A Survey of H.264 AVC/SVC Encryption

More documents

Recommendations

Info

115) Preserved Functionality: All functionality can be preservedwith the appropriate encryption scheme. DCT coefficientwatermarking can be conducted if the access to thecoefficient data is possible (see table III).D. Transparent EncryptionThe main additional requirement of transparent encryptionis quality control.1) Suitable Video Encryption Schemes and Proposed Solutions:Though many schemes have been proposed under thelabel perceptual encryption, quality control of the encrypteddata is only discussed in a few contributions [44], [43]. Incase of AVC, a transparent encryption approach has beenproposed in [44], employing restricted MVD encryption andthe encryption of less important bitplanes of DCT coefficients.Furthermore previous DCT sign and coefficient encryptionproposals can be extended by an explicit quality control,which controls the quality by restricting the sign (CAVLCand CABAC) and magnitude (CABAC) encryption to certaincoefficients and additionally only the magnitude could beencrypted.In [59] it is proposed to employ SVC for transparentencryption and if format-compliance is targeted to force adecoder to ignore the encrypted data by signalling in the NAL(unspecified NUTs). If the application of SVC is possible theencryption of the enhancement layers is the recommendedsolution (see figure 1(b) for an illustration of the approach).2) Security: Security of transparent encryption schemesrelies on the inability of an adversary to compute higherquality versions than already made public. Thus specificallytailored algorithms, inspired by super-resolution and denoisingalgorithms, are the main threat. Additionally, the preservedinformation in the ciphertext may be exploited. However,currently there are no known attacks against the recommendedschemes and in case of the SVC-based transparent encryptionalgorithm the existence of such an efficient algorithm wouldalso give efficient quality enhancement tools for ordinary AVCstreams.3) Compression: There is no compression overhead for theSVC-based encryption scheme.In [44] only slight bitrate increases of less then 1% arereported.4) Complexity: In case of the SVC encryption approachthe qualities of the substreams have to be determined inthe SVC compression process, which highly depends on thedesired scalability properties of the SVC bitstream and is morecomplex then AVC encoding. If an SVC bitstream is availablethe scheme is efficient.Only a small increase of complexity (similar to othercompression-integrated schemes) is present in the online scenario.However, in an offline scenario costly parts of thedecompression pipeline have to be performed.5) Preserved Functionality: Commonly format-complianceis considered a necessity for the transparent encryption scenarioand thus has to preserved. The proposed DCT watermarkingschemes can not be applied, stream substitutionwatermarking can still be applied.E. ROI EncryptionROI encryption has been primarily proposed for privacypreserving encryption schemes.1) Suitable Video Encryption Schemes: In [12], [14] signencryption and permutations is proposed and reported to bemeet the security constraints [14].2) Security: According to [14] sign encryption and permutationprevents automatic face recognition and this is theirproposed security metric for privacy preserving encryption.The goal of an adversary for this security notion is thedevelopment of a face recognition system that can identifyfaces even when encrypted. An adversary will try to combineattacks against the video encryption scheme and improvedface recognition systems, e.g., permutations are known to besusceptible to known plaintext attacks [35].3) Compression: Only small decreases in compressioncomplexity are reported.4) Complexity: As the privacy-threatening regions (faces)have to be detected, which is done on the raw video data oncan assume an online scenario. Thus the impact of the overallsystem complexity is small.5) Preserved Functionality: An important feature for ROIencryption is that the remaining video can be decoded insufficient quality, such that privacy-preserving surveillance ispossible. The recommended schemes have this property andare also format-compliant.F. DiscussionThe current state-of-the-art in H.264 video encryption canoffer solutions for all of the security and application scenarios,content confidentiality and sufficient encryption only makesense if additional functionality, such as transcodability orwatermarking, is preserved. H.264 encryption schemes arecapable to preserve diverse functionality, but naturally atsome cost in terms of security, runtime performance andcompression performance. Table III summarizes importantaspects and properties of the diverse encryption algorithms.Naive denotes AES in cipher feedback mode, MPV denotesan encryption algorithm that is MP-secure on the videodata, CF denotes schemes that employ container formats, FCdenotes schemes that NAL-compliantly encrypt NALUs andsignal the encrypted data in the H.264 syntax, NC denotesschemes that NAL-compliantly encrypt NALUs but do notsignal the encrypted data (semantics are preserved), S denotesDCT coefficient sign encryption, L denotes DCT coefficientlevel encryption (only applicable with CABAC), SDCT denotessecret DCT transforms, MVD denotes motion vectordifference encryption, SSO denotes secret scan orders, Interdenotes inter prediction mode encryption and Intra denotesintra prediction mode encryption. The first rows identify thesuitable encryption schemes for a security and applicationscenario. Additionally the table identifies whether schemescan be combined and whether they are format-compliant.The row labelled “Compliant packetization” indicates thatconventional packaging tools and protocols can be employed.“Compliant adaptation” (for SVC) identifies schemes thatallow conventional H.264 SVC adaptation, while “Adaptation”
