Research Article
Digital Video Encryption Algorithms Based on
Correlation-Preserving Permutations
Daniel Socek,1 Spyros Magliveras,2 Dubravko Ćulibrk,1 Oge Marques,1 Hari Kalva,1 and Borko Furht1
1 Department of Computer Science and Engineering, Florida Atlantic University, Boca Raton, FL 33431, USA
2 Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431, USA
A novel encryption model for digital videos is presented. The model relies on the encryption-compression duality of certain types
of permutations acting on video frames. In essence, the proposed encryption process preserves the spatial correlation and, as such,
can be applied prior to the compression stage of a spatial-only video encoder. Several algorithmic modes of the proposed model
targeted for different application requirements are presented and analyzed in terms of security and performance. Experimental
results are generated for a number of standard benchmark sequences showing that the proposed method, in addition to providing
confidentiality, preserves or improves the compression ratio.
Copyright © 2007 Daniel Socek et al. This is an open access article distributed under the Creative Commons Attribution License,
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
frame rate, bit rate, and buffer size), and the ISO end code. Bhargava et al. [3] proposed to encrypt only the sign bits of the DCT coefficients and differential values of motion vectors in P- and B-frames of MPEG video. In the approach by Li et al. [4], only the fixed length coded (FLC) data elements of a video stream are encrypted. However, the following security issues regarding selective encryption have been identified: (1) encrypting only I-frames of a video sequence does not provide enough security against ciphertext-only attacks, since the unencrypted B- and P-frames can reveal partially visible information [5]; (2) neither encrypting the sign bits nor encrypting multiple significant bits of the DCT coefficients is secure enough against ciphertext-only attacks utilizing the unencrypted bits [6]; (3) if all encrypted DCT coefficients are set to fixed values, it is possible to recover a rough view of the plaintext frame [7, 8]. In addition, many selective approaches require modification to both the standard encoder and decoder, and a number of approaches result in a format-defiant video stream.
The second type of algorithms uses a nonconventional full encryption methodology, where the encryption is performed on the entire bitstream using a nonconventional encryption algorithm. Most of these algorithms are targeted for speed. Methods relying on fast chaotic maps are promising due to their fast performance. Although many chaotic encryption approaches were shown to be insecure, there are chaotic encryption algorithms that, to date, remain unbroken, such as the method of Li et al. [9]. An excellent overview of these approaches, along with their comparative security analysis, is presented in [10, 11]. There are a few recently proposed fast, hardware-friendly full encryption methods that are based on a class of neural networks [12]. However, these methods were later shown to be less secure than originally anticipated [13]. There are also nonconventional full approaches based on other mathematically hard problems, but most of them have been shown insecure due to oversimplification. For example, Yi et al. [14] proposed a new fast encryption algorithm for multimedia (FEA-M), which bases the security on the complexity of solving nonlinear Boolean equations. The scheme was shown insecure against several different attacks [15, 16]. In addition to questionable security, most nonconventional full encryption approaches are applied after encoding, which does not support format compliance requirements. Also, many of these algorithms have become obsolete in recent years after the wide adoption of the advanced encryption standard (AES), which offers much faster performance in comparison to the previous conventional cryptosystems, including the data encryption standard (DES).
An approach to video encryption where the encryption step occurs before encoding is attractive since many of the application requirements are inherently supported. However, most encryption algorithms tend to randomize the source data and thus negatively affect the compression performance of an encoder. The first attempt at creating an encryption scheme that preserves the compressibility of the source was made by Pazarci and Dipçin [17], in which the encryption occurs in the RGB color space using four secret linear transforms before the video is compressed by the MPEG-2 encoder. However, in [4] it was shown that the scheme is not secure against brute-force attacks, since the search complexity is estimated at a computationally feasible number of possibilities, and that the scheme is not secure against known/chosen-plaintext attacks. Also, the scheme by Pazarci and Dipçin necessarily produces a perceivable output with degraded quality and does not offer a mode where the output encrypted video is nonperceivable.
An encryption scheme of much stronger security based on permutations of video frames was proposed in [18], and in this work we extend this approach to a family of algorithms that can be used for a variety of video applications. The scheme from [18] is based on the correlation-preserving “almost sorting” permutations which are derived from the previous frames. The proposed methodology is based on the fact that both sorting and “almost sorting” permutations can serve to preserve or improve the compressibility of frames, and at the same time to disguise the frames into a nonperceivable form. This duality represents the main principle upon which our proposed algorithms rely.
The rest of the paper is organized as follows. Section 2 introduces permutations and examines their dual role in the areas of data compression and data encryption. The proposed video encryption algorithms based on permutation transformations are presented in Section 3, while in Section 4 a thorough security analysis is performed. Experimental results showing the performance of the proposed algorithms are given in Section 5. Finally, Section 6 presents our conclusions and ideas for future work related to this research.
2. DUALITY OF PERMUTATIONS
Permutation-based transformations are basic building blocks for many compression and encryption techniques. However, the dual use of these transformations has not been extensively studied. In this work we analyze the compression-encryption duality of permutations and develop actual methodologies for the dual use of certain permutation-based transformations in the domain of digital video compression and encryption. To set the stage for the later discussion, some preliminary definitions are established next.
2.1. Permutations on sequences
A video frame can be represented as a one-dimensional finite sequence using raster scan order. A permutation of a finite sequence $s$ is a bijection from $s$ onto itself. A permutation $P$ is often represented by its Cartesian form or brackets form denoting the indices for the rearrangement of $s$:
$$P = [\, i_1 \; i_2 \; \cdots \; i_n \,], \tag{1}$$
where $i_j$, $1 \le j \le n$, is a sequence of $n$ unique indices of elements of $s$, and $n$ is the size of $s$. The family of all permutations on a sequence of size $n$ forms an algebraic group under functional composition, denoted by $S_n$. $P$ is called a sorting permutation of $s$ if it rearranges $s$ in ascending order. We use $s_1^{f_1}, \dots, s_k^{f_k}$ to denote the histogram of $s$, where $s_1, \dots, s_k$
Daniel Socek et al. 3
are the distinct elements of $s$ in ascending order and $f_i$ is the frequency of element $s_i$.
Theorem 1. If the histogram of a finite sequence $s$ is $s_1^{f_1}, \dots, s_k^{f_k}$, then there are exactly $f_1! \times \cdots \times f_k!$ sorting permutations of $s$.
Proof. Let $P$ be a sorting permutation of $s$. The indices corresponding to the positions of $s_1$ appear in the first $f_1$ places of the Cartesian form of $P$, the indices of $s_2$ appear in the next $f_2$ places, and so on. Thus, one can partition $P$ into $k$ segments of indices of sizes $f_1, \dots, f_k$, and rearranging the indices within each segment results in another sorting permutation of $s$, since the indices correspond to the same values. At the same time, exchanging elements across segments disrupts the ascending order of the resulting rearrangement of $s$, and the corresponding permutation is not a sorting permutation. Since there are $f_i!$ ways of rearranging the indices of the $i$th segment of the Cartesian form of $P$, there are exactly $f_1! \times f_2! \times \cdots \times f_k!$ sorting permutations of $s$.
Thus, if a frame $F$ is of dimension $w \times h$, rearrangements of pixel values from $F$ are achieved when permutations from $S_{w \times h}$ act on the corresponding raster scan sequence. If $F$ has $k$ colors, and $f_1, \dots, f_k$ are the frequency values of the color histogram of $F$, then according to Theorem 1 there are $f_1! \times \cdots \times f_k!$ permutations in $S_{w \times h}$ that sort frame $F$.
2.2. Permutations and compression
Permuting a sequence affects the correlation of the neighboring samples. If a random permutation acts on a sequence, the correlation of the neighboring samples is likely destroyed and the compressibility is decreased. On the other hand, if a sorting permutation acts on a sequence, the sample-to-sample correlation of the symbols is the best possible, and the result is thus very suitable for run-length encoding (RLE) and similar compression primitives that exploit such correlation.
Many compression algorithms that assume neighboring sample correlation in the source, such as image and video coding methods, are likely to take advantage of the sorted signal and produce very good compression. Figure 1 illustrates how the compressibility of a natural image changes dramatically when pixel values are rearranged according to either a random permutation or a sorting permutation.
2.2.1. Compressing a sorting permutation
Even though certain permutations, such as sorting permutations, can affect the compression of source data in a positive way, compression of the permutation itself is usually not efficient. If a permutation $P$ of degree $n$, that is, $P \in S_n$, is to be transmitted, an obvious way is to represent $P$ as a sequence of length $n$, consisting of unique $\log_2 n$-bit indices corresponding to the Cartesian form of $P$. The total transmission cost is in that case $n \log_2 n$ bits. If an ordering of permutations from $S_n$ is fixed, such as the lexicographic ordering, each permutation has its own index according to that ordering. For permutations with small indices, transmitting the index itself could be more efficient, but in the worst case the cost of this transmission is $\log_2 (n!)$ bits. This approach is analogous to a fixed dictionary compression approach. Unfortunately, sorting permutations of a natural image usually do not have a lexicographically small enough index to compress well. Furthermore, for frames with a $k$-bit color palette, where $k < \log_2 n$, it is cheaper to send an uncompressed frame ($nk$ bits), from which the sorting permutation can be calculated, than to directly transmit the sorting permutation using $n \log_2 n$ bits.
Thus, directly compressed source data is usually smaller in size than compressed permuted source data plus the compressed permutation that is used to recover the original order of the source. If efficient compression can be performed on the source data, which is the case for natural images and video frames, it is likely that the cheapest way to transmit a sorting permutation is to transmit the compressed source, from which the receiver can calculate the sorting permutation after uncompressing the received data. This is the rationale used in the proposed algorithms.
2.3. Role of permutations in data compression
Permutation-based transformations have been considered as a compression primitive in the past. In [19], Burrows and Wheeler introduced one such transformation, which is referred to as the Burrows-Wheeler transformation (BWT). The authors presented an approach called the block sorting lossless data compression algorithm, which combined BWT with move-to-front coding and a standard compressor such as Huffman coding or arithmetic coding. The algorithm reportedly achieves compression rates similar to those of content-based lossless methods, but at execution times comparable to those of fast general-purpose lossless compressors, such as Ziv-Lempel techniques. The work by Burrows and Wheeler was further investigated and improved by Deorowicz [20]. Using the concept of permutation codes, Arnavut and others also studied applications of permutations and permutation codes to the compression of digital images [21]. According to a study by Arnavut and Otu, good compression is achieved when BWT is used in lossless compression of color-mapped images where pixel values represent indices that point to color values in a look-up table [21]. In [22], Arnavut and Magliveras introduced the lexical permutation sorting algorithm (LPSA), a more generalized version of BWT which has better performance than BWT when transmitting permutations.
Sample reordering is used in many transform-based image and video coding methods. Specifically, in JPEG- and MPEG-type image and video compression, a special reordering (permutation) is used to reorder transform coefficients (e.g., DCT coefficients) in a fixed order that allows for more efficient symbol entropy coding. Although some alternate reorderings exist for certain applications, the best performance on average is expected when the coefficients are permuted according to a zigzag ordering.
2.4. Permutations and encryption
Permutations are used extensively as an encryption primitive in modern symmetric-key cryptography. In addition, there is a significant number of permutation-only encryption
4 EURASIP Journal on Information Security
Figure 2: Block diagram of an approach where encryption occurs before video encoding (compression).
algorithms proposed for both analog and digital image and video encryption.
In most modern symmetric-key cryptosystems, permutations are used for data diffusion. Systems such as AES or DES are essentially substitution-permutation networks (S-P networks for short), where permutation transformations are employed in every round. In fact, most symmetric-key block ciphers rely on permutations of symbols (e.g., bits) in order to provide data diffusion [23]. In addition, there are cryptosystems based solely on transformations that use permutation groups. For instance, the cryptosystem PGM (permutation group mapping) is based on logarithmic signatures of finite permutation groups [24].
Permutations are extensively used in analog video encryption. Techniques such as scan line shuffling [25] or pixel position shuffling [26–28] represent common approaches for analog video encryption. Similarly, in the digital video encryption domain, secret permutations are widely used to shuffle the positions of pixels [29], but also to shuffle DCT/wavelet coefficients [30, 31], Huffman table codewords [3], and even blocks or macroblocks [32]. These algorithms are based solely on secret permutations that are generated by a secret key.
Video encryption algorithms based solely on secret permutations often receive harsh criticism. In [32] it is pointed out that these algorithms are inherently and necessarily insecure against several types of cryptanalysis, including known-plaintext, chosen-plaintext, and chosen-ciphertext attacks. The authors even discuss cryptanalytic techniques that are universally applicable to all permutation-only encryption algorithms. While the methods proposed in this work technically belong to this category of algorithms, there is a crucial difference between the algorithms proposed here and the previously proposed permutation-only encryption algorithms. In Section 4 it is discussed in detail why this difference makes the proposed algorithms robust against the various attacks presented in [32].
3. CORRELATION-PRESERVING VIDEO ENCRYPTION
Most encryption algorithms have a randomization effect on the source data and, as such, cannot be effectively applied before the compression stage. In this section we present a set of encryption algorithms for spatial-only video coding based on permutation transformations that have a correlation-preserving property. Using these algorithms, one can perform encryption prior to video encoding, as illustrated in Figure 2.
The basic idea behind the permutation-based methodology for correlation-preserving video encryption is as follows. Sorted, as well as “almost sorted”, frames are strongly spatially correlated. Such permuted frames are in many instances even more compressible in terms of spatial-only coding than the original source frames. When a sorting permutation of the previous frame acts on the current frame, it produces what we refer to as an “almost sorted” frame. Transmitting a compressed frame from which the initial permutation can be computed is efficient. Once an initial permutation is transmitted through a secure channel, the sender uses it to “almost sort” the next frame. In Section 4 it is shown that, except in rare circumstances, a sorted or “almost sorted” frame can be safely sent through the regular, nonsecure channel. By calculating a sorting permutation of the received frame, the receiver uses it to recover the next frame, and so on. This way the spatial correlation within frames of a video sequence is expected to be preserved, if not improved, when
Algorithm 1: Modified recursive quicksort algorithm for computing the unique sorting permutation of a given frame.
static-camera low-motion sequences (e.g., video conferencing or telephony) and spatial-only video codecs (e.g., motion JPEG) are used.
3.1. Global system settings
The system is assumed to have two channels of communication (in a physical or abstract sense). ChR denotes a regular, nonsecure channel where all messages are plain and open to eavesdropping, while ChS denotes a secure channel that can also be eavesdropped, but whose messages are encrypted using a secure communication protocol based on a conventional cryptosystem such as AES. In our model, a video consists of one or more scenes and each scene consists of a sequence of frames $F_1, F_2, \dots, F_m$. A given frame is likely to have a large number of sorting permutations (see Theorem 1). The system must fix a method by which a unique sorting permutation is always selected for a given image. Algorithm 1 illustrates a method that we used for computing a unique sorting permutation for a given frame. This particular method is based on a modification to a recursive quicksort algorithm; however, a similar approach can be used with other sorting methods.
3.2. Basic algorithms
If $F$ is a frame of size $n$ = width of $F$ × height of $F$, let $P(F)$ be the frame obtained by permuting the elements of $F$ according to a permutation $P$ from $S_n$. The inverse of permutation $P$ is denoted by $P^{-1}$. For a given frame $F_i$, let $P_i$ denote the unique sorting permutation obtained by the modified quicksort method from Algorithm 1. The encoding of frame $F$ is denoted by $E(F)$, and $D(F)$ denotes the decoding of $F$. The basic algorithm for lossless video coding is described in Algorithms 2 and 3 (encryption and decryption, resp.). The algorithm for spatial-only lossless video encryption faithfully
Input: Encoded first frame $E(F_1)$ and encrypted encoded subsequent frames of a video sequence (or scene) $E(P_1(F_2)), \dots, E(P_{m-1}(F_m))$.
(1) Bob computes $D(E(F_1)) = F_1$ and obtains the permutation $P_1$.
(2) For each successive received frame $E(P_{i-1}(F_i))$, $i = 2, \dots, m$, Bob does the following:
    (a) Computes $D(E(P_{i-1}(F_i))) = P_{i-1}(F_i)$ and calculates $F_i = P_{i-1}^{-1}(P_{i-1}(F_i))$, where $P_{i-1}^{-1}$ is the inverse permutation of $P_{i-1}$;
    (b) Calculates the permutation $P_i$ of $F_i$.
corresponds to the model from Figure 2, where encryption completely precedes video encoding. This is achieved by creating “almost sorted” frames that are sent through the open channel ChR. In spatial-only lossless video encoding, adaptive dictionary-based compression primitives are often used to exploit neighboring pixel correlation prior to applying entropy coding. In particular, this technique is employed in animated GIF and motion PNG coding. Sorted and “almost sorted” data are well suited to this type of compression. Compression with a pixel prediction model such as the one used in motion JLS (lossless JPEG) also relies on the correlation between the currently encoded pixel and the pixels in its neighborhood. In motion JLS, for instance, a current pixel is predicted in raster order from the pixels directly above, diagonal to, and to the left of the current pixel. Sorted and “almost sorted” data are also suitable for this compression model.
A similar, but slightly different, approach to video encryption can be taken when dealing with lossy spatial-only video coding. However, to compensate for the loss of data and to prevent error propagation issues, “almost sorting” permutations must be calculated on the compressed frames, which results in a somewhat more involved encryption step. The algorithm (encryption and decryption) targeted for lossy video coding is depicted in Algorithms 4 and 5, respectively. This algorithm requires a compression stage as a preprocessing step to the encryption, so technically it does not exactly correspond to Figure 2. When compression is seen as a preprocessing step, the algorithm should still be considered a precompression encryption approach and, as such, inherently possesses desirable properties such as codec-standard compliance and format compliance.
In lossy transform-based coding of digital images and video frames, typically a block of pixels undergoes a transformation such as DCT or wavelet. For instance, this is the case with motion JPEG (M-JPEG) coding. The given block of pixels represents a small subimage of the image or frame, thus containing a set of two-dimensional neighboring pixels. In this setting sorted and “almost sorted” images and frames compress well. If the sorted and “almost sorted” data are grouped into blocks of the same size as that used in transform coding, the compression is further improved, as indicated by the example in Figure 3.
The computational complexity of the proposed method is very low at the decoder side for both lossless and lossy video coding, since the only additional computation that has to be performed involves the calculation of a sorting permutation. The method from Algorithm 1 used to calculate the unique sorting permutation of a given frame has a computational complexity of only O(N log N). Inverting or applying a permutation is equivalent to a table lookup.
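The lossless scheme described above can be sketched in a few lines of Python. This is a minimal illustration under stated assumptions, not the authors' implementation: frames are flat raster-scan lists of pixel values, the codec pair E and D is omitted because lossless coding returns the input exactly, and the unique sorting permutation is obtained with Python's stable `sorted` (ties broken by index) rather than the modified quicksort of Algorithm 1. The function names are hypothetical.

```python
def sorting_permutation(frame):
    """Return one fixed sorting permutation of a raster-scanned frame.

    perm[j] is the index in `frame` of the pixel that lands at position j.
    Ties are broken by original index, so the result is unique.
    """
    return sorted(range(len(frame)), key=lambda i: (frame[i], i))


def apply_permutation(perm, frame):
    """Compute P(F): position j receives frame[perm[j]]."""
    return [frame[i] for i in perm]


def apply_inverse(perm, permuted):
    """Compute P^{-1}(G) by scattering each value back to its source index."""
    restored = [None] * len(perm)
    for j, i in enumerate(perm):
        restored[i] = permuted[j]
    return restored


def encrypt_scene(frames):
    """Sender: F_1 is kept as is (it travels over ChS), F_i becomes P_{i-1}(F_i)."""
    out = [list(frames[0])]
    for prev, cur in zip(frames, frames[1:]):
        out.append(apply_permutation(sorting_permutation(prev), cur))
    return out


def decrypt_scene(received):
    """Receiver: recover F_i from P_{i-1}(F_i) using the previously recovered frame."""
    frames = [list(received[0])]
    for permuted in received[1:]:
        perm = sorting_permutation(frames[-1])
        frames.append(apply_inverse(perm, permuted))
    return frames


if __name__ == "__main__":
    scene = [[5, 1, 4, 1, 3, 5], [5, 1, 4, 2, 3, 5], [6, 1, 4, 2, 3, 5]]
    sent = encrypt_scene(scene)
    print(sent[1:])                      # the "almost sorted" frames
    assert decrypt_scene(sent) == scene  # lossless round trip
```

Because consecutive frames in the toy scene differ in a single pixel, the permuted frames come out sorted or nearly sorted, which is the property the spatial-only encoder is expected to exploit.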
Input: Encoded first frame $E(F_1)$, encrypted encoded second frame $E(P'_1(F_2))$ and encrypted encoded subsequent frames of a video sequence (or scene) $E(P'_2(F_3)), \dots, E(P'_{m-1}(F_m))$.
(1) Bob calculates $D(E(F_1)) = F'_1 \approx F_1$ and the sorting permutation $P'_1$ of $F'_1$.
(2) From $E(P'_1(F_2))$ he computes $F''_2 = D(E(P'_1(F_2)))$.
(3) Bob approximates $F_2 \approx F'_2 = (P'_1)^{-1}(F''_2)$.
(4) He then recovers the unique sorting permutation $P'_2$ of $F'_2$.
(5) For each received frame $E(P'_{i-1}(F_i))$, $i = 3, \dots, m$, Bob:
    (a) Decodes $E(P'_{i-1}(F_i))$ into $F''_i = D(E(P'_{i-1}(F_i)))$;
    (b) Approximates $F_i \approx F'_i = (P'_{i-1})^{-1}(F''_i)$;
    (c) If $i < m$, he calculates a sorting permutation $P'_i$ of $F'_i$.
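The decryption steps above can be illustrated with a small Python sketch of the lossy mode. Several things here are assumptions made only for illustration: the lossy codec pair D(E(.)) is replaced by a toy uniform quantizer (`lossy_codec`), frames are flat lists of pixel values, and the sender-side routine is inferred from the requirement that permutations be computed on decoded frames, since the encryption listing is not reproduced here. All function names are hypothetical.

```python
def sorting_permutation(frame):
    """Unique sorting permutation: ties are broken by original index."""
    return sorted(range(len(frame)), key=lambda i: (frame[i], i))


def apply_permutation(perm, frame):
    return [frame[i] for i in perm]


def apply_inverse(perm, permuted):
    restored = [None] * len(perm)
    for j, i in enumerate(perm):
        restored[i] = permuted[j]
    return restored


def lossy_codec(frame, step=4):
    """Toy stand-in for D(E(.)): uniform quantization to bucket midpoints."""
    return [(v // step) * step + step // 2 for v in frame]


def encrypt_lossy(frames, step=4):
    """Sender: returns the frames as the receiver will see them after decoding.

    Each permutation is derived from the decoded previous frame, so both
    sides compute it from identical data despite the coding loss.
    """
    decoded_prev = lossy_codec(frames[0], step)            # decoded first frame
    received = [decoded_prev]
    for cur in frames[1:]:
        perm = sorting_permutation(decoded_prev)           # from decoded data
        decoded = lossy_codec(apply_permutation(perm, cur), step)
        received.append(decoded)
        decoded_prev = apply_inverse(perm, decoded)        # what Bob recovers
    return received


def decrypt_lossy(received):
    """Receiver: steps (1) to (5) of the listing, on already decoded frames."""
    frames = [received[0]]
    for decoded in received[1:]:
        perm = sorting_permutation(frames[-1])
        frames.append(apply_inverse(perm, decoded))
    return frames


if __name__ == "__main__":
    scene = [[10, 200, 37, 90], [12, 198, 40, 91], [11, 197, 41, 95]]
    recovered = decrypt_lossy(encrypt_lossy(scene))
    print(recovered)
```

With this pointwise quantizer the recovered frames equal the quantized originals exactly; with a real transform codec such as M-JPEG the recovered frames would only approximate the originals.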
The basic algorithms proposed in this section can be extended to accommodate additional application requirements. For instance, these algorithms do not offer perceptual quality control, cannot handle global camera motion such as translation, and do not support VCR-like functionality. Next, we introduce several extensions to the basic algorithms in order to support these additional application requirements.
3.3. Extensions to basic algorithms
The following extensions to the basic algorithms from Algorithms 2, 3, 4, and 5 are established in order to broaden their applicability.
(i) Block-based extension for perceptual quality control.
(ii) Extension for handling global camera translational motion.
(iii) Extension for hiding the histogram.
(iv) Extension for enabling VCR-like functionality and better error resilience.
3.3.1. Block-based approach
The proposed algorithm can be applied to individual blocks within a frame in the same way it is applied to the entire frame. By doing so, two different features are achieved: (1) the algorithm is more robust to high motion within a frame as long as the motion is limited to a small number of blocks, and (2) by controlling the block size one can also control the degree of perception, in the sense that the video becomes degraded (blocky) but perceivable for smaller block sizes. This algorithmic mode is illustrated in Figures 6(g), 6(h), and 6(i).
3.3.2. Extensions for handling global camera motion
Unfortunately, the basic algorithms cannot handle camera motion well, since the sorting permutation of the previous frame will, in the case of global motion, not create almost sorted data when applied to the data of the current frame. However, if a global translational camera motion is known, for instance, by using some motion estimation method as a preprocessor, the receiver can readjust the sorting permutation accordingly once this information is sent to the receiver’s side.
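The block-based mode of Section 3.3.1 can be sketched as follows. This is only an illustration under assumptions: frames are flat raster-scan lists, blocks are visited in raster order, sorted values are written back in raster order inside each block, and ties are broken by position within the block. The function names and the in-block layout are hypothetical choices, not taken from the paper.

```python
def block_indices(width, height, bw, bh):
    """Yield, for each bw x bh block, the raster-scan indices of its pixels."""
    for top in range(0, height, bh):
        for left in range(0, width, bw):
            yield [y * width + x
                   for y in range(top, min(top + bh, height))
                   for x in range(left, min(left + bw, width))]


def block_order(prev, idx):
    """Sorting permutation of one block of the previous frame (ties by position)."""
    return sorted(range(len(idx)), key=lambda k: (prev[idx[k]], k))


def encrypt_blockwise(prev, cur, width, height, bw, bh):
    """Permute each block of `cur` with the sorting permutation of the same block of `prev`."""
    out = list(cur)
    for idx in block_indices(width, height, bw, bh):
        for pos, k in enumerate(block_order(prev, idx)):
            out[idx[pos]] = cur[idx[k]]
    return out


def decrypt_blockwise(prev, enc, width, height, bw, bh):
    """Undo encrypt_blockwise given the (already recovered) previous frame."""
    out = list(enc)
    for idx in block_indices(width, height, bw, bh):
        for pos, k in enumerate(block_order(prev, idx)):
            out[idx[k]] = enc[idx[pos]]
    return out


if __name__ == "__main__":
    # 4 x 2 frame split into two 2 x 2 blocks; one pixel changes between frames.
    prev = [3, 1, 9, 7,
            2, 0, 8, 6]
    cur = [3, 1, 9, 7,
           2, 5, 8, 6]
    enc = encrypt_blockwise(prev, cur, 4, 2, 2, 2)
    print(enc)
    assert decrypt_blockwise(prev, enc, 4, 2, 2, 2) == cur
```

Since each block is permuted independently, a change confined to one block disturbs only that block's ordering, which is the robustness property claimed for this mode.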
Brute-force attack
Brute-force attack is based on exhaustive key search, and is feasible only for cryptosystems with a relatively small key space. In our case, the brute-force attack can follow two possible avenues: one could attack either the underlying conventional cryptosystem used for encryption in channel ChS, or the proposed permutation-based method used in channel ChR. For that reason, it is recommended to use a strong conventional symmetric-key cryptosystem such as AES with 128-bit or stronger keys. The size of the key space related to our permutation-based method is equivalent to the following: given a color histogram of a $w \times h$ image $F$, how many different images can be formed out of the histogram color values? Note that $F$ is just one of these images.
Let $s_1^{f_1}, \dots, s_k^{f_k}$ be the histogram of frame $F$. In [18] it was shown that the number of different images that can be formed by permuting $F$ is equal to the size of the $S_{w \times h}$-orbit of $F$, denoted by $S_{w \times h}(F)$, under the group action of [...] there are exactly $(wh)! / \prod_{i=1}^{k} f_i!$ different images with the same color histogram $s_1^{f_1}, \dots, s_k^{f_k}$. These distinct images determine the effective key space of our method. If one uses an $n$-bit conventional cryptosystem to encrypt key frames in channel ChS, the actual key space of the proposed method is
$$\min\left\{ 2^n,\ \frac{(wh)!}{\prod_{i=1}^{k} f_i!} \right\}. \tag{6}$$
The size of the key space depends on the color histogram of the encrypted frame. As one can see, this number is extremely large for any meaningful image of reasonable dimensions, and it is usually much larger than the $2^n$ keys of the conventional symmetric-key cryptosystem in use.
In the case of the block-based algorithmic mode, the attacker is faced with a smaller key space. If a block size of $b \times c$ is used, there are $wh/bc$ blocks within a frame. Suppose that each $i$th
Table 2: Compression performance of the proposed encryption algorithms with lossless spatial-only video coding.
Animated GIF
Algorithm Hall monitor Akiyo Mother Grandma Claire Miss Am
Basic 0.746 0.433 0.745 0.685 0.776 0.867
blk32 0.959 0.597 0.955 — — —
blk16 0.976 0.655 0.968 0.845 0.908 0.981
blk8 0.980 0.745 0.975 0.877 0.941 0.990
Basic+hh 0.633 0.254 0.634 0.438 0.475 0.683
blk32+hh 0.657 0.264 0.654 — — —
blk16+hh 0.657 0.262 0.652 0.444 0.487 0.686
blk8+hh 0.658 0.259 0.650 0.445 0.487 0.688
Motion PNG
Algorithm Hall monitor Akiyo Mother Grandma Claire Miss Am
Basic 0.813 0.421 0.789 0.695 0.765 0.891
blk32 0.993 0.555 0.969 — — —
blk16 1.007 0.631 0.982 0.869 0.941 0.995
blk8 1.011 0.738 0.993 0.915 0.990 1.011
Basic+hh 0.699 0.302 0.709 0.510 0.571 0.729
blk32+hh 0.713 0.314 0.713 — — —
blk16+hh 0.715 0.310 0.710 0.517 0.587 0.740
blk8+hh 0.716 0.307 0.708 0.518 0.583 0.743
Motion JLS
Algorithm Hall monitor Akiyo Mother Grandma Claire Miss Am
Basic 1.113 0.693 1.135 0.757 0.954 1.131
blk32 1.120 0.691 1.122 — — —
blk16 1.128 0.750 1.132 0.818 1.037 1.142
blk8 1.150 0.854 1.147 0.882 1.135 1.163
Basic+hh 1.053 0.441 1.085 0.662 0.789 1.069
blk32+hh 1.049 0.445 1.056 — — —
blk16+hh 1.048 0.440 1.047 0.660 0.794 1.064
blk8+hh 1.046 0.433 1.035 0.664 0.797 1.064
$b \times c$ block in $F$ has the color histogram $s_{i1}^{f_{i1}}, \dots, s_{ik}^{f_{ik}}$. Then, the size of the key space is
$$\min\left\{ 2^n,\ \prod_{i=1}^{wh/bc} \frac{(bc)!}{\prod_{j=1}^{k} f_{ij}!} \right\}, \tag{7}$$
which, for reasonable block sizes such as $8 \times 8$ or larger, is still computationally infeasible to search.
proposed approaches rely on the sorting permutation of the previous frame, and thus a key is directly dependent on the plaintext. Under a chosen-plaintext attack, the adversary can compute the sorting permutation for the chosen frame, but this gives no information about the sorting permutations for the unknown frames. Under a chosen-ciphertext attack, the adversary can recover the unsorting permutation for the chosen encrypted frame, but this gives no information regarding other unknown ciphertexts.
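The counting behind Theorem 1 and the key-space sizes in (6) and (7) can be checked numerically. The Python sketch below is an illustration under assumptions: histograms are passed as plain lists of frequencies, sizes are reported in bits (base-2 logarithms) using `math.lgamma` to avoid forming huge factorials, and all function names are hypothetical.

```python
from collections import Counter
from itertools import permutations
from math import factorial, lgamma, log, prod


def sorting_permutation_count(seq):
    """Theorem 1: f_1! * ... * f_k! permutations sort `seq`."""
    return prod(factorial(f) for f in Counter(seq).values())


def distinct_arrangements(seq):
    """Number of sequences sharing the histogram of `seq`: n! / (f_1! ... f_k!)."""
    return factorial(len(seq)) // sorting_permutation_count(seq)


def brute_force_sorting_count(seq):
    """Exhaustive check of Theorem 1; only feasible for very short sequences."""
    target = sorted(seq)
    return sum(1 for p in permutations(range(len(seq)))
               if [seq[i] for i in p] == target)


def log2_multinomial(histogram):
    """log2 of (sum f_i)! / prod(f_i!) computed with log-gamma."""
    n = sum(histogram)
    return (lgamma(n + 1) - sum(lgamma(f + 1) for f in histogram)) / log(2)


def keyspace_bits(histogram, cipher_bits=128):
    """Equation (6) in bits: min(n, log2((wh)! / prod f_i!))."""
    return min(float(cipher_bits), log2_multinomial(histogram))


def block_keyspace_bits(block_histograms, cipher_bits=128):
    """Equation (7) in bits: the product over blocks becomes a sum of logs."""
    total = sum(log2_multinomial(h) for h in block_histograms)
    return min(float(cipher_bits), total)


if __name__ == "__main__":
    seq = [2, 1, 2, 1, 3]
    print(sorting_permutation_count(seq), brute_force_sorting_count(seq))
    print(distinct_arrangements(seq))
    # A single 8 x 8 block with 64 distinct values already exceeds 128 bits.
    print(log2_multinomial([1] * 64), keyspace_bits([1] * 64))
```

A block whose pixels all share one value contributes zero bits, which shows how strongly the permutation key space depends on the histogram.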
Table 3: Compression performance of the proposed encryption algorithms with lossy spatial-only video coding.
possible videos to be encrypted, he or she may be able to recognize which video sequence is being transmitted from Alice to Bob by observing the publicly given pixel value histograms of frames. Another related problem is the adversary’s ability to analyze the properties of a given histogram for rough clues about the content. Namely, cartoon pictures and real photos have different histograms, and photos of human faces usually have narrower histograms than photos of natural scenes [10]. Finally, since the encrypted frames look less smooth when fast motion occurs within a scene, it is possible to gain limited knowledge about the scene dynamics by observing the “almost sorted” frames. Although limited, these attacks are unavoidable in the proposed methodology, and our video encryption algorithms should not be used in applications where these attacks are of interest to an adversary.
The histogram-hiding extension of the proposed algorithms is much more robust against the second type of the known histogram attack, since the adversary does not have the actual color histograms of the frames needed to analyze the properties of a given histogram for rough clues about the content. The source recognition attack still holds, since the adversary has access to the distribution of frame differences in the encrypted video, a statistic that can reveal the previously known video.
Even though some weaknesses have been identified, the proposed video encryption algorithms are applicable to a majority of real-world video security scenarios.
5. EXPERIMENTAL RESULTS
To evaluate the performance of our method in terms of compression, experiments are performed on six benchmark sequences in CIF (352 × 288) and QCIF (176 × 144) formats. Table 1 shows the technical summary of the sequences used. The following is a legend of acronyms used in Tables 2, 3, and 4:
(i) basic: basic algorithm operating on entire frames;
(ii) blk32: block-based extension operating on 32 × 32 blocks;
(iii) blk16: block-based extension operating on 16 × 16 blocks;
Table 4: Resulting PSNR (in dB) with lossy spatial-only video coding.
stances even improve the spatial correlation of the source data since “almost sorted” frames on average have a better spatial sample-to-sample correlation than the actual frames. Therefore, spatial-only video codecs can be enhanced with an encryption-equipped preprocessor and a decryption-equipped postprocessor that can result in similar or improved compression performance while at the same time providing a significant level of computationally provable security. In effect, the algorithms produce fully application-friendly output and require no modification to the codec modules. Both the security and performance analyses of the proposed methodology show that the algorithms are computationally efficient and resistant to typical cryptanalytic attacks.

There are several obvious applications in practice for which the proposed algorithms are suitable. Industrial and business-related video telephony and videoconferencing often require confidentiality. The types of videos and price of spatial-only codecs, such as M-JPEG, clearly suit the requirements of the proposed encryption approaches. Surveillance video monitoring is also a suitable application. In this application it is important not to use motion-based coding since motion coding tends to reduce the spatial resolution, but more importantly, interpolated video is inadmissible as evidence in many legal jurisdictions. Due to recent terrorist attacks on western countries such as the United States and the United Kingdom, airplane cockpits and other public transportation places are monitored by their governments. Here, M-JPEG is currently the preferred method as it allows each picture to be wholly compressed into a data file, whereas MPEG derives frames from a sequence, storing mainly the differences and using interpolated frames, which really do not stand up in court [33]. Digital multimedia captured for medical purposes is likely to be encoded with lossless video coding and without any kind of interpolation since the highest precision is necessary for correct diagnosis, and many medical multimedia videos are indeed represented by a single low-motion scene.

Future directions should include an investigation of extending or modifying the proposed principle to achieve efficiency in exploiting temporal correlation as well, in order to achieve applicability to more advanced video codecs such as the H.26x and MPEG families. The proposed algorithms could be combined with an object segmentation approach to improve their robustness against movement of objects within the scene, for instance, by using the sorting permutations of each object from the previous frame (including background). Another possibility for future research includes the extension to spatial selectivity (e.g., to achieve anonymity) where only objects of interest (such as human faces) are encrypted, while other objects are kept unencrypted.

REFERENCES

[1] J. Meyer and F. Gadegast, “Security mechanisms for multimedia data with the example MPEG-1 video,” Project Description of SECMPEG, Technical University of Berlin, 1995.
[2] G. Spanos and T. Maples, “Performance study of a selective encryption scheme for the security of networked, real-time video,” in Proceedings of the 4th International Conference on Computer Communications and Networks (ICCCN ’95), pp. 2–10, IEEE Press, Las Vegas, Nev, USA, September 1995.
[3] B. Bhargava, C. Shi, and S.-Y. Wang, “MPEG video encryption algorithms,” Multimedia Tools and Applications, vol. 24, no. 1, pp. 57–79, 2004.
[4] S. Li, G. Chen, A. Cheung, B. Bhargava, and K.-T. Lo, “On the design of perceptual MPEG-Video encryption algorithms,” IEEE Transactions on Circuits and Systems for Video Technology, vol. 17, no. 2, pp. 214–223, 2005.
[5] I. Agi and L. Gong, “An empirical study of secure MPEG video transmissions,” in Proceedings of the Symposium on Network and Distributed System Security (SNDSS ’96), pp. 137–144, IEEE Computer Society, San Diego, Calif, USA, February 1996.
[6] C.-P. Wu and C.-C. J. Kuo, “Fast encryption methods for audiovisual data confidentiality,” in Multimedia Systems and Applications III, vol. 4209 of Proceedings of SPIE, pp. 284–295, Boston, Mass, USA, November 2000.
[7] J. Wen, M. Severa, W. Zeng, M. Luttrell, and W. Jin, “A format-compliant configurable encryption framework for access control of multimedia,” in Proceedings of the 4th IEEE Workshop on Multimedia Signal Processing (MMSP ’01), pp. 435–440, Cannes, France, October 2001.
[8] T. Lookabaugh, D. C. Sicker, D. M. Keaton, W. Y. Guo, and I. Vedula, “Security analysis of selectively encrypted MPEG-2 streams,” in Multimedia Systems and Applications VI, vol. 5241 of Proceedings of SPIE, pp. 10–21, Orlando, Fla, USA, September 2003.
[9] S. Li, X. Zheng, X. Mou, and Y. Cai, “Chaotic encryption scheme for real-time digital video,” in Real-Time Imaging VI, vol. 4666 of Proceedings of SPIE, pp. 149–160, San Jose, Calif, USA, January 2002.
[10] S. Li, G. Chen, and X. Zheng, “Chaos-based encryption for digital images and videos,” in Multimedia Security Handbook, vol. 4 of Internet and Communications Series, pp. 133–167, CRC Press, Boca Raton, Fla, USA, 2004.
[11] B. Furht, E. Muharemagic, and D. Socek, Multimedia Encryption and Watermarking, vol. 28 of Multimedia Systems and Applications, Springer, Berlin, Germany, 2005.
[12] D. Guo, L. M. Cheng, and L. L. Cheng, “A new symmetric probabilistic encryption scheme based on chaotic attractors of neural networks,” Applied Intelligence, vol. 10, no. 1, pp. 71–84, 1999.
[13] D. Socek and D. Ćulibrk, “On the security of a clipped Hopfield neural network-based cryptosystem,” in Proceedings of the 7th ACM Workshop on Multimedia and Security (MM-Sec ’05), pp. 71–76, New York, NY, USA, August 2005.
[14] X. Yi, C. H. Tan, C. K. Siew, and M. R. Syed, “Fast encryption for multimedia,” IEEE Transactions on Consumer Electronics, vol. 47, no. 1, pp. 101–107, 2001.
[15] A. M. Youssef and S. E. Tavares, “Comments on the security of fast encryption algorithm for multimedia (FEA-M),” IEEE Transactions on Consumer Electronics, vol. 49, no. 1, pp. 168–170, 2003.
[16] M. J. Mihaljević, “On vulnerabilities and improvements of fast encryption algorithm for multimedia FEA-M,” IEEE Transactions on Consumer Electronics, vol. 49, no. 4, pp. 1199–1207, 2003.
[17] M. Pazarci and V. Dipçin, “A MPEG2-transparent scrambling technique,” IEEE Transactions on Consumer Electronics, vol. 48, no. 2, pp. 345–355, 2002.