Key distribution based on hierarchical access ... - Semantic Scholar

T. Jiang et al.: Key Distribution Based on Hierarchical Access Control for Conditional Access System in DTV Broadcast

225

Key Distribution Based on Hierarchical Access Control for Conditional Access System in DTV Broadcast Tianpu Jiang, Shibao Zheng and Baofeng Liu

Abstract —Conditional Access System (CAS) is one of the key techniques in digital television (DTV) broadcast which is used to charge the subscriber for subscribing fee by scrambling the program information. Scrambling algorithm and key distribution are the most important parts for CAS. In this paper, we proposed a new key distribution scheme based on hierarchical access control for conditional access system in digital television broadcast. Our key distribution scheme can greatly reduce the encrypting computation and acquire higher efficiency and security. Moreover, the proposed scheme is more flexible in processing joining and leaving of subscriber, which is very important for service provider to manage the subscriber.1. Index Terms—Conditional Access System, DTV broadcast, key distribution, hierarchical access control. I. INTRODUCTION With the rapid development of technology in the field of DTV broadcast, more and more broadcasters have provided a variety of specifically broadcast media to satisfy the ever-increasing demands of the users. In order to preserve the continued financial stability of the broadcaster to broadcast these higher-quality and well-produced programs, conditional access system (CAS) as one of the key techniques in digital television (DTV) broadcast always has been adopted to allow the already paid and authorized user to watch the subscribed programs. In CAS the transmitted information such as video, audio and data is scrambled with control words (CWs). This makes information unintelligible for unauthorized or not paid users, while authorized and already subscribed user can use the decrypting module in STB or legal smartcard to derive the CWs to descramble the scrambled program. CAS can charge the subscribing fee by management the decrypting device or key as well [1][2][3][4].

Because CAS directly relates with the benefit of service provider and the subscriber, the security of CAS is very important to both sides. Scrambling algorithm being easy to attack will damage the CAS and reduce the security, while key distribution is not enough secure which will leak the information of key. The security of CAS heavily depends on these two factors. Generally, the stream processing has higher real-time requirement in DTV broadcast, CAS always adopts symmetric encryption algorithm in scramble the program stream[5]. For DTV broadcast system, the scrambled program stream can be received by anyone connected with the broadcast network. So the pirates can subscribe to the scrambled program channel to get the plaintext as well as the accordingly scrambled program and take known-plaintext attack on the scrambled stream. This is dangerous for CAS security, but this can be improved by frequently changing the CWs or scrambling the program with s more complex symmetric encryption algorithm. For a typical CAS, CWs will be changed once per 5~20 seconds[5]. Comparing with the attack on scrambling algorithm, keys distribution for CWs is more important. If a pirate gets the keys, which can decrypt Entitlement Control Message (ECM) for CWs for scrambled program, CAS will be easily cracked even frequently changing CWs or encryption algorithm. A good CAS should be high security, efficiency in processing stream and flexible in dynamic management. In this paper, we put forward a new key distribution for CAS based on hierarchical access control. Our scheme is secure enough. Moreover, the proposed scheme can greatly reduce the encryption computation and be more flexible in dynamic management. The rest is organized as follows. Related work on key distribution for CAS is discussed in section Ⅱ . Then, in Section Ⅲ theory for hierarchical access control is discussing as well as the symbol definition. The hierarchical access control model of key distribution for CAS is proposed in section Ⅳ. Comparing with Tu’s scheme and security analysis are discussing in section Ⅴ . And finally, the conclusions are given in section Ⅵ.

1 This work was supported by Electronic Development Fund of Ministry of Information Industry of P.R.China. Tianpu Jiang is with the Institute of Image and Information Processing, Shanghai Jiao Tong University, Shanghai, P.R.China (e-mail: [email protected]) . Shibao Zheng is with the Institute of Image and Information Processing, Shanghai Jiao Tong University, Shanghai, P.R.China (e-mail: [email protected]) Baofeng Liu are with the Institute of Image and Information Processing, Shanghai Jiao Tong University, Shanghai, P.R.China (e-mail: [email protected]).