12Naive MPV CF FC NC S L SDCT MVD SSO Inter IntraHighest level security # ! # # # # # # # # # #Content confidentiality ! ! ! ! ! # # # # # # #Sufficient encryption ! ! ! ! ! ! ! ! ! ! ! !Transparent encryption # # # SVC SVC ∼ ∼ ∼ ∼ ∼ ∼ ∼FC transparent encryption # # # SVC # ∼ ∼ ∼ ∼ ∼ ∼ ∼ROI encryption # # # # ! ! ! ! # ! # !Combinable # # # # # ! ! ! ! ! ! !Format-compliant # # # ! # ! ! ! ! ! ! !Compliant packetization # # # ! ! ! ! ! ! ! ! !Compliant adaptation # # ! ! ! ! ! ! ! ! ! !Adaptation # ! ! ! ! ! ! ! ! ! ! !Transcodability # # # # # ! # ! ! # ! #DCT Watermarking # # # # # ! # ! ! ∼ ! !BSS Watermarking # ! ! ! ! ! ! ! ! ! ! !Complexity (online) bpp bpp + ɛ bpp bpp bpp < 1 ≈ bpp 1 < 1 ≈ 1 < 1 < 1Add. Comp. (offline) 0 0 0 0 0 +H +H +H +H +H +H +HCompression pres. ! ∼ ∼ ! ! ∼ ! ! ∼ ∼ ! !Error propagation H.264-Full H.264 H.264 H.264 H.264 H.264 H.264 H.264 H.264 H.264 H.264 H.264TABLE IIIOVERVIEW OF H.264 ENCRYPTION APPROACHESindicates schemes which require changes in the adaptationtools. Note that format-compliance and compliant adaptationcan not be met simultaneously with bitstream oriented approaches.“Transcodability” refers to H.264 transcoding byrequantization of the coefficients [64]. The encryption schemesare evaluated for their interoperability with watermarkingsystems, namely DCT watermarking and BSS (bitstreamstream substitution) watermarking. Only some compressionintegratedschemes can be combined with DCT watermarking.All schemes that employ encryption with additive ciphers(and no cipher feedback mechanisms) can be used with BSSwatermarking. The online complexity is given in necessarypseudo-random bits per input pixel; bpp denotes the bit perpixel after compression. The offline complexity of bitstreamorientedschemes is almost the same as the online complexity,compression-integrated schemes, however, have to performparts of the decompression / compression pipeline, which isindicated by the entry “+H”. The preservation of compressionefficiency is evaluated in the row labelled “Compression pres.”.Error propagation is also analyzed, only the Naive scheme issusceptible to propagate errors, however, a bit error in the CBCmode corrupts only two blocks (with the size of the blocks ofthe employed block cipher). Thus even for the Naive schemeerror propagation is very limited for common cipher / modechoices and only if exotic modes, such as PCBC (propagatingcipher block chaining) are employed the entire bitstream willbe corrupted. However, all schemes, as presented here, aresensitive to loss of synchronization, as a secure PRNG isemployed. Packet loss is a realistic threat in the case ofUDP-based RTP transmission; the straight-forward solution ofrepeatedly sending synchronization information, i.e., IV for thesecure PRNG (e.g., AES in counter mode), has been shownto only have a very small impact on compression efficiency[19].Many of H.264 encryption approaches have been proposedwithout an analysis and discussion of the functionality theypreserve and of their interplay with other protocols andoperations defined for H.264. The survey bridges this gapand provide an overview especially considering the aspectof preserved and additional functionality of H.264 encryptionapproaches.Considering that most of the proposed H.264 encryptionschemes leak visual information, we have to state the lackof sufficiently evaluated objective quality / intelligibility /security metrics to assess the amount of leaked visible information.Although a few proposals for quality / intelligibility/ security metrics have been made [45], [63], none actuallyevaluates the performance of the proposed metrics with respectto the correlation to human perceived quality / intelligibility.Currently there are no suitable and evaluated metrics availableand thus we have deliberately omitted results in this survey([15, figure 9] shows an example where the security metricESS indicates no visual information leakage, while an edgeimage is clearly visible). Given that many encryption schemesare brought forward with the claim that they severely reducequality and intelligibility (their security is based on this quality/ intelligibility reduction) the algorithmic inassessibility of thisclaim is certainly of great discontent. The lack of appropriateassessment tools for video encryption may also be partlyresponsible for the lack of schemes where the quality can becontrolled. Apart from a some contributions [44], [17], [59],few approaches offer the ajustability of visual quality.VI. OUTLOOK AND FURTHER RESEARCH DIRECTIONSThe most apparent deficit in the current research is that,although security in the context of video encryption is definedwith respect to quality and intelligibility, neither quality norintelligibility can be assessed. The lack of objective assessmentmethods makes video encryption schemes incomparable; theanalysis on the basis of a visual inspection of single frames,
Page 1 and 2: A Survey of H.264 AVC/SVC Encryptio
Page 3 and 4: 2(b)Figure 2: Scrambling for “Hal
Page 5 and 6: 4ciphertext. If one considers the r
Page 7 and 8: 6Online / Offline Scenario: The com
Page 9 and 10: 8Compression-oriented encryption sc
Page 11: 10Partial encryption schemes that e
Page 15 and 16: 14[24] Razib Iqbal, Shervin Shirmoh

A Survey of H.264 AVC/SVC Encryption

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?