Presented at ACM Multimedia 1998, September 12-16, 1998, Bristol Uk
1. ABSTRACT
Various on-demand systems require that large
numbers of customers are provided with the
same multimedia stream content or different
but closely related content in short temporary
sequence but not at exactly the same time. This
includes video on demand and news on
demand. A typical approach to increase the
performance of such systems is caching. How-
ever in current commercial on-demand stream-
ing applications in the Internet caches are used
very rarely because a mechanism to protect the
content from resale by the cache owners does
not exist. A typical solution is to transfer all
content via protected unicast transmissions,
which is an approach that does not scale.
We want to present a trivial scheme that pro-
vides similar protection for the content but be
used efficiently with multicasting and caching.
In this approach, the major part of the video is
intentionally corrupted and can be distributed
via multicast connections, while the part for
reconstruction of the original is delivered to
each receiver individually. We propose also
means to discourage resale of the multimedia
content by customers. One proposal introduces
receiver-sided introduction of watermarks into
the video, the other uses infrequent corrupt
bytes to achieve uniqueness of each copy.
1.1 Keywords
Multimedia, video-on-demand, copyright protection,
corruption
2. INTRODUCTION
Many on-demand applications require that the same content
is delivered to many different receivers in short sequence. In
both VoD and NoD applications, the goal of the content
provider is the frequent and rapid sale of contents in the
most popular phase of their life cycle. The restriction of
access to a small group of receivers is not intended for this
type of content redistribution. In video-on-demand systems,
for example, advertisements and current trends raise the
popularity of certain video titles, and thus, the rate of
requests to the specific title. In fact, videos exhibit certain
long-term aging characteristics that are verified in [5]. This
could be exploited in a distribution system by the
introduction of caching and prefetching techniques.
However, to prevent data theft, the delivery of commercially
relevant content from the sender to the receiver is currently
protected by encrypted point-to-point (unicast)
transmissions. As we can see in current not-quite digital
applications such as broadcast television or video rental,
ensuring copyrights is not necessarily a technical issue but it
is sufficient for the content provider to be able to verify and
prove that the copyright has been violated after the actual
violation. This is typically the case for applications that
concern distribution of non-confidential content to mass
markets, such as news-on-demand, audio- or video-on-
demand. To support the tracking and proof of data theft,
watermarking techniques are under development which
identify the individual receiver of the content.
For the wide-spread sale of a multimedia content, the use of
caching is necessary because neither the network
infrastructure nor any content provider’s servers can support
an arbitrary number of unicast connections with content that
is encrypted in real-time.
This conflict between copyright protection and scalability
inhibits effectively the deployment of caching and
prefetching in the area of commercially sold multimedia
content, although the profit that could be gained from
reducing the network constraints would be considerable (as
demonstrated by the sex business, which is protected from
redistribution on a large scale by the privacy needs of its
customers).
In this paper, we do not try to provide a generic solution but
we address a specific application area. For some commercial
multimedia applications such as video conferencing, perfect
protection is a major requirement of the communicating
Protecting VoD the Easier Way
Carsten Griwodz, Oliver Merkel
Industrial Process and System Communications
Dept. of Electrical Eng. & Information Technology
Darmstadt University of Technology
Merckstr. 25 • D-64283 Darmstadt • Germany
Tel.: (49) 6151 / 166159
{griff,merkel}@kom.tu-darmstadt.de
Jana Dittmann, Ralf Steinmetz
GMD IPSI
German National Research Center
for Information Technology
Dolivostr. 15 • D-64293 Darmstadt • Germany
Tel.: (49) 6151 / 869845
{dittmann,steinmetz}@darmstadt.gmd.de
Presented at ACM Multimedia 1998, September 12-16, 1998, Bristol Uk
partners. In some multimedia applications, not the perfect
protection of content is a necessity but instead, ensuring the
copyright of the content owner is the primary issue.
For such multimedia applications, which can take major
advantage of caching or prefetching mechanisms, we want
to provide a simple approach that is able to protect the
content owner from the service provider in a wide area
network while protecting the infrastructure from an
unnecessary number of retransmissions.
