GB2398210A - Encryption using a binary tree structure - Google Patents

Encryption using a binary tree structure Download PDF

Info

Publication number
GB2398210A
GB2398210A GB0302651A GB0302651A GB2398210A GB 2398210 A GB2398210 A GB 2398210A GB 0302651 A GB0302651 A GB 0302651A GB 0302651 A GB0302651 A GB 0302651A GB 2398210 A GB2398210 A GB 2398210A
Authority
GB
United Kingdom
Prior art keywords
data
decryption
portions
codes
level
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0302651A
Other versions
GB0302651D0 (en
Inventor
Jason Charles Pelly
Andrew Robert Taylor
Daniel Luke Hooper
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sony Europe Ltd
Original Assignee
Sony United Kingdom Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sony United Kingdom Ltd filed Critical Sony United Kingdom Ltd
Priority to GB0302651A priority Critical patent/GB2398210A/en
Publication of GB0302651D0 publication Critical patent/GB0302651D0/en
Publication of GB2398210A publication Critical patent/GB2398210A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/608Watermarking

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Signal Processing For Digital Recording And Reproducing (AREA)

Abstract

A method of applying encryption to a set of ordinally numbered portions of data, comprises: producing an ordinally numbered set of encryption codes in accordance with a binary tree structure having L levels l where l is 0, 1, 2 ....L, each level having 2<l> nodes, each node in level l being linked to two nodes in the next higher level l + 1 and one node in the next lower level l - 1, the number of levels L being such that level L has a number 2<L> nodes not less than the number of said portions of data, each node of level l having associated therewith an encryption code generated from the encryption code associated with the node of level l-1 with which it is linked; and applying the respective encryption codes of level L to respective ones of the said portions of data. A method of decrypting a predetermined subset of portions of data encrypted by the encryption comprises specifying a sub-set of the ordinally numbered portions; generating decryption codes for decrypting the said subset of encrypted portions receiving the said decryption data; generating from the said decryption data the decryption codes of the said subset of portions of data; and decrypting the said portions of the said subset using the generated decryption codes.