Contributed Paper Original manuscript received May 5, 2003 Revised manuscript received November 26, 2003

II. RELATED WORK ON KEY DISTRIBUTION FOR CAS In this section, we first introduce the CAS model. And some related works on key distribution for CAS will be discussed and analyzed. A. CAS Model Figure 1 gives an overview of a typical Conditional Access (CA) system. Generally, CAS operates in a three-level hierarchy key distribution as follows [3][4][6][7]. The server chooses a

0098 3063/04/$20.00 © 2004 IEEE

226

IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, FEBRUARY 2004

random variable CWs as the seed of a pseudo random generator (PRG). A pseudo random sequence generated by PRG can be used to scramble the transported stream (TS). At the same time, CWs will be encrypted by authorization key (AK) to form Entitlement Control Message (ECM). And AK and other entitlement information will be encrypted together by Master Private Key (MPK) to form Entitlement Management Message (EMM). ECM, EMM and the scrambled Ts stream will be multiplexed into a new Ts stream and transferred to subscribers in an insecure channel. Subscriber Management System (SMS) is in charge of delivering smartcard with MPK to authorized subscriber or updating the MPK in smartcard[8][9].

worst case is that the subscribers cover all the combination of the channels. ie.

N max = CT1 + CT2 + CT3 + L + CTT = 2T − 1 .

(1)

We assume there is a channel group which has no channel ie.

CT0 , so the variable N max = 2T .Each group has a unique receiving group key (RGK), which can reduce the load of distributing authorized key (AK). So the four-level keys are CWs, AK, RGK and MPK. Key of each level is used to encrypt and distribute the keys of former level and all the encrypted keys should be transferred in insecure channel. In Tu’s scheme, AK and RGK are encrypted in the same package and transferred to the accordingly subscriber by mail or special channel. This causes inconveniently for rekeying in CAS, which will greatly reduce the efficiency and flexibility of CAS. Moreover, the authors consider the computation of encryption for distributing AK based on encrypting package. This is not accurate for evaluating the computational quantity of CAS, because every package is including many times of encrypting which can’t be negligible. In Tu’s scheme, because every channel has its own AK and CWs, the classification of group will result in redundant encrypting for AK. That is, if many subscribers in different receiving group are subscribing the same channel, the same AK of the channel needs to be encrypted in M times. Here M is equal to the number of the receiving groups to which at least one subscriber subscribing the channel is subordinated. Considering the combination of channels, the T channels can be divided into

2T groups. That is, every group can possess 1 to T channels Fig.1. A typical CA system

The receiver can use his smartcard to decrypted EMM to get the AK which can be used to decrypt the ECM and get the accordingly CWs. CWs can be input in a same PRG with the sever part’s to get a same pseudo random sequence to descramble the Ts. As we can see, the server sends the TS stream after scrambling and distributes the key for descrambling the TS stream only to the authorized receivers. Hence the function to distribute the descramble key only to the authorized subscribers is very important. B. Related Work on Key Distribution for CAS W.Lee proposed a key distribution scheme based on four-level key hierarchy[1], but the computation of encryption and transmission in his scheme were too heavy for CAS and without flexibility to process joining and leaving of subscriber. For CAS, because AK refreshes frequently, the load for key rekeying mainly depends on the distributing AK. Tu et al. proposed a modified scheme for key distribution based on W.Lee’s scheme[2]. In this scheme, subscribers were classified into receiving groups based on their subscribed channels. Here we first give a review of this scheme and then we will analyze it based on probability theory. First, it assumes there are T channels and S subscribers and S is far larger than T. Based on the subscribing channels, the subscribers are divided into N groups. Here we can see, if every subscriber subscribes the same channel, N will be the smallest. ie. N min = 1 . And the

group which is the combination of the T channels. That is, 1

2

3

T

channels can be divided based on CT , CT , CT ,…, CT . For discussing conveniently, we assume that there is a channel group without channel, ie.

CT0 . With similarity principle, we

divide the S subscribers based on

CS1 , CS2 , CS3 , … , CSS and

we assume there exists one group without subscriber as well. Because the number of subscriber is far larger than the number of channel, we ignore the case that subscriber is less than the channel. We use the variable

αi , β j

respectively. Here 0 ≤ i ≤ T and 0 ≤

αi

and

βj

stand for

CTi , CSj

j ≤ S . We can see that

are two dimension random variables and every pair

of them has a definite joint distribution probability ρi , j [13]. For example, for ( α 2 , β 3 ), function

ρ 2,3

CT2CS3 = T S . And we assume that the 2 2

f (α i , β j ) is the number of the needed key for the

case ( α i , β j ), so we can get

f (α i , β j ) = i * j . Based on the

probability

theory, the expectation f (α i , β j ) can be shown as:

