371
Partial Encryption Of Video For Communication And Storage. Yuksel, Turan. 01 September 2003.
In this study, a new method is proposed to protect video data through partial encryption. Unlike previous methods, the bit rate of the encrypted portion can be controlled. In order to accomplish this task, a simple model for the time to break the partial encryption by a ciphertext-only attack is defined. Then, the encrypted bit budget distribution strategy maximizing the time subject to the bitrate constraint is found. An algorithm to estimate the model parameters is constructed and it is then implemented over an MPEG-4 natural video codec together with the bit budget distribution strategy. The encoder is tested with various image sequences and the output is analyzed.
In addition to the developed video encryption method, a file format is defined to store encryption related side information.
372
Secure Wavelet-based Coding of Images, and Application to Privacy Protected Video Surveillance. Martin, Karl. 16 February 2011.
The protection of digital images and video from unauthorized access is important for a number of applications, including privacy protection in video surveillance and digital rights management for consumer applications. However, traditional cryptographic methods are not well suited to digital visual content. Applying standard encryption approaches to the entire content can require significant computational resources due to the large size of the data. Furthermore, digital images and video often need to be manipulated, such as by resizing or transcoding, which traditional encryption would hinder. A number of image and video-specific encryption approaches have been proposed in the literature, but many of them have a significant negative impact on the ability to compress the data, which is a necessary requirement of most imaging systems.
In this work, a secure image coder, called Secure Set Partitioning in Hierarchical Trees (SecSPIHT), is proposed. It combines wavelet-based image coding (compression) with efficient encryption. The encryption is applied to a small number of selected bits in the code domain, to achieve complete confidentiality of all the content while having no negative impact on compression performance. The output of the system is a secure code that cannot be decrypted and decoded without the provision of a secret key. It has superior rate-distortion performance compared to JPEG and JPEG2000, and the bit-rate can be easily scaled via a simple truncation operation. The computational overhead of the encryption operation is very low, typically requiring less than 1% of the coded image data to be encrypted.
A related secure object-based coding approach is also presented. Called Secure Shape and Texture Set Partitioning in Hierarchical Trees (SecST-SPIHT), it codes and encrypts arbitrarily-shaped visual objects. A privacy protection system for video surveillance is proposed, using SecST-SPIHT to protect private data, such as face and body images appearing in surveillance footage. During normal operation of the system, the private data objects are protected via SecST-SPIHT. If an incident occurs that requires access to the data (e.g., for investigation), a designated authority must release the key. This is superior to other methods of privacy protection which irreversibly blur or mask the private data.
373
Light-Weight Authentication Schemes with Applications to RFID Systems. Malek, Behzad. 03 May 2011.
The first line of defence against wireless attacks in Radio Frequency Identification (RFID) systems is authentication of tags and readers. RFID tags are very constrained in terms of power, memory and size of circuit. Therefore, RFID tags are not capable of performing sophisticated cryptographic operations. In this dissertation, we have designed light-weight authentication schemes to securely identify the RFID tags to readers and vice versa. The authentication schemes require simple binary operations and can be readily implemented in resource-constrained Radio Frequency Identification (RFID) tags. We provide a formal proof of security based on the difficulty of solving the Syndrome Decoding (SD) problem. Authentication verifies the unique identity of an RFID tag, making it possible to track a tag across multiple readers. We further protect the identity of RFID tags by a light-weight privacy-protecting identification scheme based on the difficulty of the Learning Parity with Noise (LPN) complexity assumption. To protect RFID tag authentication against relay attacks, we have designed a resistance scheme in the analog realm that does not have the practicality issues of existing solutions. Our scheme is based on the chaos-suppression theory and it is robust to inconsistencies, such as noise and parameter mismatch. Furthermore, our solutions are based on asymmetric-key algorithms that better facilitate the distribution of cryptographic keys in large systems. We have provided a secure broadcast encryption protocol to efficiently distribute cryptographic keys throughout the system with minimal communication overheads. The security of the proposed protocol is formally proven in the adaptive adversary model, which simulates the attacker in the real world.
374
A Security Analysis of Some Physical Content Distribution Systems. Jiayuan, Sui. January 2008.
Content distribution systems are essentially content protection systems that protect premium multimedia content from being illegally distributed. Physical content distribution systems form a subset of content distribution systems with which the content is distributed via physical media such as CDs, Blu-ray discs, etc.
This thesis studies physical content distribution systems. Specifically, we concentrate our study on the design and analysis of three key components of the system: broadcast encryption for stateless receivers, mutual authentication with key agreement, and traitor tracing. The context in which we study these components is the Advanced Access Content System (AACS). We identify weaknesses present in AACS, and we also propose improvements to make the original system more secure, flexible and efficient.
375
Energy Efficiency Analysis and Implementation of AES on an FPGA. Kenney, David. January 2008.