Description

J
23982 1 0 _ 1 Encryption Systems The present invention relates generally to encryption systems. The present invention relates more specifically to: a method and apparatus for producing encryption code; a method and apparatus for encrypting data; a method and apparatus for decrypting encrypted data; programs including data processing code for carrying out the methods; and providing media for providing the data processing code.
It is well known to provide digital data to users on recorded media such as tapes, CDs, floppy discs etc or via communications systems such as the Internet. The digital data may be text, still images, video, games, and application programs amongst many other examples. The digital data is easily copied unless protected. It is known to protect data from illegitimate copying by encrypting the data.
EP-A-1215844, EP-A-1187390 and EP-A-1176754 all disclose systems in which data is protected by encryption. The encrypted data is for example recorded on a disc or other recording medium. A large number of reproducing devices exist in the systems. Keys used by the reproducing devices are allocated to the devices according to a binary tree structure having L levels ( L= 0, 1, 2, 3..) where each level l has 2i nodes, where l=O, 1, 2...L, each node being associated with a key. The nodes of the highest level L are associated with respective reproducers. Each reproducer is thus associated with a group of keys being the keys of the nodes in the path of tree branches connecting the reproducer's node at level l to the root node of level 0. A reproducer at a node of level L is able to reproduce only data encrypted according to one or more of the keys in the said path connecting it to the root node of level 0.
US-A-5963909 and US-A-6005940 both disclose the encryption of video, in which all frames are encrypted with respective different keys. Alternatively, groups of frames may be encrypted with respective different keys. The encrypted video is recorded on for example a disc with decryption data. In US-A-5963909, every frame is encrypted or every group of frames is encrypted with respective different keys and all the keys are recorded on the disc in a manner which is imperceptible and secure. For example the keys are embedded in high frequency DCT coefficients. This increases the data to be recorded on the disc and/or reduces the quality of the video by increasing the noise (i.e. the keys) in the DCT coefficients. In US-A-6005940 every frame has f decryption information recorded on the disc. A reader reads the encrypted frame and the decryption data. It has a transceiver which transmits the decryption data to a transponder which deciphers it into a decryption key which it transmits back to the reader to decrypt the frames. The transponder is in the form of a chip fixed to the disc.
This complicates to production of discs and increases the amount of data recorded on the disc.
WO 95/03655 provides copy protection of CD-ROMs and allows only portions of the protected data to be decrypted for particular users. Sections of data, for example different programs, are encrypted with different keys. The encrypted data is recorded on the disc as Read Only data. A high power laser is used to destroy sectors of the disc to produce a pattern of destroyed and un-destroyed sectors representing passwords associated with different portions of the protected data. A reproducer reads the passwords to produce decryption keys. A manufacturer may record all the data on the disc and later produce the patterns representing only password(s) of the portion(s) intended by the manufacturer to be accessed by a particular customer. This requires special equipment to physically modify CD ROMs after manufacture.
The present invention seeks to allow the protection of data, for example video, by encryption; and to allow many portions of encrypted data to be provided to a user but only one or more selected portions of the data to be decrypted by the user and using only a small amount of decryption data.
According to one aspect of the present invention' there is provided a method of applying encryption to a set of ordinally numbered portions of data, comprising: producing an ordinally numbered set of encryption codes in accordance with a binary tree structure having L levels I where I is 0, 1, 2, ....L, each level having 2i nodes, each node in level I being linked to two nodes in the next higher level I + 1 and one node in the next lower level I - 1, the number of levels L being such that level L has a number 2L nodes not less than the number of said portions of data, each node of level I having associated therewith an encryption code generated from the encryption code associated with the node of level 1-1 with which it is linked; and applying the respective encryption codes of level L to respective ones of the said portions of data.
The ordinal numbering of the said portions may be identical to the ordinal numbering of the nodes of level L. Alternatively the ordinal numbering of the said l 3 portions is related by a linear function to the ordinal numbering of the nodes of level L, and comprising the step of converting the numbering of the portions to the numbering of the nodes to apply the encryption codes to the portions.
In one embodiment, the step of applying encryption to a portion of data comprises encrypting the whole of that portion of data. If the portions of data are for example video frames then a whole frame is encrypted.
In another embodiment, the step of applying encryption to a portion of data comprises encrypting a part of that portion of data. If the portions of data are for example video frames then only part of a frame is encrypted.
The said set of ordinally numbered portions of data to which encryption is applied may be portions selected from a larger set of portions of data. For example if the data is compressed video having intra-encoded frames and inter-encoded frames, the selected portions are the intra-encoded frames.
An embodiment of the method may comprise the steps of: receiving a set of portions of data, and ordinally numbering the portions of the set to produce the said set of ordinally numbered portions of data.
The said one aspect of the invention allows a subset of the encrypted data to be decrypted with decryption codes related only to the subset.
Another aspect of the invention provides a method of generating decryption codes for decrypting data encrypted by the method of any preceding claim, comprising specifying a sub-set of the ordinally numbered portions; and generating decryption codes for decrypting the said subset of encrypted portions.
In a preferred embodiment of the decryption code generating method the step of generating decryption codes comprises determining the minimum set of nodes of the tree linked only to the nodes at level L corresponding to the said sub-set of ordinally numbered portions and generating the codes corresponding to that minimum set of nodes.
The invention further comprises decrypting encrypted data using the generated decryption codes.
A further aspect of the invention provides apparatus for applying encryption to a set of ordinally numbered portions of data, comprising: a code generator for producing an ordinally numbered set of encryption codes in accordance with a binary 4 tree structure having L levels I where I is 0, 1, 2, ....L, each level having 2i nodes, each node in level I being linked to two nodes in the next higher level I + 1 and one node in the next lower level 1- 1, the number of levels L being such that level L has a number 2 nodes not less than the number of said portions of data, each node of level I having associated therewith an encryption code generated from the encryption code associated with the node of level 1-1 with which it is linked; and an encryptor for applying the respective encryption codes of level L to respective ones of the said portions of data.
A preferred embodiment of the encryption apparatus comprises a memory having 2L + 1 storage locations for storing encryption codes for supply to the encryptor. A consequence of the tree structure is that such a relatively small memory is sufficient for generating all the codes of the tree and supplying them to the encryptor.
It is possible to have a smaller memory but that reduces the performance of the encryption apparatus. It is possible to have a larger memory but that is wasteful. 2L + 1 storage locations is optimal.
A yet further aspect of the invention provides a decryption apparatus for decrypting a predetermined subset of portions of data using decryption data produced by the decryption method specified above the apparatus comprising a receiver for receiving the said decryption data; a code generator for generating from the said decryption data the decryption codes of the said subset of portions of data; and a decrypter for decrypting the said portions of the said subset using the generated decryption codes.
An embodiment of the decryption apparatus may further comprise a device for specifying the said subset. For example, a potential user of the apparatus may browse samples of data, e.g. low resolution video and select a particular video sequence or section of a sequence. The specifying device allows the user to specify the sequence he wishes to decrypt from a high resolution copy of encrypted video.
Preferably the apparatus comprises a memory having 2L + 1 storage locations for storing decryption codes for supply to the decrypter. A consequence of the tree structure of encryption codes is that such a relatively small memory is sufficient for generating all the codes needed to decrypt the subset and supplying them to the decrypter. It is possible to have a smaller memory but that reduces the performance of the decryption apparatus. It is possible to have a larger memory but that is wasteful. 2L + 1 storage locations is optimal.
In an embodiment of the invention, the said two nodes in the next higher level 1+1 linked to one node in level I have associated therewith codes Dl+1,1 and Dl+l,0 related to the code Dl associated with said one node in level 1, where Dl+1,0 = E(DI) and Dl+1,1 = DIEXOR Dl+1,0 where D is an encryption code or a decryption code, and E((DI) is a predetermined function of Dl.
These and other aspects of the invention are set out in the claims to which attention is invited.
The use of the encryption tree and the corresponding decryption data allows the encryption of many items of data without allowing decryption of all the items and with the use of a relatively small amount of decryption data.
For a better understanding of the present invention, reference wild now be made by way of example to the accompanying drawings in which: Figure I is a schematic block diagram of an illustrative system for producing, encrypting and subsequently decrypting video and within which the invention may be implemented; Figure 2 is a representation of a tree structure of encryption codes; Figure 3 is a representation of a video sequence of ordinally numbered video frames; Figure 4 is a schematic block diagram of a system for selecting a portion of a video sequence and producing decryption data therefor; Figure 5 is a flow chart describing the production of decryption data for the selected portion of the video sequence of Figure 4; Figure 6 is a schematic diagram of a data carrier storing decryption data; Figure 7 is a schematic block diagram of a system for decrypting a video sequence; Figure 8 is a flow chart describing the decryption of the encrypted video sequence using the decryption data of Figure 6; Figures 9 A to F show the contents of a memory storing decryption data during decryption of the video sequence; Figure 10 is a schematic block diagram of a system for encrypting a video sequence; Figures 11 A to E show the contents of a memory storing encryption code during encryption of the video sequence; Figure 12 is a schematic block diagram of a system for applying a watermark to a video sequence; Figure 13 is a schematic illustration of a template defining an illustrative watermark; Figure 14 is a schematic diagram of a macroblock of a compressed video frame; Figure 15 is a schematic diagram of the format of compressed picture data; Figure 16 is a flow chart of a process for embedding a watermark;
J 7
Figure 17 is a schematic diagram of a compressed video sequence to which a watermark has been applied; Figure 18 is a flow chart of a process for removing a watermark from a compressed video sequence; Figure 19 is a diagram of a system for providing video sequences to users via a communications system and in which the invention may be implemented; and Figure 20 illustrates an alternative encryption tree..
Backeround The present invention will be described firstly with reference to video data but it will be appreciated that the invention may be applied to other data and is not limited to video data. Furthermore the invention will be described firstly with reference to applying encryption to every frame of a video sequence using respective different encryption code for each frame. However the invention may be applied to groups of frames the groups being encrypted with respective different encryption code.