E ( f (α i , β j ) ) = ∑∑ i * j * ρi , j i

j

of

the

function (2)

T. Jiang et al.: Key Distribution Based on Hierarchical Access Control for Conditional Access System in DTV Broadcast

We know that the expectation of a function is the average value of the function, so we can use the equation (2) to evaluate the average number of the distributing keys needed for the T channel and S subscriber. With our simulation, we find the expectation is very huge especially in the case that S is some of large. E.g. for T=50 and S=20000, the expectation of equation (2) is equal to 250125 which is about tenfold of the number of subscribers and it will increase more than 10 keys for every new added subscriber. As the increasing of subscriber and channel, this will be a heavy load for CAS. In Tu’s paper, they put forward a complete scheme of four levels hierarchy for processing the subscriber’s joining and leaving to reduce the work load of CAS by equably distribute the total work of a month in 31 days, but the total computation and quantity of messages being transferred is not reduced. Moreover, it needs to update RGK on processing subscriber’s leaving and accordingly send the updated RGK to the remained subscribers respectively of the same receiving group. This will apparently affect these subscribers and be inflexible and inefficient in dynamic management. III. THEORY FOR HIERARCHICAL ACCESS CONTROL The hierarchical access control problem exists in many organizations where a hierarchical structure of data sensitivity and user privilege coexists[10]. Several cryptographic solutions have been proposed to address this problem[10][11][12]. The solutions are based on generating cryptographic keys for each security class such that the key of a lower level security group depends on the key of the higher security groups and the members of higher level have access rights to the data of lower level, but the reverse is not allowed. Akl and Taylor were the first authors to propose a top-down structure for solving the hierarchical access control problem[12]. L.Harn et al. proposed a modified scheme which used a bottom-up key generation structure to reduce the number of public key needed in processing hierarchical access control[10]. Moreover, comparing with Akl’s scheme, L.Harn’s scheme is more efficient in the memory usage since it needs less space to keep the public information. Here we will give a review of L.Harn’s scheme[10]. As shown in figure 2, a typical hierarchical structure has seven security groups and each user in the group

Gi has one group key K i . And all the groups are ordered by

the relation

≤ , where Gi ≤ G j means that Gi is subordinate

to G j and user in group

G j can access Gi with K j . From Fig.2, we

can get G3 , G 4 ≤ G1 ≤ G 0 and G5 , G6

2.

For

227

G3 , G4 , G5 , G6 , system chooses four pairwise

relatively primes

d 3 , d 4 , d 5 , d 6 as each group’s distinct key

information respectively. That is, gcd( d i , d j )=1 for 3.

System computes

i ≠ j.

e3 , e4 , e5 , e6 where

ei di ≡ 1mod φ (n) and keeps every ei public, where φ (n) is the Euler’s totient function. 4. For each group, system computes a pair of keys ( K i , ti ), where private key

K i = (α )

Ki

∏d f G f ≤Gi

mod(n) and public key ti ti = ∏ e f . G f ≤ Gi

(3)

(4)

After the keys distributed as the above, the system forms a hierarchical access control structure. For example, if a user in G0 wants to access the data of G4 , he can firstly derive the key

K 4 for G4 with his key K 0 . It can be derived by K 4 = K 0 t0 / t4 , where public variable t0 = e3e4 e5 e6 , t4 = e4 and

K 0 = (α ) d3d4 d5 d6 .

Except for the above theory, based on the definitions in the paper of I.Ray et.al[11], we deduce one more definition for MPK distribution for subscribers. Definition 1. For any message m, if there are n keys K i =< e, N i > , i=1,2,3,…,n, and N i are pairwise relative primes, then n  −1  ∏ [ m ,  i =1 K i ], K i  = m

(5)

Where [x,y] means x is encrypted by key y,for example, if y=, so

[ x, y ] = x e mod( z ) . Decrypt key K i−1 meets

the equation

K i−1 =< d i , N i > , where d i meets the equation

ed i ≡ 1mod φ ( N i ) and 1 ≤ i ≤ n . (m e mod N1 N 2 N 3 L N n )di mod N i  = (medi mod N1 N 2 N 3 L N n ) mod N i

PROOF. LHS =

≤ G2 ≤ G0 . The key

= (m xφ ( Ni ) +1 mod N1 N 2 N 3 L N n ) mod N i

generation for this hierarchical access control structure uses the following rules.

