A%20System%20for%20End-to-end%20Authentication%20of%20Adaptive%20Multimedia%20Content

1
A System for End-to-end Authentication of
Adaptive Multimedia Content

• T. Suzuki1, Z. Ramzan2, H. Fujimoto1, C. Gentry2,
  T. Nakayama1, and R. Jain2
• 1NTT DoCoMo, Inc.
• 2DoCoMo Communication Laboratories, USA

2
Background

• Adaptive (derivative) content distribution
  systems
• Application examples
• Content customization
• Based on preference, device capability, location,
  etc
• Personalized advertisement insertion
• Content creation
• Create original content using commercially
  available content
• Add Flash/movie clip to music clip
• Extract movie/music clip for audio/visual ring
  tone

Tier-1 Provider
Tier-2 Provider
Content User
Original Content
Derived Content
3
Benefit of content adaptation services

• for Tier-1 providers
• Revenue from both original and derived content
• Content reuse
• for Tier-2 providers
• High quality content from tier-1 providers
• Revenue from value-added content
• for End-user
• Value-added content from tier-2 provider

4
Objective of this study

• Achieve adaptive content distribution, with
  end-to-end authenticity of content.
• Tier-1 provider can protect original content and
  its usage policy from illegitimate modification.
• Tier-2 provider can protect value-added content
  and additional policy.
• End-user can verify the authenticity of both
  original and derived content.

5
Challenge contribution

• Challenge
• Achieve end-to-end authenticity while allowing
  insertion of content as well as deletion by
  authorized tier-2 providers
• Control the place for content insertion
• Avoid deletion of the inserted content without
  detection
• Low communication and computation overhead
• Contribution
• Place-holder extension to Merkle-tree based
  signature scheme
• Embodiment of the extension using trapdoor hash
  function

6
Merkle tree, signing
ve
Signature ltve, Sig0(ve)gt
vi hash ( xi vi0 vi1 )
v0
v1
Construct
Verify
v00
v01
v10
v11
v000
v001
v010
v011
v100
v101
v110
v111
x000
x001
x010
x011
x100
x101
x110
X111
X
7
Merkle tree, deletion
ve
Signature ltve, Sig0(ve)gt
vi hash ( xi vi0 vi1 )
v0
v1
Construct
Verify
v00
v01
v10
v11
v000
v001
v010
v011
v100
v101
v110
v111
x000
x001
x010
x011
x100
x101
x110
X111
X
8
Merkle tree, placeholder extension

• Signer allocates placeholder in hash tree, so
  that Proxy can insert content and commit to it.

ve
Signature ltve, Sig0(ve)gt
vn
Placeholder
Information specifying the placeholder
vn0
vn1
9
Realization using conventional signature scheme
(CS)

• Signer places Proxys public key in the
  placeholder.
• Proxy attaches its content and signs it
  separately.

Signer
Proxy
Signature ltve, Sig0(ve)gt
ltProxys signgt
ve
vn
Placeholder
Placeholder
Public key of Proxy
Public key of Proxy
vn0
vn1
vn1
m
10
Realization using hash-sign-switch (HSS)

• Trapdoor hash function
• A special type of hash functions
• The owner of trapdoor key can find collision of
  hash.
• Trapdoor hash TH HY(m, r)
• Trapdoor key X and public key Y
• If X is unknown, there is no efficient algorithm
• to find (m1, r1) and (m2, r2), (m1?m2)
• such that HY(m1, r1) HY(m2, r2)
• If X is known, there is an efficient algorithm
  given m1, m2(?m1), r2
• to find r2
• such that HY(m1, r1) HY(m2, r2)

11
Realization using hash-sign-switch

• Signer places TH and Y generated by Proxy in the
  placeholder.
• Proxy attaches its content m and its commitment r.