Furthermore the invention may be applied only to selected frames of a video sequence, the selected frames being encrypted with respective different encryption code.
Referring to Figure 1, a content provider A, provides content to one or more users C (only one shown) via a system B. System B may be: a transmission system for example a wireless communications system; a distribution system, for example the Post or a Courier, which distributes recording media for example tapes, discs and other storage media; a communications network, for example the Internet, over which content can be downloaded by a user (a pull system) or distributed to users (a push system); or a broadcasting system (push system); amongst other examples.
In this example the user is studio having a post-production facility which processes video provided by the content provider. The user could be any other person or organisation which uses video, including the public.
The content provider A may be: a studio which produces original video content; a cameraman who produces original video content; a news organization; any other organization (e.g. a film maker) which produces original content; or an organization which has old content which they provide to a user; amongst other
examples.
Assume for the present that the content provider in this example creates a video sequence using a camcorder 2. The camcorder includes a video processor 4 which outputs digitised frames of video which are ordinally numbered in known manner using for example time codes. Frames or groups of frames may alternatively be identified in other ways, for example by use of unique identifiers such as UMIDs or \ quasi-unique identifiers. An encryption engine 6 encrypts the frames in a manner described below using respective different encryption codes for the frames. A recorder 8 records the encrypted frames on a recording medium which may be a disc or tape for
example.
Assume the recording medium is sent to a user C via system B using the Post or Courier. The user C reproduces the encrypted video from the recording medium using a reproducer 12. A decryption engine 14 decrypts video frames in a manner described below. The decrypted video is displayed on a display 18 and/or a processor 16 processes the decrypted frames.
In the example discussed below, the content provider A creates a disc containing a video sequence only part of which he wishes to make available to the user C. Other parts may be for use by other users. The example discussed below allows the content provider to encrypt the whole video sequence and allow only a part or parts of the whole sequence to be decrypted and thus used by a user even though that user has the whole encrypted sequence.
Assume a video sequence has a frame rate of 25 frames per second. The number of frames in a sequence of 3 hours duration is 3 hours x 60 minutes x 60 seconds x 25 frames per second; that is 270000 frames which just over 28 frames.
Thus to ordinally number the frames in binary code requires l9 bits. 6 hours of video requires 20 bits.
Overview of the encryption and decryption scheme of the present example of the invention, Figure 2 Referring to Figure 2, the encryption scheme uses a tree structure of encryption code. The tree is a binary tree having L levels L0, Ll, L2, L3, L4...LI... where l is l, 2, 3, 4....L. Each node in a level Ll has a branch to one node in a lower level L(l-l) and two branches, labelled binary 0 and binary 1, to respective nodes in the next higher level L(1+1). Each level has 2' nodes. Thus level 20 has 220 nodes. For ease of representation Figure 2 shows only 4 levels L0 to L4.
The encryption engine 6 starts at level L0 with a root encryption code which is a key and an initialization vector. Keys and initialization vectors are known: see for example Handbook of Applied Cryptography, Chapter 7 Section 7.2.2.. The root encryption code causes the encryption engine to output two new encryption codes, lo each comprising a key and an initialization vector, to provide the encryption code of two nodes O and I at level L1. Those two nodes are linked to the root node via branches O and 1. The encryption code of node O at level 1 is fed back into the encryption engine 6 to produce the codes of nodes 00 and 01 at level L2. The encryption codes of nodes 10 and 11 of level L2 are produced in the same way from the codes of node 1 of level L1. The same procedure is followed to produce all the nodes of the tree until a level Ll is reached having sufficient nodes in that one level to provide encryption codes for all frames of a sequence. In the example given above, for 6 hours of video that would be level 20 having 220 nodes.
From inspection of Figure 2 it will be seen that by labelling the pairs of branches emanating from each node, binary O for the left hand branch and binary 1 for the right hand branch, each node is identified by a code which is made up of the sequence of branch labels describing the path from the root to that node. It will also be seen that the codes of the nodes in each level are ordinally numbered the nodes from left to right. Thus level L4 has 16 nodes labelled by L=4-bit codes 0000 to 1111.
Conversely, the number of bits in each code represent the level.
Assume a video sequence of 16 frames is numbered in the same way as shown in Figure 3. The content provider provides the user with the whole encrypted sequence of 16 frames but the content provider A wishes to allow the user C to decrypt only frames 2 to 10 of the sequence.
The present example avoids storing on the disc all the decryption codes (as has been done in the prior art) because that is too great an overhead, but the present example provides the user with sufficient decryption data to allow the user access to the desired portion of the video. Referring to Figures 2 and 3, assume that the nodes of level L4 of the tree correspond to the frames 0 to 15 of the video sequence of Figure 3.
To decode only frames 2 and 3 the user needs the code K1 of node 001 in level 3.
From inspection of Figure 2, to decode only frames 4 to 7 the user needs the code K2 of node 01 in level 2. To decode only frames 8 and 9 the user needs the code K3 of node 100 in level L3 and finally to decode only frame 10 the user needs the code K4 of node 1010 in level L4. Thus, by providing codes 001, 01, 100 and 1010, only frames 2 to 10 and no others can be decrypted. It will be seen that the minimum set of nodes are the nodes at the lowest levels of the tree which are connected only to the part (frames 2 to 10) of the video sequence to be decrypted. That is the minimum set of codes which need to be provided. The user does not need any other decryption codes. In particular the user does not need the root code.
The content provider thus provides the user with the disc containing the whole sequence together with the minimum set of decryption codes needed to decode the part intended by the provider to be used by the user and other decryption data (which will be described below) needed to enable the user to access the part of video.
The decryption codes and other decryption data are sent out in a secure manner to the user(s). For example, the decryption codes and other decryption data may be stored in a secure carrier for example a smart card SC. The decryption codes and other decryption data may be encrypted and sent by e-mail or any other suitable communication means to a user. The decryption codes and other decryption data may be encrypted and stored on the recording medium, for example on disc 2O, separately from the encrypted video. The decryption codes and other decryption data may be encrypted and stored on one data carrier and the encrypted video stored on another data carrier.
Encryption of the decryption codes and other decryption data may be done by any suitable means, preferably public key encryption.
The following description assumes the decryption codes and other decryption data are stored on a smart card but the invention is not limited to that. Other ways of storing the decryption codes and other decryption data may be used depending on the circumstances.
Determining the decrvotion data for decrvatina part of a video sequence, Figures 4 and 5.
Referring to Figure 4, assume a disc 20 contains a video sequence in which all the frames are encrypted with encryption codes organised in a binary tree structure as shown in Figure 2. Assume a content provider A wishes to review the video to determine which part he wishes to allow a user to use. Assume a smart card SC contains the root code for creating the encryption codes and that the decryption codes are identical to the encryption codes. In other embodiments of the invention, the encryption codes differ from the decryption codes. A player 22 reproduces the encrypted video from the disc 20. A processor 24 includes a decryption engine 31 which decrypts the video to enable the whole decrypted video to be displayed on a display device to enable the content provider to review the video. The decryption engine 31 uses the root to re-create the whole binary tree thus enabling the whole video to be decrypted. The content provider has a controller and input device 28 which interacts with the player 22 in known manner to select the start S and finish F points of the part of the video to be made available to the user. That can be done using techniques well known in video editing. The start point S and finish point F may be designated by the time codes of the video recorded on the disc 20. It is assumed for ease of description that the numbering of the frames is identical to the numbering of the nodes of the highest level of the binary tree. S and F are provided to a node processor 34 of the processor 24 to determine the minimum set of nodes of the tree connected only to the portion of the video defined by S and F. The node processor 34 interacts with the code generator 32 of the decryption engine via a memory 33 to generate the codes associated with the minimum set of nodes. The node processor records on a smart card SC, via an interface 36, decryption data comprising: the number L of levels in the tree;; the minimum set of decryption codes ( Keys and Initialisation Vectors) in order of occurrence; S and F; and optionally other data ( e.g. a template which will be described below).
The node processor 34 operates as follows once it has the values of S and F. The following assumes data is stored on the smart card. Reference is invited to Figures 2, 3 and 5. Assume the portion P of video to be made available to a user consists of frames 2 to 10 inclusive of the video sequence of Figure 3. Thus S = 2 and F=10. It will be noted that the node processor needs only those numbers: it does not require the video at all.
Assume a variable X represents a number to be processed. The process starts at step S2. At step S4, the values of S and F are determined as described above and stored on the smart card. Step S 12 assigns the start value S to X. S 14 determines whether X = S is even or odd. If S is even then the following steps occur.
At step S18, the binary zeros of the number X=S below the least significant binary one of the original number X are changed to produce a modified odd number Xmod and to find the highest odd number Xmod less than or equal to F and to find from Xmod the identifier, herein called the "index", of the node called herein the "principal node" to which all the nodes at the highest level L numbered S to Xmod are linked. Step S 18 is described in more detail with respect to Figure 5B.
At step S20 the decryption data (Key and Initialisation vector) of the principal node is produced by the code generator 32 and stored in the smart card SC. Step S20 is described in more detail with respect to Figure 5B If S is odd (S14) then the principal node is node S is selected and the decryption code is that of the node S. That decryption code is stored on the smart card.
It will be seen from Figure 2 that if the start node S is odd, then only that node is unique to the portion P At step S22 the next number X is produced. X = the previous Xmod + 1. Step S23 determines whether X is still in the range S to F inclusive. Step S24 determines whether Xmod + 1 = F. i.e. it is the last frame. If Xmod + 1 = F. then at step S26, the principal node is F and the decryption key stored on the smart card is that of node F. If Xmod + 1 is not equal to F. then steps S28 and S30 occur. Step S28 is the same as step S18 and step S30 is the same as step S20.
The process of steps S22, S24, S28 and S30 repeats until either Xmod+ 1 is out of range or Xmod + 1 = F. whereupon the process ends at step S32.
The process operates on successive Xmod + 1 because, as is seen from inspection of Figure2. all nodes in the range S to Xmod are connected to the same principal node. Likewise the next set of nodes from the Xmod + 1 to the next Xmod are connected to the same principal node.