= (m xφ ( Ni ) +1 ) mod N i = m = RHS IV.

Fig 2. A typical hierarchical structure

1. System choose two large primes p and q and a parameter α ∈ [2, n − 1] which is relative prime with n=p.q and let n public.

KEY DISTRIBUTION BASED ON HIERARCHICAL ACCESS CONTROL FOR CAS

In DTV broadcast, a service provider normally provides many DTV program channels and the subscriber can subscribe their favorite program channels. Some subscribers may subscribe more channels including all the channels which are subscribed by other subscribers. That is, subscribers who

228

IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, FEBRUARY 2004

subscribe more channels have higher privilege than those subscribe few channels. This can be considered as a hierarchical access control relation. So we adopt a hierarchical access control structure in channels for CAS, which can get a good efficiency in reducing the computation of encryption and quantity of message being transferred for key distribution as well as flexibility in dynamic management. In our proposed scheme, we still adopt four level key hierarchy, that is CW, AK, RGK and MPK. We divide the program channels into several channels groups and every group needs only one AK to encrypt the CWs of all the channels in the group to form ECM package. For example, for one DTV broadcast station, there are 50 DTV program channels. We divide these channels into six basic channel groups as shown in Fig 3. That is movie channel group G1 , TV channel group G2 , stock information channel group G3 , news channel G4 , sports channel group

G5 and integrated information group G6 , where

chi denotes the ith channel. Based on the content near principle or some special principle, we derive several combinational channel groups as well. We call the basic channel group as leaf node and the combinational group above leaf node as midnode such as G7 , G8 , G 9 and the highest privilege group

G0 as root

node. The subscriber of higher privilege node in the hierarchical access control structure can access the program that can be accessed by subscriber of the lower privilege node which is subordinated to the higher privilege node. For example, subscribers in group

G 7 can access both the programs which

can be accessed by the subscriber in group

G1 and G2 ，i.e.

movie channel and TV channel from channel 1 to channel 30. Subscriber in

G 0 can access all the programs provided by the

service provider.

1. System chooses two large relative primes p and q to compute n=p.q and let n public and a parameter α ∈ [2, n − 1] . 2. System produces two secret keys each leaf node

G i as two days’ authorization key (AK) for

channels in the leaf node keys AKPi

odd

AK iodd and AK ieven for

and

G i and computes two public

AKPi even respectively. Where

 AK isymbol = (α ) yi mod(n)  AKPi symbol = ξisymbol  symbol

(6) . odd

Here symbol is a mark to mean odd or even. yi

and

yieven are

two relatively primes chosen randomly by system. ξ i

odd

ξ

even i

are

computed

by

the

and

equation

yisymbol × ξisymbol ≡ 1mod φ (n) . Variable i is index number for leaf node. And system computes the private receiving group key RGK i and public receiving group key RGKPi for Gi . Where

 RGK i = (α ) yi yi mod(n)  RGKPi = ξiodd ξieven  odd

even

(7).

3. For every midnode G j , system distributes a private receiving group key

RGK j and a public receiving group key RGKPj as

well. Where

∏ yiodd yieven  Ci ≤G j mod(n)  RGK j = (α )  odd even  RGKPj = ∏ ξi × ξi Gi ≤ G j 

(8).

Here for our system, j=7, 8, 9 and i is the index of the leaf node subordinated to the midnode G j . 4. For the root node G0 , system computes a private group key

RGK l and a public group key RGKPl . yieven ∏ yodd i  Gi ≤G j ≤Gl mod(n)  RGK l = (α )  odd even  RGKPl = ∏ ξi ξi Gi ≤G j ≤Gl 

Fig.3. A hierarchical access control structure of CAS

If the grouping scheme is more simple, the CAS will be more convenient and efficient in key distribution and management. For simplifying grouping of the program channel, service provider can provide more favorable action, for example discount for binding channels, to attract subscriber to subscribe more large combinational channels or the whole channels. If the subscriber in one group exceeds a fixed number, the system can divide the group into 2 groups as well. The keys of each group are distributed as follows.

(9).

Here l=0 and j=7,8,9 in our system and i=1,2,…,6. After distributing keys for each node, subscriber can be classified into the accordingly node. For example, if a subscriber subscribes to watch movie program channels, the CAS only need to send the receiving group key Because

RGK1 to him.

