1: INTRODUCTION

Plaintext Ciphertext Plaintext Encryption Decryption

Key1 Key2

FIGURE 5.2: Encryption and decryption.

confidentiality. Therefore, if Alice wants to send the message to Bob in a secret way, Alice could encrypt the message before sending it.

• Symmetric key/public key: In Figure 5.2, if it is computationally “easy”

to determine Key2 from Key1 and to determine Key1 from Key2, the encryption scheme is a symmetric key encryption scheme. In a public key encryption scheme, the known key is called a public key, and the unknown key is called a private key; it is computationally “infeasible” to get the pri- vate key from the public key. Symmetric key and public key encryption schemes have a number of complementary advantages. Usually, the public key scheme is efficient in signatures (especially non-repudiation) and key management, and the symmetric key scheme is efficient in encryption and data integrity applications.

• One-way hash function. A one-way hash function is a hash function that

works in one direction. It has the properties of both a one-way function and a hash function. A good one-way hash function should fulfill the following requirements:

• Given a variable-length input string (called amessage), the output (called ahash digest) is a fixed-length string.

• Given messagemand a hash functionH, it should be easy and fast to compute the hash digesth=H(m).

• Given hash digesth, it should be hard to compute messagemsuch that

h=H(m).

• Given messagem, it should be hard to find another messagemsuch thatH(m)=H(m) (i.e., collision free).

These properties ensure the security of a one-way hash function against various attacks on both message and hash digest. The security is proportional to the length of the hash digest. For example, SHA-1 is a typical one-way hash function with a 160-bit output; an attacker would have to try an average of 280 random messages to obtain two messages with an identical hash digest (birthday attack). Another property of a one-way hash function is that the hash digest is not dependent on the input message in any discernible way; even a one-bit change in the message will result in a totally different hash digest.

• Message Authentication Code (MAC). MAC, also known as DAC (Data Authentication Code), is a one-way hash function with an additional secret key. The theory of MAC is exactly the same as that of a hash function, except only someone with the key can verify the hash digest.

• Digital Signature Schemes (DSS). A digital signature is a bit string which

associates the message with some originating entity. A DSS system, shown in Figure 5.3, consists of signature generation and signature verification. To protect the integrity of the data, a digital signature is dependent on the data to be signed. To meet the non-repudiation requirement, all digital signature algorithms are public key algorithms. The sender’s private key is employed to generate the signature, and the sender’s public key is used by recipients to verify the integrity of data and the sender’s identity. If a dispute arises as to whether a party signed a document (caused by either a lying signer trying to repudiate a signature he did create or a fraudulent claimant), an unbiased third party can resolve the matter equitably, without accessing the signer’s secret information.

Typical public key DSS include RSA (named for its creators-Rivest, Shamir and Adleman) and DSA (Digital Signature Algorithm, used as part of the Digital Sig- nature Standard) [1, 2]. In practical implementation, since public key algorithms are too inefficient to sign large size data, a digital signature is usually generated by signing the hash digest of the original data instead of the original data. The original data associated with its digital signature are then sent to the intended recipients. At the receiving site, the recipient can verify whether (i) the received data were altered and (ii) the data were really sent from the sender by using the sender’s public key to authenticate the validity of the attached signature. The authentication result is

Signature Generation Hash Hash Encryption Decryption Signature Public Key Received Data Signature Bit-by-bit Comparison Authentic/ Unauthentic Signature Verification Data Private Key

Section 5.1: INTRODUCTION 115

based on a bit-by-bit comparison between two hash digests (one is decrypted from the signature and the other is obtained by hashing the received data) by the crite- rion that the received data is deemed to be unauthentic even if a one-bit difference exists.