Referring to Figure 5B, steps S18 and S20 are shown in more detail. A count Ct indicates the number of bit positions below the least significant 'one'. Initially, Ct = 1 so it indicates the bit position immediately adjacent the least significant '1'. Step S181 takes a number X and initially changes all binary 'O's below the least significant 1' to ' 1'. Step S 182 determines whether the resultant odd number Xmod_t is less than F. If it is then Xmod = Xmod_t at step S 184. If Xmod_t is greater than F the count Ct is incremented by one and step S181 is repeated on X but changing all the zeros Ct=2 or more positions below the least significant '1' of X.. Step S182 is repeated. The process of steps S 182 and S 183 are repeated until the first occurrence of Xmod_t less than F. That is the biggest Xmod less than or equal to F. At step S185, the number, called the index, identifying the principal node is determined by ignoring the number of least significant bits of Xmod which are different from the original number X. In the example of Figure 2, S = 0010 (with the LSB on the right). Xmod is 0011. F is 1010. 0011 is less than F. One bit has been changed. Xmod omitting the changed bit is 001 which is the principal node identified as K1 in Figure 2. As another example, if X = 1000 (node 8) Xmod_t is initially 1111 which is greater than F. Successive applications of steps S 181, S 182 and S 183 results in Xmod of 1001. The number of changed bits is then 1 and so the principal node is 100, K3.
In step S121 the code generator generates the decryption code K of the principal node, e.g. K3 for node 100 and Kl for node 001. The codes K are stored in order of occurrence in the smart card at step S 122.
Thus as shown in Figure 6 the smart card or disc stores S. F. the number of levels L of the tree and the decryption codes K of the principal nodes in order of occurrence.
Decrypting a defined portion of an encrypted video sequence, Figures 7 and 8. Referring to Figure 7 an apparatus for decrypting a video sequence
encrypted as described above comprises a reproducer 38 which reproduces the encrypted video from the disc 20. The encrypted video is supplied to a decryption processor 14, including a node processor 45, a decryption engine 41, and a smart card interface 46.
The decryption processor 14 decrypts the portion of the video sequence defined by the start and finish numbers S and F. As described above S and F. the number of levels L and the decryption data K are stored in a smart card SC. The numbers S and F and the decryption data are downloaded from the card SC via the interface 46 into the decryption engine 41. The node processor 45 deduces from the numbers S and F the indexes of the principal nodes as described above with respect to step S 18. Assume the video sequence is that of Figures 2 and 3 and the data stored in the card SC is that shown in Figure 6.
The decryption engine has a code generator 42 which interacts with a memory 44 (which will be described below with reference to Figure 9) to provide decryption codes to a decrypter 40. The node processor deduces the principal nodes and deduces from the decryption codes of the principal nodes the decryption codes needed to decrypt the frames S to F. It loads the decryption codes into locations in the memory defined by the indexes to enable the code generator to generate the codes of level L needed to decrypt the video frames S to F. The following assumes the frame numbering of the encrypted video is identical to that of the nodes of level L4 of the tree structure of Figure 2. The decryption data stored on the smart card SC comprises the start number S. the finish number F and the decryption codes of the principal nodes in the order of their occurrence; i.e. K1, K2, K3 and K4 in this example.
Referring to Figure 8, a step S48 deduces from the start and finish numbers S and F the indexes of the principal nodes K1 to K4 using the method of Figures 5A and 5B. At steps S49, S50 and S51 frames are received successively but not decrypted until the start frame S is received. Then at step S52, the first principal decryption code K1 is obtained from the smart card but not put into the memory 44 yet. At step S54 for frame number X, the number of binary zeros, from and including the LSB up until the first binary one, is got. (This cannot be greater than the number of LSBs to ignore when deducing the index of the current principal node). In this case X = S= 0010, the number of zeros is one, and thus the least significant zero is ignored giving an identifier or index 001 and the decryption code is Kl in Figures 2 and 6. A number X', which is X ignoring the least significant zero(s), is determined: in this case X'= 001. In this case, as tested at step S56, X' is the same as index of the current principal node (that is the node waiting to be put in the memory 44) so at step S58, the code K1 is placed in the memory 44 in a location defined by the index as will be described with reference to Figure 9. At step S60 the next principal node K2 is obtained from the smart card but not yet stored in the memory 44. In step S62 the code generator generates, from code K1 in the memory location indexed 001, the decryption code of node S which is placed in memory location 0010 and the decryption code of frame 0111 which is placed in the corresponding location in the memory of 44. Also, the initialization vectors IV are generated at the same time and stored in the memory 44.
Step S64 receives the next frame, step S66 checks it is in the range S to F inclusive and, if it is in the range, processing resumes through steps S54 to S64 until the end of the range is reached after which decryption ceases (S68).
For the next frame X= 0011, the LSB is '1' and the number of zeros to ignore zero. So at step S56 X'= 0011 which is not the same as the index 001 of the current principal node K2( waiting to be put in memory 44). Thus steps S58 and S60 are by passed so the currents principal nodes remains Kl and K2is not yet put in the memory 44. Step S62 determines the key and IV pair of X= 001] is already in the memory 44: it was computed previously from K1 as described above.
Steps S64 and S66 get the next frame X= 0100. X' = 01 as deduced at step S54.X' thus = the index 01 of the current principal node K2 which is thus put into the memory 44 at step s 58. The answer to step S56is yes so code K2is loaded into the memory at the index 01 in step S58. Step S60 gets the next code K3 (index 100) but does not load it into the memory 44. Step S62 generates key, IV pairs for node 010 and nodes 0100 and 0101 from K2.
For frame X= 0101 the LSB is '1' so the index is 0 and therefore, as follows from the preceding discussion its key, IV pair is already in the memory 44.
Steps S64 and S66 then get frame X= 0]10. In step S54 the LSB '0' is ignored giving a code X'= 011, which, as will be seen, identifies a memory location.
Code X'= 011 is not the same as K3 index 100 so in step S62 the key, IV pairs 011, 0110 and 0111 are generated from K2. It will be apparent then that the key, IV pair of frame 0111 is already in memory when that frame is obtained.
Frame 1000 is obtained (S64, S66). The index for that frame is 100. The number of binary zeros to ignore is apparently 3 but that is greater than the number (one) of zeros, to ignore to deduce the index. Therefore the number X' is deemed to equal the index of K3 satisfying step S56. K3is then loaded (S58) into the memory 44 and the next code K4is got (S60). The key, IV pairs for frames 1000 and 1001 are derived from K3.
In this example, finally frame 1010 is processed.
Operation of the memory 43 for decrvotion. Figure 9 The memory 44 has 2L + 1 storage locations where L is the number identifying the highest level of the binary tree. The memory is shown schematically in Figure 9A having pairs of storage locations L1 to Ll arranged in a column with the left hand column labelled binary O and the right hand column labelled binary 1, plus a further 5single location LO. Each row of the memory corresponds to a level Ll of the tree. The O column stores the nodes of branches denoted O in Figure 2 and the right hand column stores nodes of the branches denoted I in Figure 2. Referring to Figure 2, and to Figure 9A, the memory can store all the codes of all nodes within for example the box M from LO to the highest level Ll. At level Ll above level LO, the memory can store a pair 10of codes generated from the single node of level L(l-l) to which the pair are connected.
In the following Ll, O or I indicates a storage location and codes x to xxxx where x is O or I denote nodes of the tree and also the corresponding decryption codes.
For an I level tree and I level memory having, in each level, locations O and 1, a route 15can be traced through the locations from level LO to any location, the route defining a sequence of l's and O's according to the locations it passes through which bear a "1-to 1" correspondence with the route through the tree from level LO to any particular node.
Assume the portion P of the video sequence of Figure 3 is to be decoded using the decryption data of Figure 6 as described with reference to Figure 8. Referring to 20Figure 9B, at step S58,to decode frames 2 and 3, the first code K1 having index 001 is stored in row L3 (because the index has 3 bits) in the I column because the LSB is 1.
The path in Figure 2 from LO to Kl is 0, 0, 1 which is mirrored by (hypothetical) route R in Figure 9B. Placing Kl in the storage location L3, 1 allows the code generator to generate a pair of level L4 codes which are placed in the 0 and I columns of level L4 25corresponding to the nodes 0010 and 0011 of Figure 2.
For frames 4 and 5, referring to Figure 9C, code K2 having index 01 is placed in location L2, I corresponding to node 01 enabling the code generator to generate the code of node 010 which is placed in the corresponding location L3,0. The codes of nodes 0100 and 0101 are generated from 010 and are placed in the L4 storage 30locations L4, 0 and L4, 1.
Referring to Figure 9D, the codes of frames 6 and 7 are generated from code 011 placed in L3, 1 and which is generated from code K2 in L2, 1. Code 011 may be . _ 18 generated with L3,0 and placed in location L3,1 at the same time as code 010 in L3,0 or it may be generated after 010 depending on the operation of the code generator.
However, the level 4 codes of nodes 0110 and 0111 which are generated from code 011 in L3,1 are generated after the codes of nodes 0100 and 0101 have been used because they overwrite those codes in locations L4,0 and L4,1.
Referring to Figure 9E, once code 010 in L3,0 has been used it is overwritten by code 100 (K3) which is used to generate codes 1000 and 1001 (frames 8 and 9) which overwrite the codes in L4,0 and L4,1.
Finally code K4lOlOis placed directly in location L4,0 for decoding frame 10 using code 1010 as shown in Figure 9F.
Encrvotion engine. Fieure 10 The encryption engine 6 of Figure 1 is used to encrypt a whole video sequence.
An example of such an engine is shown in Figure 10. It comprises an encryption code generator 50, a memory 52 an encryptor 54, a smart card interface 55, an input device 56 and a timer 57. The encryption code generator is initialised with a root key and initialization vector, which in this example are derived from root data stored in a smart card SC. The root key and initialization vector are derived from the stored root data by modifying the stored data with a password entered using the input device and/or by a time stamp produced by the timer. Other ways of generating the root may be used.
The root data stored on the smart card may be encrypted and decrypted for use. The encryption engine generates encryption codes according to the tree structure of Figure 2 as described above. The codes are transferred to the memory 52, as they are produced, for: 1) application to the encryptor 52 to encrypt the frames of the video sequence and 2) feeding back to the code generator for generating further codes.
The memory 52 has the same structure as the decoder memory 44 of Figure 9.
The following description uses the same notation as used for Figure 9.
Oneration of memory 52. Fieure 11 Referring to Figure 11 and to Figure 2 box M, the root is initially stored in location LO. The generator 50 generates the pair of codes 0 and 1 of level L1 code 0 first followed by code 1. They are placed on locations Ll,O and Ll,l. Each node in level 11 generates a pair of codes of level I with the code of branch 0 produced first because it is the seed for generating the code of branch 1. Thus, code 0 is used to generate the pair of codes 00 and 01 of level L2 placed in L2,0 and 1. Code 00 of level 2 is used to generate codes 000 and 001 of level 3. Code 00 0 of level 3 is used to generate codes 0000 and 0001 placed in location L4,0 and 1 for encrypting the first two frames (frames numbered binary 0000 and 0001 and decimal 0 and 1).
Codes 0010 and 0011 for encrypting the next two frames (frames 2 and 3) are generated from code 001 in location L3,1 and overwrite the previous contents of locations L4,0 and 1 as shown in Figure 11B.
Once the codes for frames 2 and 3 are generated, the level 3 codes in locations L3,0 and I are overwritten. A new code 010 is derived from code 01 in L2,1 to generate the codes 0100 and 0101 for encrypting frames 4 and 5 as shown in Figure 1 1 C. code 01 1 is generated from code 010 and placed in location L3, 1.