We want to provide a straightforward mechanism for these
applications which can interoperate with simple caching
systems in the service providers’ domain as well as
reasonably powerful multimedia servers of the content
providers. The mechanism should be computationally
cheap, in order not to overloaded the server with the task of
modifying (e.g. watermarking or encryption) the content for
an arbitrary number of concurrent unicast transmissions
which would make the application unscalable. We propose
the unencrypted transmission of the bulk of data, which
allows the use of caching, and the additional encrypted
point-to-point transmission of a minimal amount of data
that is necessary to reconstruct the complete multimedia
content. Furthermore, ideas are presented for the
introduction of personal watermarking into the
reconstructed video at the client side.
The digital watermarking technology enables the possibility
to add copyright or customer information into digital data,
like video, to protect the content from resale by an original
customer. There are two major approaches: adding visible,
perceptual marks or embedding invisible, imperceptible
(hidden) information using steganographical schemes.
Usually digital watermarks are additional hidden
information, labels, holographically inlaid in the
multimedia data and perceptually undetectable (invisible).
Those concepts result from a direct work on the data.
Ideally it is impossible to remove the embedded information
(owner identification, customer information or other
information about the multimedia data) without damaging
the data. The embedded information is embedded with a
secret key and can be retrieved using the same secret key.
The technique de-motivates the illegal re-use of distributed
digital data. Labelling-based protection strategies intend to
enable the proof of ownership on copyrighted material, to
detect the originator of illegal reproductions, to monitor the
usage of the copyrighted multimedia data and to analyse the
spread spectrum of the data over networks and servers. It
should be noted, though, that the embedded signalling can
be used for a variety of purposes other than copyright
control.
We combine the theft and resale protection of data during
transmission with a watermarking scheme that embeds
specific customer information into the video to track the use
of the reconstructed video, and to prove data theft and to de-
motivate resale by regular customers.
Our ideas were primarily directed at MPEG-1 video but
tests (on AVI, Quicktime and MPEG audio layer 3) show
that other audio and video formats are protectable in the
same way.
3. RELATED WORK
Current approaches to wide area video distribution in the
Internet assume either that content is free (and probably
worthless) or alternatively, that the distribution system is
strictly controlled. These alternative commercial video
delivery approaches use encrypted point-to-point delivery to
ensure that only paying users receive the service. To ensure
that copyright violations can be proved, the delivered
content is watermarked with information about the content’s
seller as well as the customer.
The approaches to encryption that we have found in the
literature are specifically implemented for MPEG-1, which
was also in the focus of our tests. However, we have found
only examples that can not be combined with partial or
complete reuse of the video data that is stored in caches. For
each transmission, encryption keys are selected and the
manipulation of the video is repeated, which requires a
relevant amount of resources at the sender side.
The initial approach towards video encryption was the
simple DES or RSA encryption of the whole stream.
Various more efficient encryption algorithms were
implemented recently, typically in a way that makes an
involvement of an MPEG parser necessary. Maples and
Spanos present in [9] an approach of partial encryption
exclusively of I-frames of MPEG movies. Tang proposes in
[11] a scheme of reordered DCT coefficients, which is
considered insecure as well as criticized because of the
penalty to the compression ratio in later papers. Qiao et.al.
propose in [10] a scheme called VEA (video encryption
algorithm) that works exclusively on the data bytes and
does not interpret the MPEG data. They exploit the entropy
in the MPEG data stream to reduce the number of XOR
operations in comparison to a full encryption by 47%. Still,
each byte of the video data is manipulated once for each
transmission. Kunkelmann et.al. present in [8] a variety of
approaches to the partial encryption of the complete video
stream, for use with a security gateway, and come to the
conclusion that a mix of partial bit stream encryption and
variable length code encryption is the most efficient for
their application. They consider a partial encryption of 10%
of the data appropriate for VoD applications, while full
protection requires a major part of all data to be encrypted
to prevent reconstruction.