5.1.2 Multimedia Authentication

In data authentication, a one-bit difference between the original data and the received data results in authenticity failure. In most multimedia applications, how- ever, the received data are not an exact copy of the original data, though the meaning of the data is preserved. For example, lossy compression is often employed in video applications, e.g., MPEG-1/2/4 and H.264, to save the transmission bandwidth or storage capacity. The decompressed video is definitely different from the original video in terms of data representation; however, the meaning of the multimedia data remains unchanged so that the integrity of the multimedia content remains unbro- ken. Therefore, an authentication scheme which is different from the data authen- tication should be explored. We call this type of authentication schemecontent

authentication. In this chapter, the termcontentormultimedia contentrepresents

the meaning of the multimedia data, whiledataormultimedia datarefer to its exact representation (e.g., binary bitstream). For convenience,dataandmultimedia data,

contentandmultimedia contentare used interchangeably in this chapter.

In content authentication, multimedia content is considered authentic as long as the meaning of the multimedia data remains unchanged, regardless of any process or transformation the multimedia data has undergone. Contrary to the content authentication, an authentication scheme which does not allow any changes in the multimedia data is defined ascomplete authentication[3]. Obviously, data authentication belongs to complete authentication.

Multimedia authentication includes both complete authentication and content authentication. In practice, the selection of complete authentication or content authentication is application-dependent. For example, complete authentication is often employed in medical or financial applications to prevent each bit of the data from being altered; content authentication is often employed in civil or domestic applications, in which only the meaning of multimedia data is concerned. The requirements for multimedia authentication are similar to those in data authenti- cation, including integrity protection, source identification (non-repudiation), and security. However, definitions of integrity in complete authentication and content authentication are different.

In complete authentication, “integrity” refers to the whole multimedia data; even data with a one-bit alteration will be claimed as unauthentic. Therefore, no robustness is required. The main concern is the security of the authentica- tion scheme. Such criterion motivates researchers to develop signature-based complete authentication schemes whose security level is very high and can be proven mathematically.

In content authentication, integrity refers to the content of the multimedia data; the multimedia content is considered authentic as long as the meaning of the mul- timedia data remains unchanged. Therefore, besides the security requirement, a certain level of robustness to distortions is required. The distortions could be clas- sified into two classes, namelyincidental distortionandintentional distortion. Incidental distortion refers to the distortions introduced from real applications which do not change the content of the multimedia data, such as a noisy trans- mission channel, lossy compression, or video transcoding. Intentional distortion refers to the distortions introduced by the content modifications or attacks from malicious attackers. Content authentication should tolerate all incidental distor- tions while detecting any intentional distortions. In other words, it should be robust to incidental distortion while being sensitive to intentional distortion.

The requirement of a certain level of robustness to distortions is the main dif- ference between complete authentication and content authentication. This makes authenticating multimedia content much more challenging and complex [4].

In multimedia applications, defining acceptable manipulations is usually application-dependent, and different definitions of acceptable manipulations result in different incidental distortions. For example, rotating an object is not allow- able in frame-based image applications, but is allowable in object-based image applications. Therefore, the distortion introduced by the object rotation is an inci- dental distortion in an object-based image authentication system, but an intentional distortion in a frame-based image authentication system.

Even in a specific application, it is still very hard to formalize a clear boundary between incidental distortions and intentional distortions. In other words, it is hard to define a threshold to determine whether the content of the multimedia data is authentic or unauthentic. For example, ifmrepresents a distorted but still authentic version of the original imagem, we can always get a more distorted but still authentic version (m) by just modifying one pixel value ofm. Thus, as shown in Figure 5.4, a fuzzy region, in which the authentication result is “not known,” must exist. It means that certain false acceptance rates and false rejection rates are acceptable in the case of content authentication.

Due to its great success in data authentication, DSS has been directly applied in many multimedia authentication schemes (we denote these types of solutions as

digital signature-based multimedia authenticationsolutions). However, DSS has no robustness to any distortions, and it should only be used in complete authen- tication. To meet the requirement of robustness in content authentication while keeping the good properties of DSS (integrity protection, source identification, and security), a content-based signature, or media signature [5], is proposed. A media signature is robust to content preserving manipulations and sensitive to content modification.

Amedia signature scheme (MSS), as shown in Figure 5.5, is an extension of DSS. The only difference between MSS and DSS is the input to the encryption block.

Section 5.1: INTRODUCTION 117