To encrypt frames 6 and 7, as shown in Figure 11D, the contents of L4, 0 and 1 are overwritten by codes 0110 and 0111 which are generated from code 011. Thee level 2 codes are overwritten by new codes 10 and 11 generated from code] in location L1,1, and code 100 is written into location L3,0 in preparation for encrypting the next two frames 8 and 9 (1000 and 1001).
As shown in Figure I IE, codes 1000 and 1001 are generated from code 100 for encrypting frames 8 and 9. Code 101 is generated from 10 and placed in L3,1 overwriting the previous contents thereof.
The operation of the memory proceeds in similar manner until the whole sequence is encrypted. The memory has 2L + I locations where L is the number identifying the highest level of the tree. Each location stores a key and Initialisation vector. The storage needed is small which is advantageous in for example a camcorder.
Relationship of frame numbers to tree node numbers.
In the foregoing description, for ease of description, the node numbering at the highest level of the tree and the frame numbering of the video sequence are identical.
That may be true in practice. However, the numbering may be different provided there is a known "I-to-l" relationship between the frame numbering En and the node numbering Nn. The relationship is defined by a linear transform, for example Nn = kFn + c, or Nn = c + Fn/k where k and c are constants. Preferably the numbering of the frames is converted to the node numbering using the linear transform.
Variants of the invention In the foregoing description, for ease of description, it is assumed that every frame is encrypted with a different encryption code. That may be true in practice but it is not essential to the invention. Consider a digital video sequence compressed according to a compression algorithm (e.g. MPEG2) having groups of pictures (GOPs) comprising intra encoded frames (I frames) and inter-encoded frames dependent on the I frames. In an embodiment of the invention, only the I frames are encrypted, making it impossible to reconstruct the dependent inter-encoded frames without first decrypting the I frames. If the GOPs have a constant length, typically 12 or 15 in MPEG2, and if the frames are numbered sequentially, then the I frames correspond to the nodes by Nn = Fn/k where k = 12 or 15 for example except for the first I frame in the sequence where Nn may equal Fn. Alternatively, assuming only one I frame per GOP and the GOPs are numbered On, Nn = Gn.
The invention may be applied to frames or other data compressed by a los less compression technique. An example of such a technique is DPCM (differential pulse code modulation). In the case of video frames it may be applied spatially and/or temporally.
In another example, GOPs form portions of data and the whole of each GOP is encrypted with the same encryption code, different GOPs being encrypted with different encryption codes.
In the foregoing description, for ease of description, it is assumed the whole of each frame in the portion P is encrypted. That may be true in practice but the invention is not limited to that. In an embodiment of the invention, only a part of a frame is encrypted and furthermore all frames of a sequence may be partially encrypted or only some frames of a sequence may be partially encrypted as will be described by way of example in the following section entitled Watermarking.
Number Systems The foregoing discussion assumed that the frame numbering and the node numbering are identical, both using plain binary numbering. However, the number system used to number frames may be different to that of the nodes. Examples of other numbering systems include 2's complement, and floating point. The tree is numbered in plain binary. It is possible to work with 2's complement by having two binary trees, one for negative numbers and one for positive numbers. However it is currently preferred that whatever number system is used to number frames is converted by a linear transform to plain binary to work with a single tree.
Watermarkine. Figures 12 to 16 Applications of the present invention to watermarking will now be described by way of example. It will be appreciated that the invention is not limited to watermarking. In the following examples, a visible and removable watermark is applied to a video sequence using encryption. Use of the encryption tree allows the removal of the watermark and restoration of the original video using corresponding decryption codes and other decryption data which is applicable to a selected portion of the video thereby preventing access to the unselected portions. These techniques allow selective decryption and removal of a watermark from sub-sections of video. Different customers may be allowed access to different sub-sections of video.
First Example
Referring to Figure 12, a video processor 4 produces uncompressed digital video. A watermark embedder 64 encrypts parts 70 of each frame which are defined by a template 68 as shown in Figure 13. Different encryption codes used for the successive frames are generated by an encryption code generator 66 which operates according to the binary tree structure of Figure 2.The template is stored on a smart card together with decryption codes and other decryption data as shown in Figure 6 for example.
That allows the removal of the watermark and the restoration of the original video of a portion of the original video sequence defined by the start S and finish F frame numbers. The template 68 is a bit map indicating the area or areas of each frame to be encrypted. The area 70, which illustratively is in the form of a stylised S. indicates blocks 71 of pixels (only one block is labelled 71) to be encrypted, thus creating a visible modification of the frame. For example as described in pending UK patent application GB-A-2369943 the bits of codes representing individual pixels or groups of pixels in the area 70 may be scrambled according to the encryption code.
Second Example
This example is a modification of the watermarking scheme described in co pending UK patent application 0202737.3 filed 6 February 2002 attorney references P13458GB, I-02-002, S02P5015GBOO. Referring to Figure 4, the video processor includes a compressor 60 which in this example compresses the digital bitstream according to MPEG2 to produce a bitstream having intra-encoded frames (I frames) and inter-encoded frames (P and B frames) arranged in groups of pictures (GOPs), in known manner. Referring to Figure 13, in this example the template defines the watermark to the resolution of a DCT block.
Figure 15 illustrates the data format of what is referred to herein as picture data. Picture data herein includes all data between picture start codes and includes headers (HDR), userdata (UD) and the image data 116 representing one frame of the image. MPEG2 allows user data (UD) to be placed in the picture data ahead of the image data 116. There may be no user data fields UD or one or more user data fields.
The DCT blocks and macroblocks are formatted as shown in Figure 14 in the image data 116. Each block includes a DC coefficient followed by AC coefficients.
Blocks are separated by End of Block codes FOB.
In I frames the DC coefficients are differentially encoded. The differential values are referred to herein as DC differentials. The AC coefficients are run length encoded and represented by Variable Length Codes (VLCs) and are referred to herein as AC VLCs.
Referring to Figure 16, in overview, this example of the invention may operate as follows. These operations are performed only on I frames in this example but the invention is not limited to performing these operations only on I frames.
In step S72, the macroblocks which fall within the watermark S are selected and all the DC differential and AC VLCs of those macroblocks are removed and in step S74 stored.
In step S76, new DC differentials which represent the watermark are put into the blocks of the template macroblocks in place of the ones which were removed. (The AC VLCs are not replaced in those blocks). The DC coefficients in I frames are differentially encoded and so the new DC differentials need to be calculated in dependence on the DC differentials of the macroblocks spatially preceding and following the macroblocks at the edges of the template.
In step S78 the number of bits Nr removed from an I frame by removing the original DC differentials and AC VLCs is determined and the number of bits Na added to the I frame by the new DC differentials is determined. The difference Nr-Na indicates the amount of spare data space in the picture data. If that space exceeds a threshold amount (5 bytes for MPEG2) then referring to Figure 15 a visible watermark user data space 120 is created in the picture data. At least some of the stored DC differentials and AC VLCs are placed in that data space 120. To ensure that the bit rate of the picture data is not changed zero padding 122 may be added to the picture data.
If insufficient spare space is available to create the data space 120 then zero padding 22 is added. The coefficients placed in the data space 120 are encrypted before they are placed in the space 120 to ensure that only authorised persons can reconstruct the original image.
That process is repeated (S80) for each I frame in a video sequence. Referring to Figure 17, a portion of a video sequence is shown. Figure 17 shows only I frames for ease of explanation. The picture data frames are shown in simplified form for ease of explanation. If the sequence comprises P and/or B frames, the I frames would be separated by such frames. The first I frame PI of the sequence includes watermark user data space 120 which contains as many as possible, in encrypted form, of the removed coefficients of frame Pi. Likewise, frame P2 has a data space 120 which contains as many as possible, in encrypted form, of the removed coefficients of the frame P2. The same applies to frame P3. Frame P4 is shown as having no spare capacity for a user data space 120.. Thus as illustrated by Figures 16 and 17, the coefficients removed in serial order from the image data space of the frames of a video sequence are taken from store, encrypted and put, in the same serial order, into watermark user data spaces 120 created in the frames of picture data but without increasing the bit rate of the picture data. The coefficients of any one frame Pi are placed in the user data space of only that frame Pi. The end of the video sequence is indicated by an end of sequence code 126.
The user data spaces created in any one frame Pi of the video sequence may not provide sufficient spare capacity to contain all the removed coefficients of that frame Pi. Thus as shown in step S82 of Figure 16, the remaining (excess) coefficients are taken from the store, encrypted and appended to the end of the video sequence after the end of sequence code 126 as shown at 128 in figure 18. The encrypted data appended to the end of the MPEG2 bitstream is part of the MPEG2 bitstream but because it is not prefaced by a start code, the appended data is ignored by an MPEG2 decoder.
Alternatively, the excess coefficients may be stored, encrypted, in a separate file. The file may be appended to the start or finish end of the bitstream.
As shown in Figure 17, for every frame there is produced a residual data field 291 including a code representing the number of bytes B of encrypted AC VLCs and DC differentials which are not included in the user data space 120 of that frame together with the encrypted AC VLCs and DC differentials. If there are no residual AC VLCs and DC differentials, the number B for that frame is zero.
Although the process has so far been described only with reference to I frames, a compressed video sequence typically also includes P and B frames. Some P and B frames may include zero padding. If so the zero padding may be removed and used for a watermark user data block and the removed original coefficients may be placed in the user data block. The zero padding is reinstated in the process of restoring the original bitstream.
The watermark data as it appears in the watermarked MPEG-2 file must not contain MPEG start codes since they will terminate userdata areas prematurely or cause other undesirable decoder behaviour. The nature of the codes used to represent DC differentials and AC VLCs is such that start codes cannot be accidentally generated within the displayed image data. It should not therefore be possible to generate them in the watermark data either providing care is exercised when generating flag information. However, the encryption of the watermark data may result in start codes being produced. It is therefore necessary to check the encrypted data for start codes and where they occur revert to the unencrypted watermark data (this does not affect security since it is only possible to determine which bytes have been left unencrypted when decrypting with the correct key). Where it has been necessary to revert to the unencrypted watermark data, a check must also be performed to ensure that this did not result in the generation of another start code across the encrypted/unencrypted data boundary.
