
A Real-time MPEG Video Encryption Algorithm using AES

Jayshri Nehete*, K. Bhagyalakshmi, M. B. Manjunath, Shashikant Chaudhari, T. R. Ramamohan


Central Research Laboratory
Bharat Electronics Ltd., Bangalore-560013, Phone : +91-80-8381125.
E-mail: {bhagya, manju, shashi, rmohan}@crlbel.ernet.in

Abstract
An MPEG video stream is quite different from traditional textual data because interframe dependencies exist in MPEG video. Special MPEG video encryption algorithms are required because of the special characteristics of MPEG video, such as coding structure, large amount of data and real-time constraints. We present a real-time MPEG video encryption algorithm based on AES which is fast enough to meet the real-time requirements.

Introduction

MPEG [1] is an industrial standard for video processing. Multimedia applications such as Video-on-Demand, video broadcast, multimedia mail and video-conferencing must be provided with secure transmission. Secure video transmission is a method in which video can be sent to a receiver with the assurance that any unapproved eavesdroppers along the way will not be able to get any information from the video, i.e. it is desirable that only those who have paid for the services can view their videos or movies. The high amount of redundancy in the video gives an attacker more clues to reconstruct the original video. Normal data, such as program code or text, has much less redundancy in its structure. These factors make providing secure MPEG video a challenge. Adding security to MPEG transmission usually involves encrypting parts or the entire MPEG bit stream.

One way to secure distributed multimedia applications is to encrypt multimedia data using secret key cryptography algorithms such as Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), and Advanced Encryption Standard (AES) [2]. These algorithms involve complex computations. Heavy-weight encryption is performed on almost the whole data while light-weight encryption is performed on partial or selective data. A heavy-weight encryption/decryption algorithm aggravates the problem and increases the latency, while a light-weight encryption/decryption algorithm provides a sufficient security level and has an acceptable computation cost for MPEG video applications. In this paper, we present an efficient MPEG video encryption algorithm based on AES for real-time video transmission. It is a light-weight selective encryption scheme for secure MPEG transmission. It is based on RVEA [3], which is a light-weight selective encryption algorithm based on DES/IDEA. The security is significantly improved by adopting AES to encrypt data. This algorithm reduces and bounds its computation time by limiting the maximum number of bits selected.

*Student of M. E. at Government College of Engineering, Pune, currently doing M. E. project at Central Research Laboratory, Bangalore.

2 Various Methods for MPEG video encryption

There are several already existing encryption algorithms based on DES/IDEA for secure MPEG video transmission. Each of them has its strengths and weaknesses in terms of security level, speed, and resulting stream size metrics. The existing algorithms are the Naive algorithm, selective algorithm, Zig-Zag-Permutation algorithm, Pure Permutation Algorithm and Video Encryption Algorithm (VEA) [4].
The straightforward method is to encrypt the entire MPEG stream using a standard encryption method such as DES. This is called the Naive algorithm approach. The Naive algorithm treats the MPEG bit-stream as traditional text data and does not make use of the special MPEG structures. This is the most secure algorithm but it is very slow. The size of the bit stream does not change because most standard encryption algorithms preserve the size.

There are several proposals for selective algorithms which use the features of the MPEG layered structures. The basic selective algorithm encrypts only I frames [5] because P and B frames are useless without knowing the corresponding I frames. But great portions of the video could be visible because some of the P and B frames may contain intra-coded I blocks. Encrypting only I frames can save 30-50% of encryption/decryption time. The size of the encrypted stream does not change. One selection scheme proposed is to encrypt only MPEG video headers. This is not effective because the headers contain mostly standard information and a video stream is indexed by frame in order to perform synchronization, so that the beginning of each frame is known.

The Zig-Zag-Permutation algorithm [6] presents a method where the encryption is an integral part of the MPEG compression process. Instead of mapping an 8x8 block to a 1x64 vector in zig-zag order, it uses a random permutation list to map the individual 8x8 block to a 1x64 vector. This algorithm cannot withstand the known plaintext attack and is also vulnerable to the ciphertext only attack. The speed is very fast and is almost the same as the MPEG encoding/decoding time, and the size of the encrypted MPEG stream will increase by a significant factor.

The Video Encryption Algorithm (VEA) uses a secret key to randomly change the sign bits of all DCT coefficients of MPEG video. An extension to VEA is Real-time VEA (RVEA). To encrypt selected sign bits, RVEA uses DES/IDEA while VEA uses only the XOR operation. The security of RVEA is significantly improved by adopting secret key cryptography algorithms to encrypt the data. RVEA reduces and bounds its computation time by limiting the maximum number of bits selected.

The Pure Permutation algorithm simply scrambles the byte stream by permutation. The cardinality of the permutation key can be varied and depends on the security level and the application requirement. The problem of the Pure Permutation algorithm is that it is vulnerable to the known plaintext attack. Byte-wise permutation is very fast. The Pure Permutation algorithm does not increase the stream size unless we change keys for each frame.

Background

This section describes the MPEG-1 video standard and AES.

3.1 Introduction to MPEG-1 video

MPEG-1 video is composed of a sequence of groups of pictures (GOPs). Each GOP is composed of a series of I, P, and B frames. I frames are intra-frame coded without any reference to other frames; P frames are predictively coded using a previous I or P frame; and B frames are bidirectionally interpolated from both the previous and following I and/or P frames.

MPEG-1 video coding uses three techniques to compress the video data. The first technique is transform coding. Each frame is represented as a two dimensional array of RGB triplets. Each RGB triplet is transformed into a YCrCb triplet. The Y value is the luminance (black and white) level and the Cr/Cb values are chrominance (color information) levels. Each frame is divided into macroblocks. Each macroblock corresponds to a 16x16 pixel area of the original image. A macroblock is composed of a set of 8x8 pixel blocks, four from the Y plane and one from each of the Cr and Cb planes. Macroblocks belonging to I frames are spatially encoded and macroblocks belonging to P and B frames are temporally interpolated from the corresponding reference frames and the difference between the actual and reference value is encoded. The interpolation process also produces a forward prediction vector for P frames and forward as well as backward prediction vectors for B frames. Each block is transformed using the Discrete Cosine Transform (DCT) and the resulting coefficients are quantized. The quantization output is linearized in a zig-zag order to a vector <DC, AC1, AC2,......, AC63>. Run length encoding and then Huffman Entropy coding are applied on the vector. The motion vector is also coded using Huffman Entropy coding. Every Huffman codeword reserves a sign bit. These sign bits are the exact positions which we encrypt for secure video transmission.

3.2 Introduction to AES

AES (Rijndael) has been chosen by the National Institute of Standards and Technology (NIST) as the cryptography algorithm for use by U.S. Government organizations to protect sensitive information. The cipher has a variable block length and key length of 128, 192, or 256 bits.

AES is a key-iterated block cipher. The algorithm is the same on the encryption and decryption sides, except that at decryption time the inverse operations are performed. The input to the cipher is a one dimensional array of plaintext which is converted to a state matrix. For each round transformation, the round key is derived from the cipher key and never specified directly. Each round transformation is composed of four different transformations: ByteSub, ShiftRow, MixColumn, and AddRoundKey. Ten rounds of the transformation are applied repeatedly to the state. The ByteSub transformation is a non-linear byte substitution, operating on each of the state bytes independently. The inverse of ByteSub is the byte substitution where the inverse table is applied. In ShiftRow, the rows of the state are cyclically shifted over different offsets. Row 0 is not shifted; Rows 1, 2, and 3 are shifted over 1, 2, and 3 bytes respectively. The inverse ShiftRow is a cyclic shift of the 3 bottom rows over 3, 2, and 1 bytes respectively. In MixColumn, every column is transformed by multiplying it with a specific multiplication polynomial. The inverse of MixColumn is the same. In AddRoundKey, a round key is applied to the state by a simple bitwise EXOR. AddRoundKey is self inverse.

Our Algorithm

MPEG video encryption aims to prevent unauthorized receivers from decoding the video programs by encrypting them. The general scheme is to apply an invertible transformation to the video stream S, called the plaintext, that produces a bitstream C, called the ciphertext,

(1)

An authorized receiver who has a secret key k2 can decrypt the video by the transformation,

(2)

The decryption process is,

(3)

where k1 is called the encryption key and k2 is called the decryption key. Our MPEG encryption algorithm is a selective encryption algorithm which only operates on the sign bits of DCT coefficients and motion vectors of an MPEG compressed video. An MPEG compressed video S is a bitstream which can be represented as

S= ... ... .....

where (i=1,2,3.....) are all of the sign bits of DCT and motion vector coefficients. For DC coefficients of I frames, these sign bits are differential values since they are differentially coded. 128 sign bits are selected from a macroblock and the AES algorithm is applied to them. The secret key k used is a randomly generated bit stream of 128 bits. The input to the cipher is a one dimensional array of 128 sign bits arranged as a 4x4 state matrix. The cipher output is extracted after 10 rounds of repeated application of the round transformation on the state. The expanded key for each round shall always be derived from the cipher key. The resulting 128 bits are put back in the respective positions from which they were collected. The AES encryption operation randomly changes the sign bits of coefficients. Based on the secret key used, each sign bit is either changed or unchanged. Even if only some of the coefficients are changed, these changes will propagate to most of the Inverse DCT (IDCT) coefficients while decoding. Our algorithm achieves the goal of reducing and bounding its computation time by limiting the maximum number of bits selected.

Those who have the secret key can decrypt the video file and get the original video. The decryption function is the same as the encryption function except that the inverse operation is performed. Encryption and decryption keys are the same. For those who do not have the secret key, their decoders will play quite different images from the original video, because most of the image pixel values would have been changed.
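The propagation claim above can be checked numerically. The following is an added example, not code from the paper: it flips the sign of a single coefficient in a constructed 8x8 block and counts how many decoded samples move. The block values, function names and threshold are assumptions.

```python
import math

N = 8  # MPEG-1 transforms 8x8 blocks

def idct2(coef):
    """Inverse 2-D DCT of one 8x8 block, in the usual JPEG/MPEG-1 form."""
    scale = [math.sqrt(0.5)] + [1.0] * (N - 1)          # C(0) = 1/sqrt(2)
    cos = [[math.cos((2 * x + 1) * u * math.pi / 16) for u in range(N)]
           for x in range(N)]
    return [[sum(scale[u] * scale[v] * coef[u][v] * cos[x][u] * cos[y][v]
                 for u in range(N) for v in range(N)) / 4
             for y in range(N)] for x in range(N)]

def changed_pixels(block, flips, threshold=1.0):
    """Count decoded samples that move by more than `threshold` after flips."""
    flipped = [row[:] for row in block]
    for u, v in flips:
        flipped[u][v] = -flipped[u][v]      # what a changed sign bit does
    before, after = idct2(block), idct2(flipped)
    return sum(abs(before[x][y] - after[x][y]) > threshold
               for x in range(N) for y in range(N))

# Constructed sample: a dequantized block with four nonzero coefficients.
BLOCK = [[0] * N for _ in range(N)]
BLOCK[0][0], BLOCK[0][1], BLOCK[1][0], BLOCK[2][1] = 240, -60, 45, 30

if __name__ == "__main__":
    for pos in [(0, 0), (0, 1), (1, 0)]:
        print(pos, changed_pixels(BLOCK, [pos]), "of 64 samples changed")
```

A zero coefficient carries no sign information, so flipping it changes nothing; only nonzero coefficients contribute sign bits to the cipher input.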
Algorithm for Video Encryption/Decryption
begin
  open MPEG video file
  create output file
  while (not end of MPEG file)
  {
    read n bytes from input file in buffer
    for each byte in buffer
    {
      if (collected sign bits == 128)
      {
        /* apply AES encryption algorithm */
        Rijndael(state, cipher_key)
        {
          key_expansion(cipher_key, expanded_key)
          add_round_key(state, expanded_key)
          /* Nr: Number of rounds,
             Nc: No. of columns of state matrix */
          for (i = 1; i < Nr; i++)
            Round(state, expanded_key + Nc*i)
          Final_round(state, expanded_key + Nc*Nr)
        }
        put resulting sign bits in original place
      }
    }
    write n bytes from buffer to output file
  }
  close input and output file
end
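The encryption side of the pseudocode above, as an added runnable example (not the authors' C implementation). A list of integer coefficients stands in for the Huffman-decoded stream, nonzero entries are taken as the sign-bit positions, bits are packed most-significant first, and all function names are assumptions; the receiver would apply the inverse cipher, which is not shown.

```python
def _xt(a):  # multiply by x in GF(2^8), reduced by the AES polynomial
    return ((a << 1) ^ 0x11B) if a & 0x80 else a << 1

def _sbox():  # ByteSub table: field inverse followed by the affine map
    box, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= _xt(p)                                        # p = p * 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF   # q = q / 3
        q ^= 0x09 if q & 0x80 else 0
        v = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)  # sum of rotations
        box[p] = ((v ^ (v >> 8)) & 0xFF) ^ 0x63
        if p == 1:
            return box

SBOX = _sbox()

def _round_keys(key):  # 11 round keys, all derived from the cipher key
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xt(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[r:r + 4], []) for r in range(0, 44, 4)]

def aes128_encrypt(block, key):
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                             # ByteSub
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRow
        if rnd < 10:                                         # MixColumn
            cols = [s[c:c + 4] for c in range(0, 16, 4)]
            s = [a[j] ^ a[0] ^ a[1] ^ a[2] ^ a[3] ^ _xt(a[j] ^ a[(j + 1) % 4])
                 for a in cols for j in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]              # AddRoundKey
    return bytes(s)

def encrypt_signs(coeffs, key):  # sign bits of nonzero coefficients, 128 at a time
    out, idx = list(coeffs), [i for i, c in enumerate(coeffs) if c]
    for start in range(0, len(idx) - 127, 128):   # a short tail stays in clear
        grp = idx[start:start + 128]
        bits = sum((out[i] < 0) << (127 - n) for n, i in enumerate(grp))
        enc = int.from_bytes(aes128_encrypt(bits.to_bytes(16, "big"), key), "big")
        for n, i in enumerate(grp):               # write back to original place
            out[i] = -abs(out[i]) if (enc >> (127 - n)) & 1 else abs(out[i])
    return out
```

As in the pseudocode, the cipher runs only once 128 sign bits have been collected, so a final group shorter than 128 bits is written out unencrypted; each full group is also encrypted independently under the same key.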

Experiments

The following experiments were conducted on MPEG-1 video. A secure video streaming system was implemented using a client-server model on the Linux platform in the C language. In real time, encryption is done at the server side while decryption is done at the client side. It is impossible to include all the image frames here. Instead we show just one frame from the video sequence to demonstrate our algorithm. Our implementation uses AES since it is faster and more secure than DES/IDEA. The original frame is shown in Figure 1.

Figure 1: Original Frame


1. Encrypting I frame headers: The video image is blurred but the user can still determine what is happening in the video. This is useful in systems like video-on-demand where unauthorised users are prevented from watching the movie. This is the lowest level of encryption. This is shown in Figure 2.
2. Encrypting sign bits of all AC and DC coefficients: The video image is incomprehensible. But one can notice the motion of the objects. This is the medium level of encryption. This is shown in Figure 3.
3. Encrypting sign bits of all AC, DC and motion vector coefficients: This algorithm has been explained above. The video image is incomprehensible and you also can't see the motion of the objects. But playing time is reduced as the MPEG-1 decoder cannot predict exact forward and backward motion in P and B frames. This is a higher level of encryption than the previous one. This is shown in Figure 4.

Figure 2: Encrypted all I frame headers

Figure 3: Encrypted all ACs and DCs

Figure 4: Encrypted all ACs, DCs and motion vectors

Discussion and conclusion

Our algorithm selectively encrypts a fraction of the whole video. It is faster than encrypting the whole video with AES. We found that in typical MPEG-1 videos sign bits occupy less than 10% of the entire video bitstream. Therefore it can save up to 90% of encryption time compared to the algorithm which encrypts the entire video. It encrypts at most 128 bits, no matter what type of frame is used. This considerably reduces encryption computations while achieving satisfactory encryption results. A software implementation is fast enough to meet the real-time requirements of MPEG-1 decoding. We believe that this can be used for secure video-on-demand applications and pay-per-view programs.

References

1. Le Gall, Didier, "MPEG: A Video Compression Standard for Multimedia Applications," Communications of the ACM, vol. 34, no. 4, pp. 46-58, April 1991.
2. NIST Home Page, http://csrc.nist.gov/encryption/aes
3. C. Shi, Sheng-Yih Wang, and Bharat Bhargava, "MPEG Video Encryption in Real-time using secret key cryptography", Proc. of PDPTA 99, Las Vegas, Nevada, 1999.
4. C. Shi and Bhargava, "A Fast MPEG Video Encryption Algorithm", Proceedings of ACM International Multimedia Conference, Bristol, UK, pp. 81-88, September 1998.
5. I. Agi and L. Gong, "An Empirical Study of MPEG Video Transmission", Proceedings of the Internet Society Symposium on Network and Distributed Systems Security, pp. 137-144, San Diego, CA, Feb. 1996.
6. Lei Tang, "Methods for Encrypting and Decrypting MPEG Video Data Efficiently", Proceedings of ACM Multimedia 96, pp. 219-229, Boston, MA, November 1996.
