIGZAG REORDERING

- Entropy coding is lossless.
- DC and AC coefficients are treated differently.
- Differential Pulse Code Modulation (DPCM) on DC coefficients
  - Each DPCM-coded DC coefficient is represented by a pair of symbols: (CATEGORY, AMPLITUDE)
  - CATEGORY: indicates the number of bits needed to represent the coefficient.
  - AMPLITUDE: contains the actual bits.
  - The 1’s complement notation is used for negative numbers.
- Run-length coding (RLC) on AC coefficients
  - RLC replaces each AC coefficient by a pair (RUNLENGTH, VALUE)
  - RUNLENGTH: indicates the number of zeros in the run.
  - VALUE: the next nonzero coefficient.
  - The special pair (0,0) indicates the EOB after the last nonzero AC coefficient.

A CASE STUDY: COMPLETELY CODED ARRAY

[-26 -3 1 -3 -2 -6 2 -4 1 -4 1 1 5 0 2 0 0 -1 2 0 0 0 0 0 -1 -1 EOB]

1010110 0100 001 0100 0101 100001 0110 100011 001 100011 001 001 100101 11100110 110110 0110 11110100 000 1010

- Number of bits needed to store the 8x8 block = 64 x 8 = 512
- Number of bits after JPEG compression = 92
- Compression ratio = 512/92 => 5.6:1
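The quantization, zigzag and run-length steps of the case study, carried through in code as an added example that is not from the slides. T and Z are copied from the case study; the function names are this example's own, and `category_amplitude` follows the (CATEGORY, AMPLITUDE) description on the entropy-coding slide.

```python
# DCT coefficients T(u,v) and normalization matrix Z(u,v), copied from the case study.
T = [[-415, -29, -62, 25, 55, -20, -1, 3], [7, -21, -62, 9, 11, -7, -6, 6],
     [-46, 8, 77, -25, -30, 10, 7, -5], [-50, 13, 35, -15, -9, 6, 0, 3],
     [11, -8, -13, -2, -1, 1, -4, 1], [-10, 1, 3, -3, -1, 0, 2, -1],
     [-4, -1, 2, -1, 2, -3, 1, -2], [-1, -1, -1, -2, -1, -1, 0, -1]]
Z = [[16, 11, 10, 16, 24, 40, 51, 61], [12, 12, 14, 19, 26, 58, 60, 55],
     [14, 13, 16, 24, 40, 57, 69, 56], [14, 17, 22, 29, 51, 87, 80, 62],
     [18, 22, 37, 56, 68, 109, 103, 77], [24, 35, 55, 64, 81, 104, 113, 92],
     [49, 64, 78, 87, 103, 121, 120, 101], [72, 92, 95, 98, 112, 100, 103, 99]]

def quantize(t, z):
    # Python's round() sends the single tie here (-20/40 = -0.5) to 0, as in the case study.
    return [[round(t[u][v] / z[u][v]) for v in range(8)] for u in range(8)]

def zigzag(block):
    """Flatten an 8x8 block along anti-diagonals, alternating direction."""
    cells = [(u, v) for u in range(8) for v in range(8)]
    cells.sort(key=lambda p: (p[0] + p[1], p[0] if (p[0] + p[1]) % 2 else p[1]))
    return [block[u][v] for u, v in cells]

def run_length(ac):
    """(RUNLENGTH, VALUE) pairs for the AC coefficients, ending with the (0, 0) EOB pair."""
    last = max((i for i, c in enumerate(ac) if c), default=-1)
    pairs, run = [], 0
    for c in ac[:last + 1]:
        if c:
            pairs.append((run, c))
            run = 0
        else:
            run += 1
    return pairs + [(0, 0)]

def category_amplitude(n):
    """(CATEGORY, AMPLITUDE bits); negative values use 1's complement."""
    cat = abs(n).bit_length()
    bits = format(n if n >= 0 else n + (1 << cat) - 1, "b").zfill(cat) if cat else ""
    return cat, bits

if __name__ == "__main__":
    seq = zigzag(quantize(T, Z))
    print(seq[:26], "trailing zeros:", len(seq) - 26)
    print(run_length(seq[1:]))
```

The 18 pairs returned by `run_length` line up one-to-one with the 18 code words that follow the DC code word in the coded array.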

SET-TOP BOX

[Figure: set-top box diagram. Labels: Set-Top Box, DVD player, Broadcast network, PC, Switched network, DTV, Remote control device.]

COPYRIGHT PROTECTION BY DIGITAL IMAGES

- The issue of copyright protection of digital broadcasted sources is being studied.
- An electronic stamp must be holographically inlaid over the whole picture.
- The requirements for the electronic stamp:
  - Undeletable by a hacker.
  - Perceptually invisible.
  - Statistically invisible.
  - Fully resistant to any additional noise (compression, transmission, etc.)
- $I$: the original image, $\epsilon$: the stamp
- Stamp procedure
  - $Q$: a procedure which extracts essential characteristics of $I$.
  - $S(Q(I)) \to \epsilon$, where $S$ is a secret algorithm.
  - $I \oplus \epsilon$: the stamped image
  - $CS(Q(I \oplus \epsilon)) \to$ stamped by $S$ = “YES”, where $CS$ is a correlation procedure.

AUTHENTICATION OF PICTURES

- A stamp is not a signature.
- The stamp aims to protect the author while the signature aims to protect the receiver.
- There are different methods of signature generation:
  - Symmetric
  - Asymmetric
- Asymmetric methods
  - Diffie-Hellman key agreement
  - RSA signature scheme
  - ElGamal signature scheme
  - Digital Signature Standard (DSS): This standard specifies a Digital Signature Algorithm (DSA).
- Symmetric methods
  - Diffie-Lamport signature scheme
  - Merkle signature scheme