Overview of restoring original image data (Figure 18! When received at a decoder, the watermarked frames will be displayed unless the original frames are restored. Figure 18 illustrates, by way of example, an overview of a process for restoring the original image.
In step S120, the watermarked bitstream is stored and parsed. In step S122, the encrypted watermark userdata is extracted from the bitstream and stored. Also, any data appended to the end of the bitstream is stored. In step S 124, the stored encrypted watermark user data is decrypted to restore the original DC differentials and the AC VLCs. In step S126, restored original DC and AC VLCs replace the DC differentials which represented the watermark. The resultant bitstream is an MPEG2 compressed bitstream but omitting watermarking data. In step S128, the restored bitstream is decompressed in conventional MPEG2 manner.
Because all the original coefficients were retained as user data and/or either appended to the end of the bitstream or stored in a separate file, the original bitstream is exactly restorable. The resulting washed file is a bit for bit match to the original unwatermarked file.
The encryption of the coefficients of the area 70 uses different encryption codes for each frame, the codes being generated according to the binary tree structure of Figure 2. To decrypt the frames for removing the watermark, the decryption codes are produced as discussed above with reference to Figures 6, 7 and 8. To remove the watermark the decoder needs the template which may be stored in the smart card SC as indicated by "template" in Figure 6, together with other decryption data. The decryption data allows the removal of the watermark and the restoration of the original video of a portion of the original video sequence defined by the start S and finish F frame numbers.
To decrypt any part of the bitstream requires the whole MPEG sequence to be played from the beginning. The frames are counted until the start frame S is reached. A
like number of residual data fields 291 is skipped
The bitstream Pi to Pn is stored and parsed. The residual data comprising the codes B and the AC VLCs and DC differentials is retrieved from the appended data in the parsing process or from the file and stored. For each frame, the data in the user data field 20 is decrypted and used to replace the modification data in the bitstream. The number of bytes B is read for that frame. If it is greater than zero, then the residual data for that frame is decrypted and used to replace the remaining modification data of that frame.
In the example of an MPEG bitstream the frames are not numbered nor are the residual data fields 291. Such numbering is not needed: every frame and its associated residual data field are processed in succession. Such numbering could be provided in other examples of the invention.
Content Brokerine Overview Figure 19 shows an example of a system for selling and buying video. It is described in more detail in EP-A-1215907. It comprises a transaction server 101, one or more seller clients 112, 112N, one or more buyer clients 113, 113N and a communications network 100 linking the clients to the server.
The owner of material, i.e. a seller, controls a seller client 112. A buyer controls a buyer client 113. A third party owns and controls the transaction server 101. The system allows material to be acquired, securely and visibly
watermarked, and transferred to the buyer for the buyer to preview (107) the watermarked material. If the buyer then wants to buy the material, the buyer obtains the data needed to remove the watermark. In this example, the seller and buyer both register (103, 106) with the transaction server. The data for removal of the watermark is sent to the buyer only when the buyer has paid for the material. The payment is monitored by the transaction server 101 which communicates with a financial institution 102. Payment is made via the server 101 and/or via the institution 102.
The seller obtains seller software, and registers with the transaction server. The seller client processor watermarks the material generating watermark removal data.
The seller client processor informs the transaction server of watermark removal data and of identifiers associated with the material. The seller sends watermarked material to potential buyers.
Seller Registration-Figure 12 Someone who wishes to be a seller firstly acquires seller software. This may be done in any conventional manner: for example by downloading it from the server 1, or by acquiring a stand alone software package. The seller registers with the server 1, providing to the transaction server 1 a) passwords, b) bank account details of the seller and c) any other information. 27
Apply watermark The seller then needs to apply visible watermarks to the material he/she wishes to make available to buyers. In this example assume the material is a video sequence.
The seller loads the material into the seller client to apply the watermark. The seller client is used to design and apply the watermark The seller client downloads from the transaction server watermark design software The seller uses the software off-line to design the form of the watermark: e.g. the template. This results in watermark configuration data and removal data. The removal data is downloaded to the transaction server 1 and/or to a smart card as described above. The watermark configuration data is sent to a watermarking processor which in the preferred embodiment is in the seller client. The watermarked video may be stored on a storage medium 7 for example a tape, disc or solid state store. In this example the medium is a tape as shown in Figure 7.
The watermark is applied using an invertible algorithm which uses encryption codes generated as described above with reference to Figure 2.
Apply identifier An identifier is applied to the material. An example of an identifier is a Unique Material Identifier or UMID. UMIDs are described in more detail in SMPTE Journal March 2000. The UMID is generated in the seller client 1 12. One or more UMIDs may be applied to a video sequence. A UMID uniquely identifies the video sequence to which it applies. The UMID may be applied as an invisible watermark and/or may be stored on the storage medium e.g. 20 with the video. Alternatively, the UMID may be attached to, or otherwise associated with, the storage medium.
The seller client processor 1 12 informs the transaction server 101 of the algorithm, decryption data, template(s), used to generate the watermark and of the UMID(s) applied to the video sequence.
Buver searches for video of interest.
The transaction server provides means for allowing a potential buyer to look for video which interests him. That may be picture stamps, lowresolution video, word searching or any other way. The buyer accesses the transaction server to look for video which interests him. If the buyer finds video which may interest him he then expresses an interest in the video sequence. The transaction server 101 informs the seller client 112 and a visibly watermarked copy is sent to the buyer. In a currently preferred example, the copy is sent to the buyer on the storage medium, e. g. a tape 20' or disc 20 by post or courier. However it could be sent in other ways; for example electronically via the network 100 especially if the network supports 'broad-band' transmission of video. The transaction server 101 may automatically send an e-mail to the seller client to inform the seller of the buyers interest and to prompt them to send the video to the buyer. Alternatively, the request could be processed by an automated warehouse (117 in Figure 19) in response to an order from the server 101 or from the seller client 112.
The warehouse 117 would dispatch a storage medium 20, 20' containing the desired video to the buyer.
The interest of the buyer is registered with a transaction log 105.
The following description assumes the buyer stores the video electronically in a storage medium associated with his client processor 113.
The buyer pays for the video and removes the watermark.
The buyer reviews the watermarked copy. If he wishes to buy it he indicates his interest. The buyer client 113 identifies the video from the identifier (UMID) associated therewith. The identifier is transmitted to the transaction server 101. The server 101 then electronically provides the buyer with the decryption data which is, for example, in the form shown in Figure 6 and allows the removal of the watermark and the restoration of the original video of a portion of the original video sequence defined by the start S and finish F frame numbers.. The electronic transfer is by secure means, using known techniques. Alternatively, the decryption data could be sent on a smart card SC as described above.
Alternatively, the seller may record on a recording medium 20, 20' many different watermarked video sequences, all of which are sent to the buyer watermarked. The watermark uses encryption as described above. The buyer when buying one selected sequence receives only the decryption data relating to the selected sequence.
Encrvotion Systems The foregoing does not specify any particular encryption system for use with the tree structure because any suitable encryption system may be used. Examples include AES, RSA amongst others. Currently, AES is preferred. B 29
The root encryption code is preferably encrypted separately from the video using a key different to any key used to encrypt the video. The encryption key used to encrypt the root may be a private key of a public key encryption system.
I - es of Data Whilst the invention has been described with reference to video it may be applied to any other digital data including audio, audio/visual material, still images, text, computer programs, and games.
Recordine medium The present invention provides a recording medium on which data encrypted as described above is recorded. The medium may also have recorded on it the decryption data for decrypting a subset of the encrypted data, the decryption data being generated as described above. In addition, the root encryption code may be recorded on the medium separately from the encrypted data and decryption codes. The root code is encrypted separately from the encrypted data using a private key. The medium may be for example a tape or disc or a solid state memory.
Sets, portions and parts of data In the foregoing for ease of description the invention is described as applied to a video sequence as a set of data having frames as portions thereof. Also parts of frames, e.g. DCT blocks or blocks of pixels or pixels, are described by way of example. The invention could be applied to whole video fields or parts of fields instead of frames.
The invention may be applied to portions and/or parts of sets of other data. It could be applied: to portions of a video sequence defined by shot markers, time duration, or GOPs; and/or to parts defined by pixels, blocks of pixels, DCT blocks or macroblocks.
The invention may be applied to data sets, portions and parts thereof, common in computing for example: files, folders, directories, virtual drives and records in a database.
The invention may be applied to CDs, and DVDs and data portions thereon defined by tracks, chapters and index points for example. It may be applied to data sets defined by different record layers in multilayer optical discs. _B 30
The invention may be applied to several sections of a data set, each section being encrypted separately. As a result a smart card for example may contain several sets of decryption data, one for each encrypted section of data. For example a single DVD may contain many encrypted video sequences and a single smart card loaded with decryption data for several of the sequences may be provided to a user.
Alternative encryption tree In the foregoing the key K and initialisation vector IV of a node at one level is used to generate a pair of keys K and initialisation venctor IV at the next higher level each key K and initialisation vector IV of the pair being generated independently of the other but from the same key K and initialisation vector IV of the lower level. In a modification shown in Figure 20, each pair of keys K and initialisation vectors IV at the higher level are generated as follows. One key K and initialisation vector IV e.g. K2,1 IV2,1 is derived as E(K1, 1., IVl,1) where E is a predetermined function and K1, 1, IV1, 1 is the key K and initialisation vector of the lower level. The other key K and initialisation vector IV K2,2 IV2,2 is derived as K2,2 = K1,1 EXOR K2,1 and IV2,2 = IV2, 1 EXOR IV2, 1 where EXOR is a logical Exclusive-OR operation.
Computer Programs The invention also provides computer programs which when run on a suitable processors causes the processor to: generate encryption codes as described above; encrypt data as described above; generate decryption codes as described above; and decrypt data as described above.