The Advanced Encryption Standard (AES) was developed by Joan Daemen and Vincent Rijmen and endorsed by the National Institute of Standards and Technology in 2001. It was designed to replace the aging Data Encryption Standard (DES) and be useful for a wide range of applications with varying throughput, area, power dissipation and energy consumption requirements.
Field Programmable Gate Arrays (FPGAs) are flexible and reconfigurable integrated circuits that are useful for many different applications including the implementation of AES. Though they are highly flexible, FPGAs are often less efficient than Application Specific Integrated Circuits (ASICs); they tend to operate slower, take up more space and dissipate more power. There have been many FPGA AES implementations that focus on obtaining high throughput or low area usage, but very little research done in the area of low power or energy efficient FPGA based AES; in fact, it is rare for estimates on power dissipation to be made at all.
This thesis presents a methodology to evaluate the energy efficiency of FPGA based AES designs and proposes a novel FPGA AES implementation which is highly flexible and energy efficient. The proposed methodology is implemented as part of a novel scripting tool, the AES Energy Analyzer, which is able to fully characterize the power dissipation and energy efficiency of FPGA based AES designs. Additionally, this thesis introduces a new FPGA power reduction technique called Opportunistic Combinational Operand Gating (OCOG) which is used in the proposed energy efficient implementation.
The AES Energy Analyzer was able to estimate the power dissipation and energy efficiency of the proposed AES design during its most commonly performed operations. It was found that the proposed implementation consumes less energy per operation than any previous FPGA based AES implementations that included power estimations. Finally, the use of Opportunistic Combinational Operand Gating on an AES cipher was found to reduce its dynamic power consumption by up to 17% when compared to an identical design that did not employ the technique.
378
Distributed Key Generation and Its Applications. Kate, Aniket. 25 June 2010.
Numerous cryptographic applications require a trusted authority to hold a secret. With a plethora of malicious attacks over the Internet, however, it is difficult to establish and maintain such an authority in online systems. Secret-sharing schemes attempt to solve this problem by distributing the required trust to hold and use the secret over multiple servers; however, they still require a trusted dealer to choose and share the secret, and have problems related to single points of failure and key escrow. A distributed key generation (DKG) scheme overcomes these hurdles by removing the requirement of a dealer in secret sharing. A (threshold) DKG scheme achieves this using a complete distribution of the trust among a number of servers such that any subset of servers of size greater than a given threshold can reveal or use the shared secret, while any smaller subset cannot. In this thesis, we make contributions to DKG in the computational security setting and describe three applications of it.
We first define a constant-size commitment scheme for univariate polynomials over finite fields and use it to reduce the size of broadcasts required for DKG protocols in the synchronous communication model by a linear factor. Further, we observe that the existing (synchronous) DKG protocols do not provide a liveness guarantee over the Internet and design the first DKG protocol for use over the Internet. Observing the necessity of long-term stability, we then present proactive security and group modification protocols for our DKG system. We also demonstrate the practicality of our DKG protocol over the Internet by testing our implementation over PlanetLab.
For the applications, we use our DKG protocol to define IND-ID-CCA secure distributed private-key generators (PKGs) for three important identity-based encryption (IBE) schemes: Boneh and Franklin's BF-IBE, Sakai and Kasahara's SK-IBE, and Boneh and Boyen's BB1-IBE. These IBE schemes cover all three important IBE frameworks: full-domain-hash IBEs, exponent-inversion IBEs and commutative-blinding IBEs respectively, and our distributed PKG constructions can easily be modified for other IBE schemes in these frameworks. As the second application, we use our distributed PKG for BF-IBE to define an onion routing circuit construction mechanism in the identity-based setting, which solves the scalability problem in single-pass onion routing circuit construction without hampering forward secrecy. As the final application, we use our DKG implementation to design a threshold signature architecture for quorum-based distributed hash tables and use it to define two robust communication protocols in these peer-to-peer systems.
379
Secure Schemes for Semi-Trusted Environment. Tassanaviboon, Anuchart. January 2011.
In recent years, two distributed system technologies have emerged: Peer-to-Peer (P2P) and cloud computing. For the former, the computers at the edge of networks share their resources, i.e., computing power, data, and network bandwidth, and obtain resources from other peers in the same community. Although this technology enables efficiency, scalability, and availability at low cost of ownership and maintenance, peers defined as "like each other" are not wholly controlled by one another or by the same authority. In addition, resources and functionality in P2P systems depend on peer contribution, i.e., storing, computing, routing, etc. These specific aspects raise security concerns and attacks that many researchers try to address. Most solutions proposed by researchers rely on public-key certificates from an external Certificate Authority (CA) or a centralized Public Key Infrastructure (PKI). However, both CA and PKI are contradictory to fully decentralized P2P systems that are self-organizing and infrastructureless.