AKPi odd and AKPi even and the public receiving

group key RGKP1 are public in channel, the subscriber can use

RGK1 and

RGKP1 combined with AKPi odd and

AKPi even to derivate the AK of the movie channel. The

T. Jiang et al.: Key Distribution Based on Hierarchical Access Control for Conditional Access System in DTV Broadcast

derivation for

AK ieven is the same as that for AK iodd , so we just odd

consider the derivation of AK i

. It can be derived from the

following equation.

AK iodd = ( RGK1 )

RGKP1 / AKPiodd

mod(n)

(10)

Similarly, to derive RGK of lower privilege node from the higher privilege node just need to use the accordingly and RGKPi , while substitute the public key lower privilege node for

RGK i

RGKPk of the

AKPi odd in the equation (10). Once

the higher privilege node got the RGK of the subordinated lower privilege node, it can compute the AK of its subscribed channel by recursion as equation (10). So in our scheme, if a subscriber subscribes some kind of the channel, the system only needs to send a RGK of the channel group to him. In order to keep flexible to process the subscriber’s joining and leaving and reduce the load of key distribution for CAS, distributing RGK should be flexible and less computation or encryption. In our proposed scheme, the CAS chooses for each subscriber a unique key denoted as

< e, N j > and computes MPK using

MPK i =< di , N j > as definition 3. For each channel group Gi , system uses the following algorithm to encrypt the RGK i . E ( RGK i ) = [ RGK i , < e,

∏

N i >]

(11)

subscirberj ∈Gi

So for each group, CAS only needs to distribute one encrypted message, that is

E ( RGK i ) , which is usually

contained in EMM. All the subscribers in the group can use their MPK to decrypt the message to get RGK i as the equation (5) defined in the definition 3. Moreover, our scheme is more flexible in processing the joining and leaving. If a subscriber m joins the group, system only needs to choose a unique key

< e, N m > and computes MPK m for the subscriber. At the same time, system use the key

< e, N m > as a part of the

encrypting key to encrypt the RGK of the subscribed group and send the

MPK m by smartcard to the subscriber. In our

scheme, AK refreshes every day and for each leaf node we distribute two AKs. That is

AK iodd and AK ieven , while each key

will only be validate for one day. When refreshing AKs, the system only needs to refresh one AK such as even

or AK i

AK iodd

based on the current AK. For example, if the current

valid AK is AK

odd , i

so CAS needs to refresh AK

even . i

refreshing of AK, RGK will accordingly change to

After '

RGK .

'

RGK will be encrypted with the remaining subscribers’ key to form the new EMM and distributed in the channel. For the left subscriber, because

RGK ' is encrypted without his key

229

information, so he can not decrypt the encrypted message in EMM any longer, while the remaining subscribers can still '

decrypt EMM for the RGK for next day’s using. For the remaining subscriber and the left subscribers, because they can '

store the AKs for two days, so during rekeying RGK , it will not affect these users. The left subscriber can at most receive the program one more day after his leaving and the newly joining subscriber can receive the program after receiving EMM in '

which RGK is encrypted with his key information as a part of the encrypting key . Because of small quantity of transferred message for rekeying, system can periodically transfer EMM in a short time to ensure that the newly subscribers can receive it in time. All of the process for rekeying can be done online which is more flexible and important for CAS. In order to avoid the smartcard sharing or cloning problem, system must take pairing authentication between set top box (STB) and smartcard with zero knowledge proof or digital signature etc., but this is beyond the paper’s issue, which is not discussed here. Our scheme is discussed above mainly for pay-per-channel (PPC), but by changing the period of rekeying for AK as the specific program’s lasting time and using only one AK for each node, it can be used for pay-per-view (PPV). Ⅴ . ANALYSIS AND COMPARING In the proposed scheme, if there are T channels which are divided into M channel groups including combinational channel group. On group key RGK distribution, for each channel group, there only needs one encryption and accordingly only one EMM package to be transferred, so there totally needs M encryption and M packages of EMM message. Comparing with Tu’s scheme, this greatly reduces the computation of encryption and the quantity of package. Moreover, for processing joining and leaving, Tu’s scheme needs to change RGK and retransmit the EMM package which is not multiplexed into transport stream (TS) to all the subscribers related with the RGK by email or a specific channel. This needs a great deal of packages and is not compatible with DTV MPEG standard for CAS. Comparably, the proposed system is more flexible and compatible and needs fewer messages which can be transmitted with the public information in multiplexed TS stream in the program channels. Our scheme for key distribution is equivalent to RSA cryptosystem, so the security is based on the difficulty of factoring large prime numbers. We can choose a large exponent to avoid the low exponent attack. So the CAS is secure enough as long as choosing appropriate parameters. Ⅵ . CONCLUSIONS In this paper, related works on key distribution for CAS are discussed and Tu’s scheme is analyzed in detail. Based on the key hierarchy thought, we proposed a hierarchical access control scheme for key distribution for CAS in DTV broadcast. By analyzing and comparing, our scheme can greatly reduce the computation of encrypting and the quantity of messages