Claims (54)

1. A method of applying encryption to a set of ordinally numbered portions of data, comprising: producing an ordinally numbered set of encryption codes in accordance with a binary tree structure having L levels I where I is 0, 1, 2, ....L, each level having 2i nodes, each node in level I being linked to two nodes in the next higher level I + I and one node in the next lower level I - 1, the number of levels L being such that level L has a number 2t nodes not less than the number of said portions of data, each node of level I having associated therewith an encryption code generated from the encryption code associated with the node of level 1-1 with which it is linked; and applying the respective encryption codes of level L to respective ones of the said portions of data.
2. A method according to claim 1, wherein the ordinal numbering of the said portions is identical to the ordinal numbering of the nodes of level L.
3. A method according to claim 1, wherein the ordinal numbering of the said portions is related by a linear function to the ordinal numbering of the nodes of level L, and comprising the step of converting the numbering of the portions to the numbering of the nodes to apply the encryption codes to the portions.
4. A method according to claim 1, comprising the steps of: receiving a set of portions of data, and ordinally numbering the portions of the set to produce the said set of ordinally numbered portions of data.
5. A method according to claim 1, 2, 3 or 4, wherein the step of applying encryption to a portion of data comprises encrypting the whole of that portion of data.
6. A method according to claim 1, 2, 3 or 4, wherein the step of applying encryption to a portion of data comprises encrypting a part of that portion of data.
7. A method according to any preceding claim, wherein the said set of ordinally numbered portions of data to which encryption is applied are portions selected from a larger set of portions of data.
8. A method according to any preceding claim, wherein the said set is a portion of a larger set of data.
9. A method of generating decryption codes for decrypting data encrypted by the method of any preceding claim, comprising specifying a sub-set of the ordinally numbered portions; and generating decryption codes for decrypting the said subset of encrypted portions.
10. A method according to claim 9, wherein the said decryption codes are stored on a data carrier.
11. A method according to claim 9 wherein the said set of ordinally numbered portions of encrypted data is stored on a recording medium.
12. A method according to claim 11, wherein the said decryption codes of the said subset are stored on the said recording medium.
13. A method according to claim 9 or 10, comprising transmitting the said set of ordinally numbered portions of encrypted data to a user via a communications network.
14. A method according to claim 9, 10, 9 or 11, comprising transmitting the decryption codes to a user via a communications network.
15. A method according to any one of claims 9 to 14, wherein the step of generating decryption codes comprises determining the minimum set of nodes of the tree linked only to the nodes at level L corresponding to the said sub-set of ordinally numbered portions and generating the codes corresponding to that minimum set of nodes.
16. A method according to claim 15, wherein the said subset of portions is numbered S to F inclusive where S is the lowest ordinal number of the subset and F is the highest ordinal number of the subset, and the step of determining the minimum set of nodes comprises for a portion having binary number X where S< X< F: a) determining whether X is odd or even; b) if even, changing the binary zeros less significant than the least significant binary one to produce a modified odd number Xmod; c) finding the largest resultant Xmod less than F; d) deriving, from Xmod and the number of bits changed in X to produce Xmod, an index identifying a principal node to which all the nodes numbered X to Xmod are connected; and e) producing as decryption data the decryption code of the node identified by the said index,
17. A method according to claim 16, wherein if a portion of number Y where S < Y < F follows a portion X which has decryption data assigned to it and X< Y < Xmod, then the same decryption data is assigned to Y as was assigned to X.
18. A method according to claim 16 or 17, wherein if X = S and S is odd, the corresponding portion of data is assigned as decryption data the decryption code of node S per se.
19. A method according to claim 16, 17 or 18, wherein if X = F then it is assigned the decryption data of the node F per se.
20. A method according to any preceding claim, wherein the said data is video data.
21. A method according to claim 20, wherein the said portions are video frames.
22. A method according to claim 20 wherein the said portions are groups of frames.
23. A method according to claim 20, wherein the video data is compressed video data comprising intra-encoded frames and the said portions of data to which encryption is applied are the intra-encoded frames.
24. A method according to claim 2O, 21, 22 or 23, when not dependent on claim 5, wherein encryption is applied only to a part, or parts, of each frame.
25. A method according to any one of claims I to 19, wherein the said data is selected from the group comprising: audio data, video data, computer programs, and other types of digital data.
26. Apparatus arranged to implement the method of one of the preceding claims.
27. A computer program, which when run on a suitable processor, implements the method of one of claims 1 to 25.
28. A providing medium providing the program of claim 27.
29. A medium according to claim 28 which is a transmission medium.
30. A medium according to claim 28 which is a recording medium.
31. Apparatus for applying encryption to a set of ordinally numbered portions of data, comprising: a code generator for producing an ordinally numbered set of encryption codes in accordance with a binary tree structure having L levels I where I is 0, 1, 2, ....L, each level having 2i nodes, each node in level I being linked to two nodes in the next higher level I + I and one node in the next lower level I - 1, the number of levels L being such that level L has a number 2L nodes not less than the number of said portions of data, each node of level I having associated therewith an encryption code generated from the encryption code associated with the node of level 1-1 with which it is linked; and an encryptor for applying the respective encryption codes of level L to respective ones of the said portions of data.
32. Apparatus according to claim 31, comprising a memory having 2L + I storage locations for storing encryption codes for supply to the encryptor.
33. Apparatus according to claim 31 or 32, further comprising a specifier for specifying a sub-set of the ordinally numbered portions; and a decryption code generator for generating decryption codes for decrypting the said subset of encrypted portions.
34. Apparatus according to claim 33, wherein decryption code generator is arranged to determine the minimum set of nodes of the tree linked only to the nodes at level L corresponding to the said sub-set of ordinally numbered portions and generate the codes corresponding to that minimum set of nodes.
35. A data carrier storing data defining: a) the start number S and finish number F of a subset of ordinally numbered portions of data to which encryption codes have been applied by the method of any one of claims 1 to 6, b) the number L of levels in the tree, and c) an ordered list of decryption codes.
36. A data carrier according to claim 35, which further stores data defining a part of a said portion to which encryption is applied.
37. A method of decrypting a predetermined subset of portions of data using decryption data produced by the method of any one of claims 9 to 19, the method comprising receiving the said decryption data; generating from the said decryption data the decryption codes of the said subset of portions of data; and decrypting the said portions of the said subset using the generated decryption codes.
38. A method according to claim 37 comprising the further step of defining the said subset.
39. A method of decrypting a predetermined subset of portions of data encrypted by the method of any one of claims 1 to 8, comprising specifying a sub-set of the ordinally numbered portions; generating decryption codes for decrypting the said subset of encrypted portions receiving the said decryption data; generating from the said decryption data the decryption codes of the said sunset of portions of data; and decrypting the said portions of the said subset using the generated decryption codes.
40. A method according to claim 39, wherein the step of generating decryption codes comprises determining the minimum set of nodes of the tree linked only to the nodes at level L corresponding to the said subset of ordinally numbered portions and generating the codes corresponding to that minimum set of nodes.
41. A method according to claim 39, wherein the said subset of portions is numbered S to F inclusive where S is the lowest ordinal number of the subset and F is the highest ordinal number of the subset, and the step of determining the minimum set of nodes comprises for a portion having binary number X where S< X< F: a) determining whether X is odd or even; b) if even, changing the binary zeros less significant than the least significant binary one to produce a modified odd number Xmod; c) finding the largest resultant Xmod less than F.; d) deriving, from Xmod and the number of bits changed in X to produce Xmod, an index identifying a principal node to which all the nodes numbered X to Xmod are connected; and e) applying the received decryption data identified by the said index,
42. A method according to claim 39, wherein if a portion of number Y where S < Y < F follows a portion X which has decryption data applied to it and X< Y < Xmod, then the same decryption data is applied to Y as was applied to X.
43. A method according to claim 41 or 42, wherein if X = S and S is odd the decryption code of node S per se is applied to it.
44. A method according to claim 41, 42 or 43, wherein if X = F then the decryption data of the node F per se is applied to it.
wherein the said subset of portions is numbered S to F inclusive where S is the lowest ordinal number of the subset and F is the highest ordinal number of the subset, and the step of determining the minimum set of nodes comprises for a portion having binary number X where S< X< F: a) determining whether X is odd or even; b) if even, sequentially changing the binary zeros less significant than the least significant binary one to produce a modified odd number Xmod; c) finding the largest resultant Xmod less than F; and d) producing as decryption data i) the number of binary zeros changed to produce the said largest Xmod, ii) the decryption code of the node identified by the unmodified bits of number X, iii) the unmodified portion of X, and iv) X 40. A method according to claim 39, wherein if X = S and S is odd, the corresponding portion of data is assigned as decryption data the decryption code of node S per se.
41. A method according to claim 39 or 40, wherein if a portion of number Y where S < Y < F follows a portion X which has decryption data assigned to it and X< Y < Xmod, then the same decryption data is assigned to Y as was assigned to X. 42. A method according to claim 39, 40 or 41, wherein if X = F and F is even then it is assigned the decryption data of the node F per se, and if F is odd then it is assigned the decryption data of node (F - 1).
45. Decryption apparatus arranged to carry out the method of one of claims 39 to 44.
46. A decryption apparatus for decrypting a predetermined subset of portions of data using decryption data produced by the method of any one of claims 9 to 19, the apparatus comprising a receiver for receiving the said decryption data; a code generator for generating from the said decryption data the decryption codes of the said subset of portions of data; and a decrypter for decrypting the said portions of the said subset using the generated decryption codes.
47. Apparatus according to claim 46 comprising a device for specifying the said subset.
48. Apparatus according to claim 46 or 47, further comprising a memory having 2L + 1 storage locations for storing decryption codes for supply to the decrypter.
49. A recording medium on which is recorded data encrypted by the method of any one of claims 1 to 8.
50. A medium according to claim 49, on which is also recorded decryption data for decrypting a subset of the recorded data.
51. A signal comprising an encrypted set of ordinally numbered portions of data, the portions being encrypted by respective encrypted codes produced in accordance with a binary tree structure having L levels I where I is 0, 1, 2, ....L, each level having 2i nodes, each node in level I being linked to two nodes in the next higher level I + 1 and one node in the next lower level I - 1, the number of levels L being such that level L has a number 2 nodes not less than the number of said portions of data, each node of level I having associated therewith an encryption code generated from the encryption code associated with the node of level 1-1 with which it is linked.
52. A signal comprising data defining: a) the start number S and finish number F of a subset of ordinally numbered portions of data to which encryption codes have been applied by the method of any one of claims I to 6, b) the number L of levels in the tree, and c) an ordered list of decryption codes.
53. A signal according to claim 52, which further includes data defining a part of a said portion to which encryption is applied.
54. The invention of any one of claims I to 53, wherein the said two nodes in the next higher level 1+1 linked to one node in level I have associated therewith codes Dl+l,l and Dl+1,0 related to the code Dl associated with said one node in level 1, where Dl+1,0 = E(DI) and Dl+l,l = DIEXOR Dl+1,0 where D is an encryption code or a decryption code, and E (Dl) is a predetermined function ofDI.
GB0302651A 2003-02-05 2003-02-05 Encryption using a binary tree structure Withdrawn GB2398210A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0302651A GB2398210A (en) 2003-02-05 2003-02-05 Encryption using a binary tree structure