Signer
Proxy
r
Signature ltve, Sig0(ve)gt
ve
vn
Placeholder
Placeholder
TH and Y generated by Proxy
TH and Y generated by Proxy
vn0
vn1
vn1
m
12
Block diagram of HSS scheme
Tier-2 provider
Tier-1 provider
End User
Generate parameters X, Y, r, m
Trapdoor Hash TH HY(m, r)
TH, Y, r, m
Set Placeholder in hash tree
Commitment r TH HY(m, r)
X, r, m
TH
m
r
Sign
Verify

Sign TH
Sign TH r
r
SignTH
TH
TH
m
13
Construction of a trapdoor hash function

• Based on discrete logarithm assumption (DLA)
• Let q, p be primes such that q p-1
• Let g be an element of order q in Zp
• Trapdoor key x is random number from Zq
• Public key y gx mod p
• Hy(m, r) gmyr
• To find r2 such that Hy(m1, r1) Hy(m2, r2)
  byr2 ( m1 - m2 ) x -1 r1

14
Limited reuse of placeholder

• In DLA based hash-sign-switch, a placeholder can
  be used only once, otherwise trapdoor key x
  leaks.
• Modification to enable k-time reuse
• Generate k public keysyi gxi (mod p) 1 i
  k
• Compute hash TH gmy1r (mod p)
• To insert i-th content mi, Proxy computesri
  (m rx1 mi) xi-1 mod q
• Verifier checks gmiyiri TH

15
Preventing removal of inserted content m

• Proxy signs each of its placeholders regardless
  of whether it wishes to insert content into it.
• Then, any placeholder without a signature
  constitutes evidence that Proxys content was
  illegitimately deleted.
• Proxy aggregates its signature with Signers
  signature.
• Since it is impossible for a third party to
  disaggregate the signatures, Proxy can ensure
  that m cannot be removed without detection.
• Example BGLS aggregate signature scheme 19

16
Prototype System
Meta-data level adaptation
Original Meta-data
Tier-1 Provider
Tier-2 Provider
Modified Meta-data
Primary Media File
Secondary Media File
Modified Media File/Stream
Media Servers
Content User

• Apply the proposed signature scheme for meta-data
  level adaptation

17
Assumptions in our prototype

• User device (e.g., mobile phone) is trusted by
  tier-1, tier-2 providers, and end users.
• To detect modification against usage rule.
• To detect modification against commitment.
• To verify content authenticity.
• To take appropriate response upon detection of .

18
Information flow
Tier-1 provider
Tier-2 provider
User device
Tier-2 provider
Tier-2 provider
Placeholder provisioning service
Space for Ad. phidm
Information for placeholder
Request Placeholder
Space for Ad. phidn
Build hash tree with placeholder
Insert elements
Commit
Sign
Verify
Equivalent to SMIL document structure
19
Implementation

• Content of meta-data
• Scene description written in W3C/SMIL
• Usage policy and evaluation of modification
• OASIS/XACML
• Signature on meta-data
• W3C/XML-DSIG with extension to support hash tree
  and placeholder extension
• Placeholder request from tier-2 to tier-1
  provider
• W3C/SOAP
• Verification module
• HTTP proxy which evaluates a signed SMIL
  document, and outputs a normal SMIL document.

20
SMIL document to be signed
lt?xml version1.0?gt ltsmilgt lthead/gt ltbodygt lts
eqgt ltpargt ltvideo srcrtsp//tyer-1/video1.
rm/gt ltvideo srcrtsp//tyer-1/music1.rm/gt