All of these approaches are relatively computing intensive
and would put a heavy strain when executed by a VoD
server. Since encrypted content can not be re-used for any
two receivers, the operations mentioned above have to be
performed for each receiver of a stream independently.
Kunkelmann et.al. report an increase of CPU utilization by
10.5% for the playback of the video stream when
decryption is necessary. Obviously, another drawback of
these approaches is the effect that optimizations that have
been investigated in video server work such as batching
([1]) are reduced to schemes for unloading the servers’
Presented at ACM Multimedia 1998, September 12-16, 1998, Bristol Uk
disks while memory, CPU and networking requirements
grow linearly with the number of concurrent requests..
We favour an approach that is addressed by researchers in
restoration and reconstruction of images: we don’t encrypt
publicly accessible data. Instead, the unavailable
information is not present in the publicly accessible data at
all.
4. PROTECTION FROM DATA THEFT
One of the basic assumptions of our paper is that we have to
consider the computing speed of video servers as well as
their capacity. Typical design considerations in the slow-
starting video server business are concerned with the
production of machines with high internal I/O throughput,
disk throughput and network throughput because these are
supposed to limit the performance of current video server
applications. The supported number of transactions and the
computing power, on the other hand, are considered
sufficient for the envisioned scenarios. Referring to other
video encryption work, we understand that the assumption
of sufficient server computing power does not hold when
the server is supposed to re-encrypt the content for each
customer of the service in real-time. However, this kind of
protection of the content owners’ copyright and the
maintenance of information about the final receiver of the
information is considered necessary.
4.1 General Approach
Our basic idea is to unload the servers and networks from
the necessity of encrypting and unicasting complete videos
by the use of caching and pre-distribution in wide-area
networks with an acceptable compromise to protection. In
our approach, reconstruction can not break an encryption
algorithm to decode the missing information. Instead, we
destroy the data entirely in the freely distributed part of the
multimedia content. Figure 1 shows a sketch of the
distribution system that we envision for our approach.
The video transmission is performed in two phases. The
bigger part of the video is corrupted and it is made (from the
content provider’s point of view) publically available in
cache servers (“corrupted video”) in the first phase. In the
second phase, a point-to-point transmission is used to
deliver the missing bytes to the customer, encrypting this
missing information when a video is actually requested
(“unicast portion”). This provides the content owner with
the information that a request has taken place and thus the
billing option, and also with customer identification about
the receiver of a perfect copy of the video. The latter
information can be used to trace copyright violators in
conjunction with the appropriate personalized techniques
that we present in Section 5.
The data that is distributed into the wide-area network and
cached on arbitrary nodes along the path is made unusable
by content-independent corruption of data in the file.
Correct replacements for the corrupted part of the data are
transmitted to the customer by means of a point-to-point
connection. Content-independence provides two
advantages.
• First, it allows for a means to a much simpler, on-the-fly
corruption of the data than content-sensitive encryption
techniques.
• Second, no reconstruction strategy can be applied based
on knowledge about the data stream itself.
The unicast portion is encrypted on the server side using a
personal key of the receiver, e.g. a key provided by a trusted
third party. If the unicast portion is small in comparison the
complete video, the computational load of encrypting this
portion of the video is relevantly below that which is
induced by using an MPEG parser. Also, less interaction
with the optimized output paths of video servers or video
cache servers is necessary.
At the receiver’s side, the unicasted data is decrypted using
the personal decryption key, and established
synchronization approaches ([7]) can be applied to
synchronize the unicasted partial transmission with the
Real-time Real-time
Corrupted
Unicast
Resynchro-
Server Client
Cache Servers
Key
Encoder Key
Decoder Key
Encoder Decoder
Distributor
nization
Figure 1. Distribution System
Video
Portion
Unicast Transmission
Presented at ACM Multimedia 1998, September 12-16, 1998, Bristol Uk
main part of the data which is received from a nearby cache
server.