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0302651A GB2398210A (en) 2003-02-05 2003-02-05 Encryption using a binary tree structure

Publications (2)

Publication Number Publication Date
GB0302651D0 GB0302651D0 (en) 2003-03-12
GB2398210A true GB2398210A (en) 2004-08-11

Family

ID=9952492

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0302651A Withdrawn GB2398210A (en) 2003-02-05 2003-02-05 Encryption using a binary tree structure

Country Status (1)

Country Link
GB (1) GB2398210A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10992955B2 (en) 2011-01-05 2021-04-27 Divx, Llc Systems and methods for performing adaptive bitrate streaming
US11012641B2 (en) 2003-12-08 2021-05-18 Divx, Llc Multimedia distribution system for multimedia files with interleaved media chunks of varying types
US11017816B2 (en) 2003-12-08 2021-05-25 Divx, Llc Multimedia distribution system
US11050808B2 (en) 2007-01-05 2021-06-29 Divx, Llc Systems and methods for seeking within multimedia content during streaming playback
US11102553B2 (en) 2009-12-04 2021-08-24 Divx, Llc Systems and methods for secure playback of encrypted elementary bitstreams
US11115450B2 (en) 2011-08-31 2021-09-07 Divx, Llc Systems, methods, and media for playing back protected video content by using top level index file
US11457054B2 (en) 2011-08-30 2022-09-27 Divx, Llc Selection of resolutions for seamless resolution switching of multimedia content
US11495266B2 (en) 2007-11-16 2022-11-08 Divx, Llc Systems and methods for playing back multimedia files incorporating reduced index structures
US11683542B2 (en) 2011-09-01 2023-06-20 Divx, Llc Systems and methods for distributing content using a common set of encryption keys
US11711410B2 (en) 2015-01-06 2023-07-25 Divx, Llc Systems and methods for encoding and sharing content between devices
US11785066B2 (en) 2012-12-31 2023-10-10 Divx, Llc Systems, methods, and media for controlling delivery of content
US11886545B2 (en) 2006-03-14 2024-01-30 Divx, Llc Federated digital rights management scheme including trusted systems
USRE49990E1 (en) 2012-12-31 2024-05-28 Divx, Llc Use of objective quality measures of streamed content to reduce streaming bandwidth

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001008348A1 (en) * 1999-07-23 2001-02-01 British Telecommunications Public Limited Company Data distribution
EP1215844A2 (en) * 2000-12-18 2002-06-19 Matsushita Electric Industrial Co., Ltd. Key management device/method/program, recording medium, reproducing device/method, recording device, and computer-readable, second recording medium storing the key management program for copyright protection

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001008348A1 (en) * 1999-07-23 2001-02-01 British Telecommunications Public Limited Company Data distribution
EP1215844A2 (en) * 2000-12-18 2002-06-19 Matsushita Electric Industrial Co., Ltd. Key management device/method/program, recording medium, reproducing device/method, recording device, and computer-readable, second recording medium storing the key management program for copyright protection

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11012641B2 (en) 2003-12-08 2021-05-18 Divx, Llc Multimedia distribution system for multimedia files with interleaved media chunks of varying types
US11017816B2 (en) 2003-12-08 2021-05-25 Divx, Llc Multimedia distribution system
US11735227B2 (en) 2003-12-08 2023-08-22 Divx, Llc Multimedia distribution system
US11735228B2 (en) 2003-12-08 2023-08-22 Divx, Llc Multimedia distribution system
US11159746B2 (en) 2003-12-08 2021-10-26 Divx, Llc Multimedia distribution system for multimedia files with packed frames
US11297263B2 (en) 2003-12-08 2022-04-05 Divx, Llc Multimedia distribution system for multimedia files with packed frames
US11355159B2 (en) 2003-12-08 2022-06-07 Divx, Llc Multimedia distribution system
US11509839B2 (en) 2003-12-08 2022-11-22 Divx, Llc Multimedia distribution system for multimedia files with packed frames
US11886545B2 (en) 2006-03-14 2024-01-30 Divx, Llc Federated digital rights management scheme including trusted systems
US11050808B2 (en) 2007-01-05 2021-06-29 Divx, Llc Systems and methods for seeking within multimedia content during streaming playback
US11706276B2 (en) 2007-01-05 2023-07-18 Divx, Llc Systems and methods for seeking within multimedia content during streaming playback
US11495266B2 (en) 2007-11-16 2022-11-08 Divx, Llc Systems and methods for playing back multimedia files incorporating reduced index structures
US11102553B2 (en) 2009-12-04 2021-08-24 Divx, Llc Systems and methods for secure playback of encrypted elementary bitstreams
US11638033B2 (en) 2011-01-05 2023-04-25 Divx, Llc Systems and methods for performing adaptive bitrate streaming
US10992955B2 (en) 2011-01-05 2021-04-27 Divx, Llc Systems and methods for performing adaptive bitrate streaming
US11457054B2 (en) 2011-08-30 2022-09-27 Divx, Llc Selection of resolutions for seamless resolution switching of multimedia content
US11115450B2 (en) 2011-08-31 2021-09-07 Divx, Llc Systems, methods, and media for playing back protected video content by using top level index file
US11716371B2 (en) 2011-08-31 2023-08-01 Divx, Llc Systems and methods for automatically generating top level index files
US11683542B2 (en) 2011-09-01 2023-06-20 Divx, Llc Systems and methods for distributing content using a common set of encryption keys
US11785066B2 (en) 2012-12-31 2023-10-10 Divx, Llc Systems, methods, and media for controlling delivery of content
USRE49990E1 (en) 2012-12-31 2024-05-28 Divx, Llc Use of objective quality measures of streamed content to reduce streaming bandwidth
US11711410B2 (en) 2015-01-06 2023-07-25 Divx, Llc Systems and methods for encoding and sharing content between devices

Also Published As

Publication number Publication date
GB0302651D0 (en) 2003-03-12

Similar Documents

Publication Publication Date Title
US7461406B2 (en) Access control for digital content
EP1503590B1 (en) Access control for digital video stream data
US6886098B1 (en) Systems and methods for compression of key sets having multiple keys
US7379549B2 (en) Access control for digital content
EP1505594A2 (en) Access control for digital content
US7826620B2 (en) Information processor, information processing method, and computer program
WO2001013571A1 (en) Systems and methods for compression of key sets having multiple keys
KR20000064791A (en) Method and system for transmitting content information and additional information related thereto
JP4666302B2 (en) Access control for digital content
GB2398210A (en) Encryption using a binary tree structure
US20060029227A1 (en) Storage
US20050038999A1 (en) Access control for digital content
US20070143216A1 (en) Data Signal with a Database and a Compressed Key

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)