multimedia data encryption via random rotation in ... - IEEE Xplore

Multimedia Data Encryption via Random Rotation in Partitioned Bit Streams

Dahua Xie and C.-C. Jay Kuo
Integrated Media Systems Center and Department of Electrical Engineering, University of Southern California, Los Angeles, CA 90089-2564

Abstract— A new method to encrypt a compressed multimedia bit stream, which is the output of any compression system using an entropy coder in the last stage, is proposed in this research. The basic idea is to partition a coded bit stream into random-sized blocks and perform a random rotation in each block. The proposed encryption scheme demands low computational overhead and does not increase the size of compressed bit stream. Security analysis to both the ciphertext-only attack and the known/chosen-plaintext attack shows that the proposed algorithm achieves high security.

0-7803-8834-8/05/$20.00 ©2005 IEEE.

I. INTRODUCTION

Advanced multimedia compression techniques and the wide availability of high-bandwidth networks have contributed to the exploding growth of multimedia applications recently. As a consequence, multimedia data security has emerged as an important research topic, receiving more and more attention in both academia and industry. One fundamental problem in multimedia data security is multimedia data confidentiality, which protects multimedia content from being accessed by unauthorized parties. Due to the astronomical size of multimedia data and processing speed requirements in real-time applications, traditional cryptographic ciphers tend to add a significant amount of overhead in achieving the encryption goal. An efficient yet secure multimedia data encryption algorithm that meets the stringent performance requirements imposed by real-time multimedia applications is desirable and will be the focus of our current work.

Most previous research was based on the idea of selective encryption. The work can be classified into two categories. The first one works in the compressed domain, which encrypts a chosen subset of coefficients in this domain, in the hope that these encrypted parts would be critical to the semantic meaning of the content. The resulting schemes encrypted the magnitude and the sign of selected DCT coefficients and the motion vectors [1],[2],[3],[4]. The second category performs selective encryption in the bit stream domain [5]. A promising new direction in this field is to embed encryption into entropy coding using random change of multiple coding parameters [6] [7]. This approach has the salient feature of very low computation overhead while achieving a high security.

In this paper, we propose another method to encrypt the compressed bit stream by adding enough randomness to the bit stream creation process. Security analysis to both the ciphertext-only attack and the known/chosen-plaintext attack is performed. Simply speaking, the redundancy-free nature of the bit stream ensures the security of this scheme to the ciphertext-only attack. The resistance to known/chosen-plaintext attack is enhanced due to large number of alias keys that encipher the same plaintext to the same ciphertext. The resulting algorithm is very efficient and maintains high security strength.

The rest of paper is organized as follows. In Section II, we describe the main idea and present a novel bit stream encryption scheme. Security analysis of our scheme under common attacks is provided in Section III. Finally, concluding remarks are given in Section IV.

II. PROPOSED ENCRYPTION ALGORITHM

A. Properties of Coded Bit Streams

Before addressing the issue of designing an efficient encryption algorithm, let us first take a close look at the generation process of a bit stream so as to understand its structure better. The general workflow of most image/video compression algorithms is as follows. Input video frames first go through several processing steps, mainly motion search, transform coding (DCT), and quantization. The results of these processing steps, such as quantized DCT coefficients and motion vectors, are often called quantities (or parameters) in the compressed domain. To further reduce the data size, these parameters enter an entropy coder, where they are converted to a consecutive 0-1 binary string called the bit stream.

A bit stream has the following two important characteristics. First, it contains little redundancy. The operations in the beginning stages such as motion search, DCT transform and quantization have already removed a significant amount of redundancies in each individual frame and between successive frames. The resultant parameters are compressed furthermore by an entropy coder, which helps to squeeze out remaining redundancy.
Thus, we can treat a bit stream as a statistically random 0-1 binary string (though not in the strictest sense). Second, a bit stream is always uniquely decodable and there should be no strong statistical correlations between the compressed domain parameters. This is again due to the fact that these parameters are almost redundancy-free. For instance, given DCT coefficients of a particular 8x8 block, it does not help much to guess the values of neighboring blocks. In summary, a bit stream can be viewed as statistically random with its compressed domain parameters nearly correlation-free. This property has been confirmed by previous study on the statistical behavior of MPEG bit streams [5].

This bit stream structure suggests a mechanism to design an efficient bit stream encryption scheme. That is, in order to protect the underlying video content, it is not necessary to perform heavyweight secret key encryption algorithms to encrypt the bit stream as done in [5]. Instead, we may use simple yet efficient techniques to add enough randomness to the target bit stream to achieve the encryption effect.

B. Random Rotation in Partitioned Blocks

Our idea is to exploit the order of bits in the entire bit stream. By default, the 0-1 bits output from the entropy coder are sequentially concatenated to form the bit stream. Here, we propose two techniques to encrypt the bit stream. First, the 0-1 output bits are grouped into blocks of a random size. Second, we alter the order of individual bits in each of these blocks before they are written into the bit stream. Both the length of bit blocks and the change of order will be selected according to a random sequence, which becomes the encryption key.

Many operations can be used to alter the bit order in a block. A permutation on all bits shuffles the bit order most thoroughly but it requires a lot of computation. To reduce the complexity and facilitate the bit stream formation, we restrict the bit manipulation to a simple left rotation. For a block of n bits $A = (a_1 a_2 \ldots a_n)$, an r-bit left rotation transforms A into $(a_{r+1} a_{r+2} \ldots a_n a_1 a_2 \ldots a_r)$ by cutting the first r bits and putting them at the end of A. The main reason to use this simple operation is that it can be easily merged into the algorithm that prepares the bit stream for the final output, thus adding minimum computation overhead. Second, although left rotation is a trivial operation, our analysis in Sec. III shows that combined with random partition, it leads to an attack complexity exponential in the size of encrypted bit stream.
We can express the above concept mathematically as follows.

Definition 1: Let $A = (a_1 a_2 \ldots a_N)$ be a bit stream of N bits. The (p, r) rotation in partition of A, denoted $RPB(A, p, r)$ with $p = (p_1 p_2 \ldots p_m)$ and $r = (r_1 r_2 \ldots r_m)$, is obtained by the following 2 operations.
1) partition A into m blocks $A_i$ with length $p_i$, $i = 1, 2, \ldots, m$, $\sum_{i=1}^{m} p_i = N$
2) perform an $r_i$-bit left rotation on each component block $A_i$, $i = 1, 2, \ldots, m$

Our encryption scheme enciphers a bit stream A into $RPB(A, p, r)$ with the partition key p and rotation key r. The component $p_i$'s and $r_i$'s are obtained from a pseudo-random bit sequence, which can be easily generated by a pseudo-random bit generator (or a stream cipher). For ease of processing, we impose an upper bound on $p_i$, requiring that $p_i < 2^b$ for some positive integer b. The detailed encryption algorithm is described below.

“Random Rotation in Partitioned Block” Encryption

1) Select a secure pseudo-random bit generation algorithm. Generate a random number s as the seed. The output sequence z is grouped into b-bit blocks to produce a random number in the range $0 \sim 2^b - 1$.
2) Obtain two random numbers p and r from z. Scale r into range $0 \sim p$ by computing $r = \left\lfloor \frac{p \times r}{2^b - 1} \right\rfloor$
3) Save the first r bits output from entropy coding.
4) Accumulate next p − r bits output and append the r bits in Step (3) to the end.
5) Write the block of p bits obtained in Step (4) to the final bit stream.
6) Go to Step (2) until no more bits are output from entropy coding. Update the random sequence z when it is used up.

The secret seed s is the encryption key and $A' = RPB(A, p, r)$ is the ciphertext bit stream. On the receiving side, sequence z with component partition key p and rotation key r can be generated using the same encryption key. It is readily checked that operation $RPB(A', p, p - r)$ recovers the plaintext bit stream A.

III. SECURITY AND PERFORMANCE ANALYSIS

To evaluate the security strength of the encryption scheme proposed in Sec. II, we consider two types of attacks; namely, ciphertext-only attack and known/chosen-plaintext attack. For the ciphertext-only attack, the amount of computation required to break the proposed algorithm is estimated. For the known/chosen-plaintext attack, we describe the effect of alias keys and show how they can help resist the attack. Finally we discuss several performance issues such as computation efficiency and impact to compression ratio.

A. Security under ciphertext-only attack

In a ciphertext-only attack, the cryptanalyst has only certain ciphertexts available for analysis. In the previous section, we mentioned that the bit stream is a random binary sequence without much statistical irregularity and the compression domain parameters are almost correlation-free. Thus, an attack would have to resort to a brute-force exhaustive search.
In this case, the computational complexity is closely related to the total number of possible random rotations in possible partitions $RPB(A, p, r)$ for a given bit stream A of length N. We have the following conclusion.

Lemma 1: For a ciphertext bit stream of N bits, the complexity of an exhaustive search to break the random rotation in partition encryption is larger than $2^N$.

Proof: Let $A = (a_1 a_2 \ldots a_N)$ be a given N-bit bit stream. We use R(N) to denote the total number of all possible rotations in partitions $RPB(A, p, r)$ of A, each one of which corresponds to a different way to partition and rotate the bit stream A. Apparently R(1) = 1 and we define R(0) = 1 for the ease of notation. Clearly, an N-bit plaintext can be encrypted in R(N) possible ways. On the other hand, since partition and rotation are 1-to-1 reversible operations, an N-bit ciphertext can also be decrypted in R(N) possible ways. The complexity of an exhaustive search thus equals R(N). While an exact expression of R(N) may be difficult to obtain, we derive a recursive equation of R(N) and establish that $R(N) > 2^N$ for N ≥ 6 in appendix I. Thus, we conclude that the complexity of exhaustive search exceeds $2^N$, where N is the length of the ciphertext bit stream.

As the above lemma shows, random rotation in partition has a very nice property that the total number of possible encryptions grows exponentially with the size of bit stream. This would thwart any brute-force attack if the bit stream is long enough. For instance in the state-of-the-art video compression standard such as H.264, it would cost no less than 1 ∼ 2 kilo-bits to encode a CIF-size (352x288) video frame. It is thus practically impossible to perform an exhaustive search attack.

B. Security under known/chosen-plaintext attack

Under the known-plaintext attack, the cryptanalyst has several plaintext/ciphertext pairs to study. The goal is to discover partition p and rotation r used to encrypt the data. In this case, the cryptanalyst has certain advantages over the ciphertext-only attack since the comparison of the plaintext with the corresponding ciphertext reveals some important key information or even allows the guess of the correct key. However, the random rotation in partition encryption bears another nice property. For a given plaintext/ciphertext pair, there exists more than one key that enciphers the same plaintext to the same ciphertext. We call these keys alias keys. But only one of them is the correct key. Let us consider an illustrative example:

plaintext: $A = (01011101)$
ciphertext: $A' = (00111011)$
key 1: $p_1 = (1, 7)$, $r_1 = (0, 1)$
key 2: $p_2 = (3, 4, 1)$, $r_2 = (2, 1, 0)$

It can be easily verified that both keys 1 and 2 convert the plaintext A into the same ciphertext A'. They are thus an example of alias keys.
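The encryption steps of Sec. II-B and the alias-key pair above, worked through as an added Python example (not code from the paper). SHAKE-256 as the bit generator, skipping a zero draw for p, clipping the final block to the end of the stream and integer floor in the scaling of r are assumptions made here; the function names are hypothetical.

```python
import hashlib

def rotl(block, r):
    """r-bit left rotation: (a1 .. an) -> (a_{r+1} .. an a1 .. ar)."""
    if not block:
        return block
    r %= len(block)
    return block[r:] + block[:r]

def rpb(bits, p, r):
    """RPB(A, p, r): cut `bits` into blocks of lengths p, rotate block i left by r[i]."""
    if len(p) != len(r) or sum(p) != len(bits):
        raise ValueError("p and r must pair up and p must sum to len(bits)")
    out, pos = [], 0
    for p_i, r_i in zip(p, r):
        out.append(rotl(bits[pos:pos + p_i], r_i))
        pos += p_i
    return "".join(out)

def rpb_inverse(bits, p, r):
    """Decrypt with RPB(A', p, p - r), as stated after step 6."""
    return rpb(bits, p, [p_i - r_i for p_i, r_i in zip(p, r)])

def draws(seed, b):
    """Yield b-bit integers cut from the sequence z.
    ASSUMPTION: z is SHAKE-256(seed || counter); the paper names no generator."""
    counter = 0
    while True:
        chunk = hashlib.shake_256(seed + counter.to_bytes(8, "big")).digest(64)
        z = "".join(f"{byte:08b}" for byte in chunk)
        for i in range(0, len(z) - b + 1, b):   # leftover bits of a chunk are dropped
            yield int(z[i:i + b], 2)
        counter += 1

def derive_key(seed, n_bits, b=6):
    """Expand the seed s into partition key p and rotation key r for n_bits bits."""
    z, p, r, left = draws(seed, b), [], [], n_bits
    while left > 0:
        p_i, r_raw = next(z), next(z)           # step 2: two numbers in 0 .. 2^b - 1
        if p_i == 0:
            continue                            # ASSUMPTION: skip an empty block
        p_i = min(p_i, left)                    # ASSUMPTION: clip the final block
        p.append(p_i)
        r.append(p_i * r_raw // (2**b - 1))     # scale r into 0 .. p (floor assumed)
        left -= p_i
    return p, r

# The plaintext/ciphertext pair and both alias keys are the ones printed in the paper.
PLAIN, CIPHER = "01011101", "00111011"
KEY_1 = ([1, 7], [0, 1])
KEY_2 = ([3, 4, 1], [2, 1, 0])

def alias_keys_agree():
    return rpb(PLAIN, *KEY_1) == CIPHER and rpb(PLAIN, *KEY_2) == CIPHER

def round_trip(seed=b"constructed-seed", b=6):
    stream = f"{0xC0FFEE1234ABCDEF:064b}" * 3   # constructed 192-bit sample stream
    p, r = derive_key(seed, len(stream), b)
    cipher = rpb(stream, p, r)
    return rpb_inverse(cipher, p, r) == stream and len(cipher) == len(stream)

if __name__ == "__main__":
    print("alias keys agree:", alias_keys_agree())
    print("round trip ok:", round_trip())
```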
The cryptanalyst cannot distinguish which key is correct by simply observing the values of p and r. We stress that the concept of alias keys is associated with a particular ciphertext (assuming a fixed plaintext). Two alias keys for one ciphertext may not be alias keys for another ciphertext. Discussion on alias keys is not meaningful without the context of one particular plaintext/ciphertext pair.

Under the known/chosen-plaintext attack, the security of the RPB encryption relies on the total number of alias keys for a plaintext/ciphertext pair. We have the following lemma about the number of alias keys for a general plaintext A.

Lemma 2: Let $A = (a_1 a_2 \ldots a_N)$ be a stream of N bits containing Z 0's and $Alias(A, C)$ denote the number of alias keys for the plaintext/ciphertext pair (A, C). Then, there exists a ciphertext A' such that

$$Alias(A, A') > \frac{2^N}{\binom{N}{Z}} \tag{III.1}$$

In a statistically average sense, a random plaintext A contains half 0's (Z = N/2). When the plaintext length N is large enough, we have

$$Alias(A, A') > \sqrt{\pi N/2} \tag{III.2}$$

Lemma 2 establishes the existence of alias keys for any plaintext A. The quantity $\sqrt{\pi N/2}$ is however a conservative estimate of the number of alias keys. We consider the statistical average, and use A(N) to denote the average number of alias keys for a general N-bit plaintext. Our analysis shows that the size of A(N) grows exponentially with the ciphertext length N as described in the following lemma.

Lemma 3: $A(N) \sim c^N$ for sufficiently large N, where c > 1 is a constant.

Thus, we arrive at the conclusion that the computational complexity of a known/chosen-plaintext attack grows exponentially with the ciphertext length N since a cryptanalyst has to examine A(N) possible alias keys to find out the correct key. Due to space limitation proofs of Lemma 2 and 3 are omitted.

C. Performance evaluation

The performance of the proposed encryption scheme is discussed below.

1) encryption cost
The proposed encryption scheme does not perform actual cryptographic operations on the bit stream. Instead, we just select bit blocks of a random size and delay their writing in the bit stream by a random amount. It can be easily implemented with the following trivial modification to the process of bit stream writing. First, save the chosen r-bit block. Next, continue to write p − r bits to the bit stream. Finally, write the saved r-bit block to the bit stream. In many practical implementations, an output buffer is used to collect a large chunk of bits before they are written to the bit stream in one stroke. In this case, we just fill the buffer according to the above-mentioned modification. Thus, our algorithm incurs negligible computational overhead.
2) comparison with stream cipher
The proposed RPB encryption is similar to a stream cipher in that a stream cipher or a pseudo-random bit generator is used to produce the random partition key and rotation key. Since the XOR operation in a stream cipher costs only one CPU instruction, one may argue that it might not be worth the effort to apply the new scheme due to a small computational gain. However, a stream cipher is known to be vulnerable under the known-plaintext attack. That is, one plaintext/ciphertext pair suffices to reveal the pseudo-random sequence. In contrast, the proposed encryption algorithm can resist known/chosen-plaintext attack due to the huge number of alias keys.

3) impact to compression ratio
Our algorithm has no influence on the compression ratio of the associated multimedia compression system. The encryption only alters the order of certain bit blocks.


The size of encrypted bit stream is exactly the same as that of original bit stream without encryption.

IV. CONCLUSION

A novel method to encrypt the compressed multimedia bit stream called the random rotation in partition encryption was proposed. The new scheme adds low computational overhead and can be effortlessly embedded into the operation of writing the bit stream. The redundancy-free nature of the bit stream ensures the security of this scheme to the ciphertext-only attack. The resistance to known/chosen-plaintext attack is enhanced due to large number of alias keys (exponential with ciphertext length) that encipher the same plaintext to the same ciphertext.

APPENDIX I
PROOF OF LEMMA 1

Let $A = (a_1 a_2 \ldots a_N)$ be an N-bit bit stream. We denote by R(N) the total number of possible rotations in partitions $RPB(A, p, r)$ of A. Assume B is the maximum block size allowed in partitioning A. Notice that this restriction implies any rotation in partition cannot start with bit beyond $a_B$. Thus, all R(N) possible rotation in partition $RPB(A, p, r)$ can be classified into the following B categories.
1) those starting with $a_1$;
2) those starting with $a_2$;
...
B) finally, those starting with $a_B$.

We denote the total number of each category by $R_1(N), R_2(N), \ldots, R_B(N)$. Note this classification is mutually-exclusive and all-inclusive, meaning that any possible resultant bit stream $A' = RPB(A, p, r)$ must belong to one and only one of the above categories. Thus, we have

$$R(N) = \sum_{i=1}^{B} R_i(N) \tag{I.1}$$

Now let us look at each of the above categories. In category 1), $a_1$ is fixed and we are left with N − 1 bits after $a_1$ which we can freely partition and rotate. Thus $R_1(N) = R(N - 1)$. In category 2), it must be true that the first 2 ≤ k ≤ B bits are chosen as a block and a 1-bit left rotation is performed. This is the only way A' can start with $a_2$. If k = 2 (A' starts with $a_2 a_1$), we have N − 2 bits left over and total number of possible rotation in partition is clearly R(N − 2). k = 3 (A' starts with $a_2 a_3 a_1$) corresponds to R(N − 3). Finally for k = B we have the number R(N − B). Notice that this classification with different values of k is again mutually-exclusive and all-inclusive. Hence we end up with:

$$R_2(N) = \sum_{k=N-B}^{N-2} R(k)$$

Continuing the same line of reasoning we have the following equation:

$$R_i(N) = \sum_{k=N-B}^{N-i} R(k)$$

Finally, summing up $R_i(N)$, we arrive at

$$\begin{aligned} R(N) &= \sum_{i=1}^{B} R_i(N) \\ &= R(N-1) + \sum_{i=2}^{B} \sum_{k=N-B}^{N-i} R(k) \\ &= R(N-1) + \sum_{k=N-B}^{N-2} (N-1-k)\, R(k) \end{aligned} \tag{I.2}$$

Rearranging the terms of the above equation, we obtain another recursive relationship of R(N):

$$R(N) = 2R(N-1) + \sum_{k=N-B}^{N-3} R(k) \tag{I.3}$$

If we define the following recursive sequence

$$S(N) = \begin{cases} 2S(N-1) & N > 0 \\ 1 & N = 0 \end{cases}$$

the solution is apparently $S(N) = 2^N$. From the above definitions of R(N) and S(N), it is clear that if $R(N_0) > S(N_0)$ for some $N_0$, then R(N) > S(N) for all $N > N_0$. Now, it is readily checked that R(6) = 65 > S(6) = 64. Thus, we come to the conclusion that $R(N) > 2^N$ for N ≥ 6. This completes the proof.

ACKNOWLEDGMENT

This research has been funded in part by the Integrated Media Systems Center, a National Science Foundation Engineering Research Center, Cooperative Agreement No. EEC9529152. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.

REFERENCES

[1] L. Tang, "Methods for encryption and decrypting MPEG video data efficiently," Proceedings of the 4th ACM International Conference on Multimedia, Boston, MA, Nov 18-22, pp. 219-230, 1996.
[2] C. Shi and B. Bhargava, "A fast MPEG video encryption algorithm," Proceedings of the 6th ACM International Conference on Multimedia, Bristol, UK, Sep 1998.
[3] C. Shi, S.-Y. Wang and B. Bhargava, "MPEG video encryption in real-time using secret key cryptography," 1999 International Conference on Parallel and Distributed Processing Techniques and Applications (PDPTA'99), Las Vegas, NV, Jun 28 - Jul 1, 1999.
[4] W. Zeng and S. Lei, "Efficient frequency domain digital scrambling for content access control," Proc. ACM Multimedia 99, pp. 285-294, Orlando, FL, Oct 1999.
[5] L. Qiao and K. Nahrstedt, "A new algorithm for MPEG video encryption," Proc. of the 1st international conference on imaging science, systems, and technology, Las Vegas, NV, Jul 1997.
[6] C. Wu and C.-C. J. Kuo, "Efficient Multimedia Encryption via Entropy Codec Design," SPIE international symposium on electronic imaging, San Jose, CA, Jan 2001.
[7] D. Xie and C.-C. J. Kuo, "Efficient multimedia data encryption based on flexible QM coder," Security, Steganography, and Watermarking of Multimedia Contents VI, Proc. of the SPIE, vol 5306, pp. 696-704, San Jose, CA, Jan 2004.
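Recursion (I.2) from Appendix I checked against direct enumeration, as an added Python example (not code from the paper). The enumeration counts the distinct bit orders, tracked by index, that some partition and rotation can produce; the function names are hypothetical, and (I.3) is evaluated only for the unbounded case B ≥ N.

```python
from functools import lru_cache

def count_recursive(N, B=None):
    """R(N) from (I.2); B is the maximum block size (default B = N, i.e. no limit)."""
    B = N if B is None else B

    @lru_cache(maxsize=None)
    def R(n):
        if n <= 1:
            return 1                                  # R(0) = R(1) = 1
        lo = max(0, n - B)                            # no terms for k < 0
        return R(n - 1) + sum((n - 1 - k) * R(k) for k in range(lo, n - 1))
    return R(N)

def count_by_i3(N):
    """R(N) from (I.3) with B >= N: R(N) = 2 R(N-1) + sum_{k=0}^{N-3} R(k), N >= 2."""
    R = [1, 1]
    for n in range(2, N + 1):
        R.append(2 * R[n - 1] + sum(R[:n - 2]))
    return R[N]

def reachable(indices, B):
    """Every distinct bit order produced by some partition (blocks <= B) and rotation."""
    if not indices:
        return {()}
    found = set()
    for size in range(1, min(B, len(indices)) + 1):
        head, tails = indices[:size], reachable(indices[size:], B)
        for r in range(size):
            rotated = head[r:] + head[:r]             # r-bit left rotation of the block
            found.update(rotated + tail for tail in tails)
    return found

def count_brute_force(N, B=None):
    """Count the distinct outputs for bit positions 1..N by enumeration."""
    return len(reachable(tuple(range(1, N + 1)), N if B is None else B))

def first_n_exceeding_power_of_two(limit=12):
    """Smallest N with R(N) > 2^N, the N0 used at the end of the proof."""
    return next(N for N in range(limit + 1) if count_recursive(N) > 2**N)

if __name__ == "__main__":
    for N in range(9):
        print(N, count_recursive(N), count_brute_force(N), 2**N)
```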