lt/pargt ltpargt ltvideo
phid1/gt lt/pargt lt/seqgt lt/bodygt lt/smilgt
URLs of multimedia content which construct the
scene
Placeholder with ID (phid) of 1
21
Signed SMIL document
lt?xml version1.0?gt ltDocumentRootgt ltPolicy/gt
ltsmil/gt ltSignaturegt ltSignedInfogt ltCanonic
alizationMethod/gt ltSignatureMethod/gt ltReferenc
e URI/DocumentRoot/Policy /gt ltReference
URI/DocumentRoot/smil/head /gt ltReference
URI/DocumentRoot/smil/bodygt ltDigestMethod
AlgorithmHashTreeConstruction/gt ltDigestValue
gt root_node_of_hash_tree lt/DigestValuegt lt/Refere
ncegt ltTrapdoorHashMethod AlgorithmDiscrete
Log phid1gt ltPublicValuegt
public_values_of_trapdoor_hash lt/PublicValuegt lt
TrapdoorHashValuegt trapdoor_hash_value
lt/TrapdoorHashValuegt lt/TrapdoorHashMethodgt lt/Si
gnedInfogt ltSignatureValuegt Signature
lt/SignatureValuegt lt/Signaturegt lt/DocumentRootgt
Contains XACML policy document
XML-DSIG with extension
22
SMIL element after adaptation

• One video URL is deleted
• One video URL is inserted

ltsmilgt lthead/gt ltbodygt ltseqgt ltpargt ltvideo
srcrtsp//tyer-1/video1.rm/gt ltvideo
adaptationdelete/gt lt/pargt ltpargt
ltvideo phid1 srcrtsp//tyer-2/xxx.rm
adaptationadd/gt lt/pargt lt/seqgt
lt/bodygt lt/smilgt
23
Signature element after commitment

• Add commitment value corresponding to the
  inserted content (identified by phid)

ltSignaturegt ltSignedInfogt ltCanonicalizationMetho
d/gt ltSignatureMethod/gt ltReference
URI/DocumentRoot/Policy /gt ltReference
URI/DocumentRoot/smil/head /gt ltReference
URI/DocumentRoot/smil/body /gt ltTrapdoorHashMeth
od AlgorithmDiscrete Log phid1/gt
lt/SignedInfogt ltSignatureValue/gt ltAdditiveSigna
ture phid1gt ltCommitmentValuegtCommitment_Value
_of_TrapdoorHash lt/CommitmentValuegt lt/AdditiveSig
naturegt lt/Signaturegt
24
Performance evaluation

• Platforms
• Modules in tier-2 provider (SMIL document
  adaptation, policy check, commitment)
• 3GHZ Pentium 4 with 1GB memory, running Redhat
  Linux 2.4.20.
• Modules in user device (signature and commitment
  verification, policy check)
• 866MHz Pentium III machine with 512 MB memory,
  running Windows XP.
• Parameter of public key signature
• 1024-bit DSA-SHA1 in XML-DSIG
• 1024-bit modulus for trapdoor hash (DLA)

25
Computational overhead in tier-2 provider

• HSS can reduce commitment overhead by 95
  compared to CS.

26
Computational overhead in user device

• The verification overhead of HSS is higher than
  CS by 32.

27
Overall computational overhead
28
Alternative approach for secure adaptive content
distribution

• Trusted content sharing system10 Content
  adaptation on a trusted host
• Tier-1 provider trusts the host to enforce access
  policy.
• Tier-1 provider trusts the host to sign the
  content on its behalf.
• In our system, we assume weak trust between
  tier-1 and tier-2 providers.
• Tier-2 buys original content subject to its usage
  rule.
• Tier-1 presumes tier-2 might try to perform
  illegal modification of content and its usage
  rule.
• (We assume strong trust on user devices.)

29
Related works

• Homomorphic signature scheme 12
• Permit selective content removal
• Merkle trees are used to create message digest
• Deletions involve creating a small cover for the
  subset of the removed data items
• We proposed placeholder extension to the Merkle
  tree based signature scheme, and proposed two
  schemes to realize the placeholder.

30
Future works

• Other components to realize adaptive content
  protection
• Content encryption
• Key management
• Media data protection (streaming, mp4 file, etc)
• Etc

31
Conclusion

• Presented adaptive content distribution system
  with end-to-end authenticity.
• Proposed a Merkle tree based signature scheme
  with placeholder extension.
• Proposed two scheme to realize the placeholder
• Conventional signature (CS)
• Hash-sign-switch (HSS)
• HSS can reduce commitment overhead at Proxy at
  the cost of verification overhead.