230

IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, FEBRUARY 2004

transferred for rekeying, which acquires higher efficiency and security for CAS. Moreover, the proposed scheme is more flexible in processing subscriber’s joining and leaving, this is very important for service provider to dynamic manage the subscriber. Furthermore, our system is compatible with the DTV standard, which can be used for both PPC and PPV service.

REFERENCES [1]

W.Lee, “Key Distribution and Management for Conditional Access System on DBS” Proc. of international conference on cryptology and information security, 1996, pp. 82-86. [2] F.K.Tu, C.S.Laih, and H.H.Tung, “On key distribution management for conditional access system on Pay-TV system”, IEEE Trans. on Consumer Electronics, Vol.45. Feb 1999, pp.151-158. [3] B.M.Macq and J.J.Quisquater, “Cryptology for digital TV broadcasting”, IEEE Proc. Vol.83. no.6, pp.944-957, June 1995. [4] D.J.Cutts, “DVB conditional access”, IEEE Electronics&Communication Engineering Journal, 1997 Feb,pp. 21-27. [5] ETR 289. Digital Video Broadcastiong (DVB); Support for use of scrambling and Conditional Access (CA) within digital broadcasting systems”, Oct.1996. [6] F.Kamperman and B.V.Rijnsoever, “Conditonal access system Interoperability through software downloading”, IEEE Trans. on Consumer Electronics, Vol 47, No.1 2001,pp 47-53. [7] EBU Project Group B/CA, “Functional model of a conditional access system”, EBU Technical Review, pp.64-77, Winter 1995 [8] ISO/IEC-13818-1, Generic coding of moving pictures and associated audio system. November 1994. [9] A045, Head-End implementation of DVB simulcrypt, June 1999. [10] Harn,L.and Lin,H.Y., “A new cryptographic key gerneration scheme for multilevel data security”, Computers and Security, 1990, pp.539-546

[11] I.Ray, I.Ray and N.Narasimhamurthi, “A cryptographic solution to implement access control in a hierarchy and more”, [12] S.G.Akl and P.D.Taylor, “Cryptographic solution to a multilevel security problem”, Proc. Crypto-82, Santa Barbara, CA, August 23-25,1982,pp.237-250 [13] Galambos, J. (1995). Advanced Probability Theory. A series of Textbooks and Reference books/10. Marcel Dekker, Inc. Tianpu Jiang received the B.S. and M.S. degrees in instrument and signal processing engineering from Harbin Institute of Technology, Harbin, P.R China, in 1999 and 2001 respectively. He is currently working for the Ph.D. degree in electronic engineering at the Institute of Image Communication and Information Processing of Shanghai Jiao Tong University, Shanghai, P. R. China. Since 2001, he has been engaged in the research and development for China’s digital television broadcasting system and digital television receiver. His research interests include HDTV, middleware, and conditional access system. Shibao Zheng graduated from Xidian University in 1986 and received B.S. degree. From 1986 to 1999, he was an expert of important project in HDTV of China. From 2000, he worked in Institute of Image Communication and Information Processing of Shanghai Jiao Tong University as a professor. His general research interests include DTV, multimedia in network and ASIC design. Baofeng Liu received the B.S. and M.S. degrees in instrument and signal processing engineering from Harbin Institute of Technology, Harbin, P.R China, in 1998 and 2000 respectively. He is currently working for the Ph.D. degree in electronic engineering at the Institute of Image Communication and Information Processing of Shanghai Jiao Tong University, Shanghai, P. R. China. His general research interests include DTV, multimedia security and copyright protection.