The decision whether the encrypted data can be consumed
directly from the data stream or whether a download is
necessary depends mainly on the observed throughput. It
can be made independently by the client while the stream is
being received. Assuming that the unicast portion makes up
1% of an MPEG-1 video, the necessary point-to-point
throughput is approximately 2 kilobyte/s, which is
streamable in large parts of the Internet nowadays. For the
bulk of the video data we assume the presence of a cache
server to which a 1.5 MBit/s streaming connection can be
established.
4.2 Specifcs of MPEG-1
To the extent described so far, our approach can be used
with all kinds of streamed media data, but the small subset
of data that we intend to corrupt is not generally sufficient to
confuse an arbitrary encoding algorithm. The reason for this
is not the generic use of encoding formats but the reduction
of the knowledge about the stream which is necessary to
corrupt the data sufficiently to remove perceptible
information. We have applied the scheme to MPEG-1, for
which it is feasible. For other, especially plainly intra-coded
formats, reconstruction by comparison of neighbour frames
can be automatized more easily. In typical MPEG-1 groups
of pictures, however, I-frames, which are the basis for
repairing frames, are sufficiently far apart in time to make
this auttomatic reconstruction difficult for large parts of the
video. D’Ardia et. al. have presented results in [2] that show
a relevant variation between consecutive I-frames in most
kinds of video transmission such as sports, news or movies.
The scheme could probably not by applied to talk-shows
because the low variation between consecutive I-frames
allows reconstruction of the sequence.
We have investigated the percentage of data that needs to be
corrupted in an MPEG-1 video stream to reduce the video
quality to a ‘teaser’ or worse quality. In contrast to other
approaches, which work on the uncompressed images, we
make use of the two vulnerabilities of MPEG to data
corruption or data loss.
The first vulnerability is that the destruction of an MPEG-1
I-frame affects all in the following group of pictures. In a
video that has been compressed with a typical group of
pictures lengths of 15 frames, the error is expanded in time
by the relative decoding in P- and B-frames and affects all
15 frames.
The second vulnerability is introduced by the compression
scheme. MPEG-1’s Huffmann encoding improves the
effectiveness of our intentional corruption of single bytes of
data. Since the Huffmann algorithm is bit-oriented rather
than byte-oriented, a typical Huffmann decoder
implementation is unable to recover from the error for the
rest of a data segment. Furthermore, a complete Huffmann
decoding of the data is necessary before the corruption is
detected because all bytes except for the special values 0xff
and 0x0 are meaningful to the Huffmann decoder. As a
result of this error propagation from a corrupted byte to the
rest of a data segment in a frame, the number of bytes that
need to be destroyed to corrupt a compressed MPEG frame
completely is much lower than the number of bytes
necessary for an uncompressed frame. To verify the second
vulnerability, we have tested various clips and parameter
sets.
Because of the error propagation, the destruction of larger
blocks with the same overall ratio of corrupt to correct bytes
turns out not to be feasible. The reason for this is the effect
that Huffmann decoders generate corrupted data from the
bytes immediately after the first corrupted bit. This effect is
not increased by longer series of corrupted bytes. The
corruption of single bits may be as efficient as the
corruption of bytes, but it is not feasible in our case because
the bit changes increase rather than decrease the number of
CPU operations.
4.3 Hiding Errors in the Stream
A question that arises concerns the option that are available
to a data pirate. Most probably, we have to add additional
security mechanisms. We assume that the encryption
algorithm and the key exchange mechanisms protect the
data from being stolen by an eavesdropper during
transmission and thus, that the encrypted part of the content
remains safe. The primary concern is then whether the
unencrypted data is protected from restauration.
In our experiments we can distinguish the selection of fixed
or variable byte values used for the corruption of the
0
0.005
0.010
0.015
0.020
0.025
0 50 100 150 200 250
byte
original video
0
0.005
0.010
0.015
0.020
0.025
0 50 100 150 200 250
byte
fixed value insertion
0.002
0.004
0.006
0.008
0.010
0.012
80 85 90 95 100105110115120
byte
original vs. fixed value insertion
byte ‘98’
Figure 2. Byte value frequencies in original movie and after fixed corruption
Presented at ACM Multimedia 1998, September 12-16, 1998, Bristol Uk
original stream, and the applications of this corruption at
periodic or variable offsets from each other.