To avoid this contradiction, this thesis concerns the provisioning of public-key certificates in P2P communities, which is a crucial foundation for securing P2P functionalities and applications. We create a framework, named the Self-Organizing and Self-Healing CA group (SOHCG), that can provide certificates without a centralized Trusted Third Party (TTP). In our framework, a CA group is initialized in a Content Addressable Network (CAN) by trusted bootstrap nodes and then grows to a mature state by itself. Based on our group management policies and predefined parameters, the membership in a CA group is dynamic and has a uniform distribution over the P2P community; the size of a CA group is kept to a level that balances performance and acceptable security. The multicast group over an underlying CA group is constructed to reduce communication and computation overhead from collaboration among CA members. To maintain the quality of the CA group, the honest majority of members is maintained by a Byzantine agreement algorithm, and all shares are refreshed gradually and continuously. Our CA framework has been designed to meet all design goals, being self-organizing, self-healing, scalable, resilient, and efficient. A security analysis shows that the framework enables key registration and certificate issue with resistance to external attacks, i.e., node impersonation, man-in-the-middle (MITM), Sybil, and a specific form of DoS, as well as internal attacks, i.e., CA functionality interference and CA group subversion.
Cloud computing is the most recent evolution of distributed systems that enable shared resources like P2P systems. Unlike P2P systems, cloud entities are asymmetric in roles like client-server models, i.e., end-users collaborate with Cloud Service Providers (CSPs) through Web interfaces or Web portals. Cloud computing is a combination of technologies, e.g., SOA services, virtualization, grid computing, clustering, P2P overlay networks, management automation, and the Internet, etc. With these technologies, cloud computing can deliver services with specific properties: on-demand self-service, broad network access, resource pooling, rapid elasticity, measured services. However, these core technologies have their own intrinsic vulnerabilities, so they induce specific attacks on cloud computing. Furthermore, since public clouds are a form of outsourcing, the security of users' resources must rely on CSPs' administration. This situation raises two crucial security concerns for users: locking data into a single CSP and losing control of resources. Providing inter-operations between Application Service Providers (ASPs) and untrusted cloud storage is a countermeasure that can protect users from lock-in with a vendor and losing control of their data.
To meet the above challenge, this thesis proposes a new authorization scheme, named OAuth and ABE based authorization (AAuth), that is built on the OAuth standard and leverages Ciphertext-Policy Attribute Based Encryption (CP-ABE) and ElGamal-like masks to construct ABE-based tokens. The ABE-tokens can facilitate a user-centric approach, end-to-end encryption and end-to-end authorization in semi-trusted clouds. With these facilities, owners can take control of their data resting in semi-untrusted clouds and safely use services from unknown ASPs. To this end, our scheme divides the attribute universe into two disjoint sets: confined attributes defined by owners to limit the lifetime and scope of tokens, and descriptive attributes defined by authority(s) to certify the characteristics of ASPs. Security analysis shows that AAuth maintains the same security level as the original CP-ABE scheme and protects users from exposing their credentials to ASPs, as OAuth does. Moreover, AAuth can resist both external and internal attacks, including untrusted cloud storage. Since most cryptographic functions are delegated from owners to CSPs, AAuth gains computing power from clouds. In our extensive simulation, AAuth's greater overhead was balanced by greater security than OAuth's. Furthermore, our scheme works seamlessly with storage providers by retaining the providers' APIs in the usual way.
380
Low-Density Parity-Check Codes with Erasures and Puncturing. Ha, Jeongseok Ha. 01 December 2003.
In this thesis, we extend applications of Low-Density Parity-Check (LDPC) codes to a combination of constituent sub-channels, which is a mixture of Gaussian channels with erasures. This model, for example, represents a common channel in magnetic recordings where thermal asperities in the system are detected and represented at the decoder as erasures. Although this channel is practically useful, we cannot find any previous work that evaluates performance of LDPC codes over this channel. We are also interested in practical issues such as designing robust LDPC codes for the mixture channel and predicting performance variations due to erasure patterns (random and burst), and finite block lengths.
On time varying channels, a common error control strategy is to adapt the coding rate according to available channel state information (CSI). An effective way to realize this coding strategy is to use a single code and puncture it in a rate-compatible fashion, a so-called rate-compatible punctured code (RCPC). We are interested in the existence of good puncturing patterns for rate-changes that minimize performance loss. We show the existence of good puncturing patterns with analysis and verify the results with simulations.
Universality of a channel code across a broad range of coding rates is a theoretically interesting topic. We are interested in the possibility of using the puncturing technique proposed in this thesis for designing universal LDPC codes. We also consider how to design high rate LDPC codes by puncturing low rate LDPC codes. The new design method can take advantage of longer effective block lengths, sparser parity-check matrices, and larger minimum distances of low rate LDPC codes.