An attacker may easily identify both a fixed byte value (by
gathering statistics on frequencies, see Figure 2) and a
periodic offset (by the use of auto-correlation). Both
information should be concealed as good as possible,
obviously. To prevent the possibility of identification it is
necessary and essential to vary both the replacement
distance and the replacement value.
Some of our tests were conducted by corrupting bytes at an
equal distance throughout the video. Such a sequence is
easily detected; this is a potential problem. To eliminate this
problem, we apply the Poisson distribution and a random
seed per movie. We write bytes from the original video to a
file (the unicast portion) and afterwards, destroy those bytes
in the original video. The unicast portion is stored on the
server and encrypted once per request. The seed value is
distributed to the receiver before all other content that is
sent in the unicast transmission. The receiver’s
implementation of the distribution function must be
identical to the sender’s, e.g. we have used the rather
limited, but floating-point free, implementation of the
libg++ with 32 bit signed integers. Under this assumption,
the receiver is able to replace the corrupted bytes with the
decrypted bytes when it receives them over the unicast
connection.
In our first approaches we evaluated the effect of inserting
constant values (bytes) in video streams for simplicity
reasons. However, we found that such bytes were too easily
identified by an attacker. We respond to this by trying to
replace the correct byte with a corrupt byte such that the
chances of identifying this byte as corrupt by statistical
analysis of the stream or part of the stream is minimal. The
most effective approach seems to be to increase the
“chaotic” appearance of the data to an attacker.
To have a measure for “chaos”, we concentrated on the
entropy value of the data and the changes to this value by
the introduction of errors. To achieve the highest possible
entropy in a file, the probability to find a single byte value in
any set of bytes taken from the stream would be equal to
any other value taken from the set.
The entropy is computed as follows: the relevance I of a
byte value depends on the frequency h
i
of that byte i in a
data set ([6]).
Thus, we calculate the entropy H as the average relevance of
all bytes by
Figure 2 is also a demonstration of these results. If the
information difference between old
and new value is negative the entropy decreases. If it is
positive the entropy increases. We can apply this formula to
the data of a video stream as it is streamed. Thus, we are
able to control whether we want a higher or a lower entropy
because we can choose the value of the corrupted byte in the
output stream freely. We want to use this change of entropy
as a possibility to hide the manipulated byets containing
error values.
Control or padding bytes have high frequencies. Thus, their
relevance in the calculation of the entropy value H is low
according to (2). If the goal is to present a less informative
stream you have to present something like a blank paper.
The optimum would be that some special chosen bytes are
presented very often and the frequency of the other values
converge to 0. The probability of finding less frequent
values is low but especially those values should be changed.
However, the most frequent bytes in MPEG are header and
padding bytes. Thus, a byte that assumes either of these
values that is obviously in the wrong place could be
identified quickly, which simplifies reconstruction of the
original. We concluded that lowering the entropy in this
way is ineffective.
To increase entropy is an easier task. Because the high
entropy of compressed video streams is typically very high
from the strart, it is most effective to choose the least
frequent byte from the stream to replace the original value
I h
i
( ) K h
i
log⋅= K
1
256log
-----------------–=; 1( )
H I h
i
I h
i
( )⋅
i 1=
n
∑
K h
i
h
i
log⋅
i 1=
n
∑
⋅= = =
K;
1
256log
-----------------–= 2( )
I∆ I h
new
( ) I h
old
( )–=
0
0.005
0.010
0.015
0.020
0.025
0 50 100 150 200 250
byte
original video
0
0.005
0.010
0.015
0.020
0.025
0 50 100 150 200 250
byte
lowest frequency insertion
entropy choice
0.002
0.004
0.006
0.008
0.010
0.012
80 85 90 95 100105110115120
byte
original vs entropy version
Figure 3. Byte value frequencies in original movie and after statistical corruption
