ITE Trans. on MTA Vol. 6, No. 1, pp. 53-63 (2018) Copyright © 2018 by ITE Transactions on Media Technology and Applications (MTA)

Paper: Security Technologies for Enriched Broadcasting Services

† Kazuto Ogawa (member)

Abstract A lot of new broadcasting services using communication channels have been developed, and the structures of conventional content distribution and broadcasting services have gradually changed. For example, broadcasting services were not bi-directional, but now TV sets have Internet connection. This means that bi-directional and enriched broadcasting services may be possible. Content copyright protection is an issue also in such services. Several protection techniques have been applied for the purpose, but they have often been broken. In addition, according to the change of the service structures, new security requirements have arisen and new security technologies are required. New security technologies developed to improve the current ones and to meet the requirements of new services are described in this paper. Moreover, trends in state-of-the-art studies and future outlook are described.

Key words: security, enriched services, privacy, copyright protection

Received May 31, 2017; Accepted June 29, 2017
† Japan Broadcasting Corporation (Tokyo, Japan)

1. Introduction

Copyright protection is a major issue in distributing content in broadcasting services, and several techniques have been applied for the purpose. However, the techniques have often been broken. For example, Friio7) makes it possible to copy broadcasting content without any restriction. Some secret data in smart cards used in current broadcasting services was overwritten to disable copy control by the card8). New technologies to protect copyrights are required.

In addition, current TV receivers have Internet connection, but broadcasting services were not bi-directional. This means that bi-directional and enriched broadcasting services may be possible. New security requirements have emerged towards such new services, and new security technologies are required.

This paper describes the concept of the new services, their security requirements and the new technologies meeting the requirements. In addition, trends in state-of-the-art studies and future outlook are described.

2. Copyright Protection of Broadcasting Content

Broadcasting stations encrypt their content to protect their copyrights and distribute the content to their subscribers. The details of the current technologies are standardized for digital broadcasting services, and new technologies were added for ultra-high-definition TV services.

2.1 Current Technologies

We first revisit the current technologies. TV services through the air and cable-TV services use a conditional access system (CAS) to control the subscribers' access to their content and to protect copyrights related to the content. Each country or each broadcasting company employs its own CAS, but as far as the author knows, all CASs use some encryption schemes. The encryption schemes are used to encrypt content and to encrypt its encryption key. The most important procedure is the way to transmit the encryption key.

Figure 1 shows the Japanese standardized CAS1)2) for broadcasting services through the air. It uses only symmetric encryption schemes, not asymmetric encryption schemes, and the encryption key is distributed after it is encrypted.

Fig. 1 Current CAS (figure: the TV station scrambles content with ks, encrypts ks under kw into the ECM and kw under km into the EMM; the receiver decrypts in the reverse order and descrambles the content)

In the system, each receiver has its own decryption


Fig. 2 Downloadable CAS (figure: a receiver containing a CAS platform with a CAS ID and CAS programs ID:1, ID:2, ..., ID:N)

module, and the module has a distinct master key km that is assigned by a trusted third party (TTP) and that is embedded at a trusted manufacturer. The representative of the security module is a smart card and is called a "CAS card". The km is set in the card. Content is encrypted (scrambled) by using a content key ks at a TV station. ks is updated every 2 seconds or so at the TV station, and it is encrypted by using a work key kw. kw is encrypted by using each master key km ∈ {km1, km2, · · ·}. The encrypted kw is included in the individual information, Entitlement Management Message (EMM), and the encrypted ks is included in the program information, Entitlement Control Message (ECM). The encrypted content, ECM, and EMM are multiplexed and transmitted from the TV station to the receivers. Each receiver demultiplexes them and gets the encrypted content, ECM, and EMM. It uses the kmj in the CAS card, decrypts the encrypted kw in the EMM, and obtains kw. It then uses the kw, decrypts the encrypted ks in the ECM, and obtains ks. It finally uses ks to decrypt the encrypted content and obtains the plaintext content.

The security module, such as a CAS card, takes EMM and ECM as its input, outputs ks, and transmits ks to the receiver. The plain ks is transmitted from the module to the receiver in the current broadcasting system. This is the security hole. That is, it is not hard to read the plain data passed from the module to the receiver. Someone reads the ks data and distributes the ks to certain pirate receivers through the Internet. The data can be used to descramble the scrambled content.

As a countermeasure, the next generation CAS standard2) standardizes that the ks is re-encrypted in the security module and then transmitted to the receiver. When some security holes are found in a CAS, the system has to be updated. For this purpose, the method to update the CAS was introduced116) and standardized2) as a downloadable CAS. The structure of the downloadable CAS is shown in Fig. 2. It includes multiple CAS programs and a CAS platform. Each CAS program works on the CAS platform. Some CAS programs are pre-installed before shipment and some others are downloaded through the air or communication channels after shipment. The CAS platform therefore includes a downloader to acquire new CAS programs and an authentication function. The authentication function is used when a new CAS program is downloaded to confirm that the program provider is certificated. A CAS program among those installed in the receiver can be selected by the content provider.

2.2 Update of Scramble Scheme

If a is developed36)50)51), the encryption scheme for the scrambling and the decryption modules should be updated. The method of update is an especially important issue for pay-TV service providers. Pay-TV service providers do not want to use any vulnerable encryption scheme and they want to use a new and secure encryption scheme as soon as possible. However, there are a lot of receivers that cannot recover content encrypted with a new encryption scheme.

When a decryption module is a hardware one, the update is not easy. Only when the decryption module has a rewritable memory, such as a flash memory, and when its decryption algorithm is installed in the memory, is the update of the algorithm possible. There are a lot of cases in which the module does not have enough memory. In addition, there are a lot of decryption modules that do not have any rewritable memory. Naturally, such modules cannot update the algorithm in real time or quickly. In such cases, the receiver, which has the decryption module, must be sent to its manufacturer, the module is replaced, and the receiver is sent back to its owner. It needs a lot of cost and time. It may result in the suspension of the services. The subscribers like neither such cost and time nor abeyance of the services.

The decryption module used in Japanese TV services, for example, is an LSI circuit in the TV set (receiver). It should be noted that the module is used also by pay-TV services. Replacing the decryption modules in Japan's more than 126 million TV sets9) would be a troublesome job and would take a long time. Even if the job is not easy and a long time period is necessary, all decryption modules must be updated to protect copyrighted content.

The research for updating the scrambling scheme started as that for partial encryption schemes. As described later, only small parts of compressed content have to be encrypted for the update of the scrambling scheme.
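The three-level key hierarchy of Sect. 2.1 (content under ks, ks under kw in the ECM, kw under each receiver's km in the EMM) and the next-generation countermeasure of re-encrypting ks inside the security module, as an added Python example that is not part of the paper and not the standard's code. The cipher is a constructed HMAC-SHA256 keystream XOR standing in for the standard's symmetric scheme, the class and function names are hypothetical, and the module-to-receiver link key is an assumption about how the re-encryption could be keyed; the standard's actual mechanism is not described on this page.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed toy cipher: XOR data with an HMAC-SHA256 keystream derived
    from (key, nonce, block counter). Encryption and decryption are the same
    operation. It stands in for the standard's symmetric scheme; it is not it."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class TVStation:
    """Holds the work key kw and the TTP-assigned master keys of its receivers."""

    def __init__(self, master_keys: dict):
        self.master_keys = master_keys  # receiver id -> km_j, as assigned by the TTP
        self.kw = os.urandom(32)        # work key

    def emm_for(self, receiver_id: str) -> bytes:
        # EMM (individual information): kw encrypted under that receiver's km_j
        return seal(self.master_keys[receiver_id], self.kw)

    def scramble(self, content: bytes):
        ks = os.urandom(32)             # content key; the real system rotates it every 2 s or so
        ecm = seal(self.kw, ks)         # ECM (program information): ks encrypted under kw
        return ecm, seal(ks, content)


class SecurityModule:
    """The CAS card: takes EMM and ECM, recovers ks, hands ks to the receiver."""

    def __init__(self, km: bytes, link_key: Optional[bytes] = None):
        self.km = km
        self.link_key = link_key        # hypothetical key shared with the receiver chip

    def output_ks(self, emm: bytes, ecm: bytes) -> bytes:
        kw = unseal(self.km, emm)
        ks = unseal(kw, ecm)
        if self.link_key is None:
            return ks                   # current system: plain ks crosses the interface
        return seal(self.link_key, ks)  # next generation: ks re-encrypted in the module


class Receiver:
    def __init__(self, module: SecurityModule, link_key: Optional[bytes] = None):
        self.module = module
        self.link_key = link_key

    def descramble(self, emm: bytes, ecm: bytes, scrambled: bytes) -> bytes:
        out = self.module.output_ks(emm, ecm)
        ks = out if self.link_key is None else unseal(self.link_key, out)
        return unseal(ks, scrambled)


CONTENT = b"constructed sample transport packets"


def run_scenario(reencrypt_ks: bool, wrong_card: bool = False) -> dict:
    """Run one broadcast through station -> module -> receiver and report whether
    the plaintext came back and whether plain ks was observable on the
    module-to-receiver interface."""
    master_keys = {"receiver-1": os.urandom(32), "receiver-2": os.urandom(32)}
    station = TVStation(master_keys)
    emm = station.emm_for("receiver-1")
    ecm, scrambled = station.scramble(CONTENT)
    link_key = os.urandom(32) if reencrypt_ks else None
    km = master_keys["receiver-2" if wrong_card else "receiver-1"]
    module = SecurityModule(km, link_key)
    receiver = Receiver(module, link_key)
    true_ks = unseal(unseal(master_keys["receiver-1"], emm), ecm)
    return {
        "decrypted": receiver.descramble(emm, ecm, scrambled),
        "ks_visible_on_interface": module.output_ks(emm, ecm) == true_ks,
    }
```

With `reencrypt_ks=False` the module's output equals ks itself, which is the hole the text describes; with `reencrypt_ks=True` the receiver still descrambles but the interface only carries ciphertext. The `wrong_card` case shows that a module holding another receiver's km recovers neither kw nor ks.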


The related works addressed such partial encryption. The works are called selective encryption techniques, and the main target of the works was to reduce the computational costs for encryption or decryption of content. That is, when encryption or decryption is performed with a CPU in PCs or some portable devices, the CPU ability is sometimes small and the cost of encryption or decryption should be small. For these purposes, such selective encryption techniques are proposed.

The selective encryption technique is the one to encrypt only a part of content. Spanos and Maples proposed the first selective encryption technique for MPEG-1 video146). Following this, a lot of selective encryption techniques22)–24)71)81)82)97)106)129)–131)142)143)146)150)165) have been proposed. Li et al. focused on the picture layer of MPEG video encoding and proposed a technique that encrypts only I-pictures106). Shi and Bhargava's technique encrypts motion vectors of B- and P-pictures142). The AC-coefficients of low frequencies are encrypted in Kunlemann and Reinema's technique97) and those of high frequencies are encrypted in Cheng and Li's technique71). Shi and Bhargava reduced the computational cost by encrypting only the sign bits of all DCT coefficients143). Tang modified the order of coefficient scanning to make the technique more secure150). However, Uehara and Safavi-Naini153), and Qiao, Nahrstedt and Tam129) developed efficient attacks on Tang's technique. Qiao and Nahrstedt use a one-time pad instead of symmetric encryption schemes130)131). Tosun and Feng proposed a technique that makes multiple layers in encoded content and encrypts only certain layers. Yu proposed a similar technique that has scalability165). Lookabaugh et al. proposed a combination method of encryption and compression109).

The main targets of the aforementioned results were confidentiality of contents and reduction of computation overhead. After that, perceptual encryption effectiveness (PEE) has been taken into consideration22)54)73)91)135)137)138)152)156)159)161)163)164). Dufaux et al. proposed a scheme that flips the signs of coefficients of the MPEG compressed video stream73) considering PEE, but it was not efficient regarding the computational overhead. To improve its efficiency, Tong et al. proposed a scheme that encrypts coefficients excluding DC164). Shahid et al.'s scheme uses non-zero coefficients and it showed an adequate point of computation overhead and PEE137). Almarashada et al. evaluated the schemes by peak signal to noise ratio and proposed a scheme that can reduce computation overhead and increase the PEE22).

Such selective encryption techniques are useful for updating cryptographic schemes. The concept was described in 109). A method that uses multiple encryption schemes is described in the patent of Candelore, Unger and Derovanessian64) without any security analysis. The method encrypts only headers of Packetized Elementary Streams (PES) in an MPEG compressed stream, and the other parts of the compressed stream are not encrypted. Ogawa and Inoue proposed two concrete constructions119)120) with their security analysis. They encrypt not only the headers of an MPEG compressed stream but also the data around the headers. Its main target is to update encryption and decryption schemes in practical ways that have backward compatibility.

With regard to reducing CPU costs of broadcasting services, encryption or decryption of broadcasting services is performed in an LSI chip-set, and it is almost meaningless to encrypt a part of content for reducing its computational cost. However, a lot of sensing devices for big data and IoT devices have been developed, and some of those devices do not have a high performance CPU. This leads to the research on selective encryption being activated19)88)139)161). The trend of these researches is to reduce the overheads of encryption and decryption without reducing data confidentiality. Especially as for video data, H.264/AVC compression and PEE become the most important factors18)80)91)140)155).

2.3 Traitor Tracing

There are pirate receivers (PR) that can decrypt the broadcast content illegally. A PR has at least one decryption key extracted from an authenticated receiver. Traitor tracing encryption (TTE) schemes have been developed as countermeasures against such PRs and have a function to trace the authenticated receiver that holds the decryption key used in the PR.

Chor, Fiat and Naor proposed the first TTE scheme69) based on combinatorics. Following this, numerous TTE schemes48)49)55)–58)69)92)95)96)98)99)110)–112)115)117)147)151) have been proposed. Kiayias and Yung proposed another scheme with improved security95). Naor, Naor and Lotspiech's scheme112) uses a tree-based key derivation. Kurosawa and Desmedt proposed an algebraic method based on an ElGamal-like structure98). This proposal was followed by those of, e.g. 55)72)110)113). Mitsunari, Sakai and Kasahara proposed another algebraic construction111) in which a bilinear map is used, and their proposal was followed by those of,


e.g. 70)72)151). Boneh, Sahai and Waters proposed a scheme57) based on a bilinear map of composite order, which is secure against collusion attacks involving N − 1 traitors, where N denotes the number of users. Boneh and Naor proposed a scheme with a constant-size ciphertext56); this scheme employs an index (bit position) selection and fingerprinting codes. Moreover, there are numerous attribute-based encryption and functional encryption schemes33)79)124)125)132)157) that can be used for this purpose. Boneh and Zhandry58) showed that traitor tracing schemes can be constructed by using indistinguishability obfuscation39). Nishimaki, Wichs, and Zhandry proposed a scheme that employs functional encryption and can handle an exponentially large number of users115). The research trend of this topic is to construct indistinguishability obfuscation. Its concept was proposed by Barak et al.39), but there is no secure concrete construction.

There is also one that was standardized in Japan1), and it uses multiple symmetric encryption keys. Its CPU cost would be low because only symmetric encryption schemes are used. A maximum of 254 encrypted versions of ks can be generated and transmitted to every receiver. However, each receiver can decrypt only one version of the encrypted ks. When tracing one decryption key installed in a PR, a key that is different from ks is used in some of the versions. That is, the receivers that receive the encrypted different key cannot recover the content, and the other receivers can recover the content. If the PR can recover the content, the decryption key installed in the PR is included in the receivers that can recover the content. Like this, the group size of suspicious receivers is lessened and finally, the decryption key used in the PR is specified.

Another kind of traitor tracing scheme has been developed for tracing traitors that decrypt content and rebroadcast it to a third party illegally through communication networks. They use watermarked content to identify traitors (TTW scheme). Fiat and Tassa proposed a framework for a dynamic TTW scheme (DTT)74). DTT assigns each user to a certain subset in order to trace illegal redistributors dynamically in real time in accordance with the illegally redistributed content. Safavi-Naini and Wang took an alternative approach (STT) that uses predefined watermark allocation. It does not need to dynamically assign watermarks and is secure against a delayed redistribution attack133). Ogawa et al. improved STT and proposed another scheme (TrTT)122), whose network cost is lower than STT's. TrTT requires fewer dynamic computations than DTT does, and it does not need to make a dynamic computation in real time. Jin and Lotspiech claimed that a protection should not increase the bandwidth by more than 10% and proposed a tracing method for several pieces of content92). Kiayias and Pehlivanoglu proposed a message-trace and revoke scheme that does not have any limitation in regard to revoked users96). Phan, Pointcheval, and Strefler proposed a scheme with a constant size128).

Recent trends are to construct systems combining watermarking, collusion-resistant codes, and traitor tracing schemes65)66)86)118), and the way to combine them depends on the application's requirements.

2.4 Security Technologies related to Broadcasting Services

A lot of recordable machines, such as DVD, Blu-ray, HDD recorders, etc., have network connections, and can transmit recorded content to the other machines in the home network. At that transmission, the content copyright must be protected, and a technology, Digital Transmission Content Protection (DTCP), was standardized. Every machine connected under the DTCP standard has its own certificate and controls content transmission. That is, a machine without a certificate does not get any content through the network.

Recordable media, such as DVD, Blu-ray, etc., have their own content protection methods, which protect content from illegal copy. CSS was developed for DVD and AACS was developed for Blu-ray.

3. Privacy Preserving for Bi-directional Broadcasting Services

Several hybrid services combining the functionalities and resources of broadcasting and communications networks have been developed. Hulu12) in the US is an online video service that offers TV programs and movies through the Internet. All content is provided by broadcasters, such as NBC, FOX, and ABC, and movie companies. HbbTV10)11) is a pan-European initiative aimed at harmonizing broadcast and broadband delivery of entertainment through digital TVs and set-top boxes. Its services include video on demand (VoD) as well as program-related services such as digital text and electronic program guides (EPGs). The founding members of the HbbTV consortium consist of European television broadcasters and consumer electronics companies. YouView17) in the UK is a hybrid service that offers high-definition TV, catch-up TV, and Internet


services such as YouTube and Facebook through digital TVs and set-top boxes. YouView is jointly being developed by broadcasters (BBC, ITV, Channel 4, and Channel 5) and information and communication companies (TalkTalk, BT, and Arqiva). Korean broadcasters (KBS, MBC, SBS, and EBS) started Open Hybrid TV (OHTV) in 2013, which combines terrestrial digital TV and the Internet14)101). They are cooperating with TV manufacturers, such as Samsung Electronics, LG Electronics, and Net&TV, and academia in the standardization of OHTV. In OHTV, broadcasters provide users with services such as advanced EPGs, VoD, video bookmarking, advertising, etc. In Japan, NHK and commercial broadcasters have launched Hybridcast4)5)13)37), which leverages the functions of communications networks to enhance existing digital broadcasting services to provide customization, social networking, related program recommendations, and interaction with portable devices. In addition, other hybrid services, such as Smart TV Box for cable TV15) and SyncCAST16), are being developed.

In the beginning of these services, catch-up TV services were provided. Currently, new services that use broadcast and broadband content with accurate synchronization are planned to be provided. Moreover, there are services in which applications in a mobile terminal can access information related to a TV program, and subscribers can enjoy the applications and the TV program simultaneously.

These services have been developed after TV sets got Internet connection. This connection leads to another kind of TV service, bi-directional broadcasting services.

3.1 Model of Bi-directional Broadcasting Services

Figure 3 shows a model of bi-directional broadcasting services. A broadcaster transmits content to all subscribers through the air, and arbitrary content providers may transmit content to their subscribers through the network. The viewing history of each subscriber is stored in his/her set-top-box (STB). Some service providers including broadcasters and content providers get the viewing history and analyze it to know the subscriber's preferences. The providers then recommend specific services to each subscriber according to his/her preferences.

Fig. 3 Bi-Directional Broadcasting Service Model (figure: a Broadcaster and a Content Provider deliver content to Subscriber A; Service Provider A through Service Provider Z obtain the viewing history and return recommendations)

3.2 Security Requirements

Even if it is a new service, copyright has to be preserved. Hence, conventional copyright protection techniques continue to be used. This is the first security requirement.

In addition, for the copyright protection, access control to the content is effective. In particular, when a network connection is used for the service, user authentication is often used for this purpose. Conventional user authentication schemes are improved and should be used for the new services. Subsequently, effective user authentication is the second requirement.

Moreover, preserving private information may be important. The viewing history in Fig. 3 may be critical private information and should be preserved from the viewpoint of privacy preserving. Service providers cannot provide personal services to each user if they cannot obtain the user's private information, and they want as much private information as possible. However, there are some providers that use the information for the wrong purpose, so the information should not be opened publicly. Even when the providers will not use the information in the wrong way, eventually the stored information may be leaked through some security holes in the system. These cases mean that the private information is useful for the new broadcasting services, and that the information should be preserved adequately. Hence, the third requirement is privacy preserving.

The techniques regarding the copyright protection were described in Sect. 2. The techniques regarding the user authentication and privacy preserving will be described in Sects. 3.3 and 3.4.

3.3 User Authentication

Password (PW) authentication schemes are the most widely used authentication technologies. In the content distribution business including pay-TV services, such technologies are used.

Basically, each user's identifier (ID) and PW are stored in a PW database (PWDB) implemented in a service provider. The stored PW is not a plaintext but


a hash value of the PW. When a user's authentication is necessary, a hash value of the user's PW is calculated in the user's terminal, and the pair of his/her ID and the hash value is sent to the provider. If the pair is included in the DB, the user is authenticated.

A lot of attacks have been developed against PW authentication schemes. One of the attacks is an on-line attack, such that the attackers input distinct IDs and hash values of PWs multiple times in on-line services. When the attacker obtains a PWDB that stores users' IDs and PWs, another attack, an off-line attack, is possible. The off-line attack does not need an on-line connection, and the attacker can use the PWDB without any restriction until finding a correct ID and PW pair(s). Some of the off-line attacks are very fast by using a rainbow table, which is another DB of IDs and hash values of PWs. The attacker only needs a comparison of the values in the rainbow table and those in the PWDB.

In addition, social engineering attacks have been developed. The attackers collect a certain user's information and guess the user's PW based on the information. Almost all users make their PWs based on their experiences or facts related to themselves, and subsequently, the social engineering attacks are a considerable threat.

Countermeasures have been developed. An effective countermeasure against on-line attacks is that the ID is frozen after a number of failures of authentication. An effective countermeasure against off-line attacks using a rainbow table is to use a salt that is used when the hash value of a PW is calculated.

It is not easy to take countermeasures against the social engineering attacks, and a lot of analysis has been tried. The National Institute of Standards and Technology (NIST) addresses the entropy of PWs6). When making a PW with 8 characters from 94 printable ISO characters, the entropy of a PW chosen randomly is 52.7 bit (94^8 ≈ 2^52.7) and that of a PW chosen by a user is about 18 bit. All users are human beings and the characters they choose are biased. Weir et al. analyzed thirty-two million PWs that were actually leaked and showed that the entropy of the user-chosen PW is less than the value NIST published160). In addition, they analyzed the way to create a PW and showed the results. Table 1 shows the results. Moreover, the rates of used special characters under the condition of containing special characters are in Table 2. As you see, they are heavily biased.

There are some researches to create a PW with strong security. A lot of Web sites introduce a PW policy. The policy is a rule to create a PW, e.g. PW length, prohibition of using the ID as its PW, use of some special characters or digits, etc. Kelley et al. analyzed PW policies and showed that 16-character PWs tend to be more secure than the ones created under a policy with a lot of items, such as at least 8 characters, not included in a dictionary, including both uppercase and lowercase letters, including special characters, including digits, etc. In addition, the policy works more effectively than the prospectives of NIST.

A PW meter is a measurement tool to strengthen the security level of the PW. The tool calculates a certain value according to the PW length and its entropy. The entropy is calculated based on the characteristics of the PW, e.g. whether it includes both uppercase and lowercase letters, digits, special characters, etc. Ur et al. reported154) that the PWs created by using the PW meter are stronger than those created without the meter.

It should be noted that these properties are useful to calculate the strength against brute force attacks. This means that, when the user does not create a PW randomly, there is another efficient attack. The user's habit is analyzed and used for the attack. Naturally, the function against such an attack has been installed into the tool, but the function is not perfect.

Currently, biometric authentication and belongings authentication in addition to the PW are often introduced.

3.4 Privacy Preserving

(a) Group Signature

The most useful method to preserve privacy is to use services anonymously, and for this purpose, group signature (GS) schemes have been developed.

The notion of GS schemes was advocated by Chaum and van Heyst67). Following this seminal work, many attempts were made at designing secure and efficient GS schemes, e.g. 25)26)60)–62)67)75)83)114)145). Camenisch and Stadler63) proposed the first GS scheme whose efficiency is independent of the number of users, and Ateniese et al.25) constructed another scheme with such efficiency and provable security. Bellare, Micciancio and Warinschi42) then proposed a simple security definition that was stronger than any previous one. In particular, Bellare, Shi and Zhang43) proposed a variant of the definition in which users are allowed to join dynamically. Sakai et al.136) introduced the notion of opening soundness, which requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. This led to research on group signature schemes in which members can join and leave after the group has been initially set up43)136).
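The two countermeasures of Sect. 3.3, a per-user salt against off-line attacks with a precomputed table and freezing the ID after repeated failures against on-line attacks, as an added Python example that is not from the paper. The candidate password list and user names are constructed; the salted hash is PBKDF2-HMAC-SHA256 from the standard library; and, as a design choice of this example rather than the paper's description, the salt is applied where the PWDB lives, on the provider side, since a salt that the terminal does not know cannot be applied in the terminal.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def unsalted_hash(pw: str) -> str:
    """The weak storage format: one fixed hash per password, so a table of
    hash -> password computed once matches every PWDB that uses it."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh random salt per user
    makes the same password hash differently in every row, so a table computed
    ahead of time matches nothing."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


# Constructed list of common passwords standing in for a precomputed table
COMMON_PASSWORDS = ["password", "letmein1", "Summer2017", "qwerty!"]


def precomputed_table(candidates) -> dict:
    return {unsalted_hash(c): c for c in candidates}


def table_recovers(pw: str = "Summer2017"):
    """Store the same password both ways; return what the table recovers for each
    (the password for the unsalted row, None for the salted one)."""
    table = precomputed_table(COMMON_PASSWORDS)
    unsalted_hit = table.get(unsalted_hash(pw))
    salted_hit = table.get(salted_hash(pw, os.urandom(16)).hex())
    return unsalted_hit, salted_hit


class PWDB:
    """ID -> (salt, hash) store with the on-line countermeasure: the ID is frozen
    after max_failures consecutive failed authentications."""

    def __init__(self, max_failures: int = 5):
        self.rows = {}
        self.failures = {}
        self.frozen = set()
        self.max_failures = max_failures

    def register(self, uid: str, pw: str) -> None:
        salt = os.urandom(16)
        self.rows[uid] = (salt, salted_hash(pw, salt))

    def authenticate(self, uid: str, pw: str) -> bool:
        if uid in self.frozen or uid not in self.rows:
            return False
        salt, stored = self.rows[uid]
        if hmac.compare_digest(stored, salted_hash(pw, salt)):
            self.failures[uid] = 0
            return True
        self.failures[uid] = self.failures.get(uid, 0) + 1
        if self.failures[uid] >= self.max_failures:
            self.frozen.add(uid)
        return False
```

`hmac.compare_digest` keeps the comparison constant-time, and the iteration count makes each guess cost the attacker as much as it costs the provider, which is the point of an iterated hash even when the salt already defeats precomputation.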


Table 1 How to create a password?
  Condition                  Results
  Contain digit              64.28% add digits to the end of a word
  Contain uppercase letter   53.56% use only uppercase letters
                             35.69% use an uppercase letter at the top of a word
  Contain special character  28.50% use a special character at the end of a word

Table 2 Rate of used special characters
  Special character        Rate
  .                        17.81%
  (lost in extraction)     14.72%
  !                        11.34%
  -                        10.25%

Ogawa et al.121) proposed a scheme with linkability, which enables showing the services the identical user has obtained. In addition, considering security against attacks using a quantum computer, lattice-based group signature schemes have been studied. Gordon, Katz and Vaikuntanathan78) proposed a scheme with linear size in the number of group members. Laguillaumie et al.100) decreased the signature length to be logarithmic in the number of group members. Ling, Nguyen, and Wang108) improved its efficiency and proposed a scheme with a shorter signature. Benhamouda et al.44) described a signature using two security assumptions simultaneously: lattice and discrete-logarithm-related assumptions. Libert et al.107) proposed a scheme with a simple and dynamic joining mechanism.

(b) Anonymity of data

There is another anonymity technology, which processes the data of a database anonymously. It is often said that deleting users' identities from the database is insufficient for data anonymity. As a countermeasure, a k-anonymity technology was developed by Sweeney149). k-anonymity is a technology that makes it impossible to single out fewer than k identities from the (modified) data. For example, the modified data does not include any identity, and more than k items have the identical attributes. To be more secure, Pk-anonymity was proposed by Ikarashi, Chida, and Takahashi89). In this technology, before the k-anonymization, the items are randomly shuffled with probability p.

(c) Access Control to Database

In the model of Fig. 3, the subscriber's viewing history is provided to the service providers directly. When the number of service providers is small, there is no problem. On the other hand, when the number is large, the CPU cost of the STB becomes large. The larger the number is, the more services the subscriber can obtain, and it is preferable for the subscriber that the number is large. In this case, it is efficient that the viewing histories are stored in a server and that any service provider can read the data. However, some subscribers do not want to show their viewing histories freely and want to control the access of the providers. The attribute-based encryption (ABE) scheme can control the decryption of the users and can be used for this purpose. Ohtake, Ogawa, and Safavi-Naini proposed an access control system using an attribute-based encryption scheme123).

ABE controls the decryption of users according to the users' attributes. When certain data is encrypted, the attributes of the users that can decrypt the data are set. The concept of ABE was first proposed by Sahai and Waters134), which considers threshold access structures. Goyal et al.79) proposed the first key policy ABE (KP-ABE) for monotone Boolean formulae. The policy is the way how to use the attributes, e.g. attribute A 'AND' attribute B, attribute A 'OR' attribute B, attribute A 'XOR' attribute B, etc. The policy is included in the decryption key in the KP-ABE schemes. There are other schemes, in which the policy is described in the ciphertext, and these schemes are called ciphertext policy ABE (CP-ABE) schemes. Bethencourt, Sahai, and Waters proposed the first CP-ABE47). Subsequently, many ABE schemes featuring better efficiency, more expressive policy, or improved security have been proposed20)27)–29)31)–34)68)77)87)102)–105)124)–126)132)157)158)162). In addition, there are ABE schemes that can set the range of attributes in the policy30)76)93)94)127)141).

4. Other Technologies for Enriched Broadcasting Services

When considering the growth of hybrid TV services such as Hybridcast, a CPU in a TV set has to process a lot of things. However, various types of CPUs, from basic to high-end, are used in TV sets. In a TV set, hardware descrambles and decompresses broadcasting signals and reproduces audio and video content, while other processing is performed by a built-in CPU. The CPU carries out many tasks almost constantly under full (100%) load. Hence, CPU resource contention between TV functions and applications that must run seamlessly could occur.

between TV functions and applications that must run seamlessly could occur. Powerful CPUs can perform a variety of functions; however, low-end CPUs have restrictions. Manufacturers are trying to evolve these CPUs so that they can run applications that connect to the Internet. To lower the cost, most TV sets use low-end CPUs.
When adding a cryptographic feature on top of these functions, a cryptographic method that requires only a small amount of memory and puts a small load on the CPU is preferable. The cryptographic function is implemented in software, as one of the applications or as a part of an application. Therefore, a cryptographic algorithm that uses less CPU time has a higher practical value.
Developing lightweight software is important, and developing a lightweight cryptographic algorithm to be used in that software is also important. Currently, a lot of lightweight cryptographic methods have been proposed, e.g., CLEFIA21), LED85), Midori37), Piccolo144), PRESENT53), SIMON40), Skinny41), 40), TWINE148), ChaCha2045), Keccak46), PHOTON84), SPONGENT52), SipHash35), etc. Moreover, the CAESAR competition, concerning authenticated encryption that provides both authentication and encryption, is being held, and a lot of lightweight authenticated encryption schemes have been proposed. The third-round candidates of the competition3) are as follows: ACORN, AEGIS, AES-OTR, AEZ, Ascon, CLOC and SILC, COLM, Deoxys, JAMBU, Ketje, Keyak, MORUS, NORX, OCB, and Tiaoxin.
As you can see, there are too many candidates to choose from. CRYPTREC has therefore published a draft "Cryptographic Technology Guideline (Lightweight )" to help users.

5. Conclusion
When new services are constructed, new security requirements will arise, and new efficient security technologies that meet those requirements will be necessary. New frameworks on which all the services work with a high level of security are required.

References
1) ARIB, "Conditional Access System Specifications for Digital Broadcasting," ARIB STD-B25, 2007.
2) ARIB, "Conditional Access System (Second Generation) and CAS Program Download System Specifications for Digital Broadcasting," ARIB STD-B61, 2017 (In Japanese).
3) CAESAR, "CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness," https://competitions.cr.yp.to/caesar-submissions.html
4) IPTV Forum Japan, "Integrated Broadcast-Broadband System Specification," http://www.iptvforum.jp/download/docs/files/HybridcastSystem20e.pdf
5) IPTV Forum Japan, "HTML5 Browser Specification," http://www.iptvforum.jp/download/docs/files/HTML5Browser21e.pdf
6) NIST, "NIST Special Publication 800-63-2, Electronic Authentication Guideline," http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf, 2013.
7) "Friio," http://www.friio.com/
8) ITmedia news, http://www.itmedia.co.jp/news/articles/1205/21/news063.html (in Japanese)
9) JEITA Report, "Number of Digital TV Receivers," http://www.jeita.or.jp/japanese/stat/digital/2011/07.html (In Japanese).
10) http://www.hbbtv.org/
11) HbbTV, "ETSI TS 102 796 V1.2.1 Errata 2," https://www.hbbtv.org/pages/about_hbbtv/TS102796-v121-errata-2.pdf
12) http://www.hulu.com/
13) http://www.nhk.or.jp/hybridcast/online/
14) http://www.urlkor.com/w.ohtv.kr (in Korean)
15) http://www.cableplus.jp/smart-tv-box/
16) http://www.synccast.jp/
17) http://www.youview.com/
18) M. Abomhara, O. Zakaria, O. O. Khalifa, A. A. Zaidan, and B. B. Zaidan, "Enhancing Selective Encryption for H.264/AVC using Advanced Encryption Standard," Int. Journal of Computer Theory and Engineering, Vol.2, No.2, pp.223-229, 2010.
19) P. Agraval and M. Rajpoot, "A Fast and Secure Selective Encryption Scheme using Grid Division Method," Int. Journal of Computer Applications, Vol.51, No.4, pp.2-3, 2012.
20) S. Agrawal and M. Chase, "A study of Pair Encodings: Predicate Encryption in prime order groups," Proc. of TCC'16-A, Springer-Verlag, LNCS 9563, pp.259-288, 2016.
21) T. Akishita and H. Hiwatari, "Very compact hardware implementations of the blockcipher CLEFIA," Proc. of SAC'11, Springer-Verlag, LNCS 7118, pp.278-292, 2011.
22) K. Almarashada, A. Dawood, T. Martin, M. Al-Mualla, and H. Bhaskar, "An Optimized Selective Encryption for Video Confidentiality," Proc. of ICIAR'15, Springer-Verlag, LNCS 9164, pp.109-118, 2015.
23) A. M. Alattar, G. I. Al-Regib, and S. A. Al-Semari, "Improved Selective Encryption Techniques for Secure Transmission of MPEG Video Bit-Streams," Proc. of ICIP'99, Vol.4, pp.256-260, 1999.
24) A. M. Alattar and G. I. Al-Regib, "Evaluation of Selective Encryption Techniques for Secure Transmission of MPEG-Compressed Bit-Streams," Proc. of IEEE ISCS'99, Vol.4, pp.340-343, 1999.
25) G. Ateniese, J. Camenisch, M. Joye and G. Tsudik, "A Practical and Provably Secure Coalition-Resistant Group Signature Scheme," Proc. of Crypto'00, Springer-Verlag, LNCS 1880, pp.255-270, 2000.
26) G. Ateniese, D. Song and G. Tsudik, "Quasi-Efficient Revocation in Group Signature Schemes," IACR Cryptology ePrint Archive, http://eprint.iacr.org/2001/101.pdf, 2011.
27) N. Attrapadung, "Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More," Proc. of Eurocrypt'14, Springer-Verlag, LNCS 8441, pp.557-577, 2014.
28) N. Attrapadung, "Dual System Encryption Framework in Prime-Order Groups," IACR Cryptology ePrint Archive, http://eprint.iacr.org/2015/390.pdf, 2015.
29) N. Attrapadung, G. Hanaoka, T. Matsumoto, T. Teruya, and S. Yamada, "Attribute Based Encryption with Direct Efficiency Tradeoff," Proc. of ACNS'16, Springer-Verlag, LNCS 9696, pp.249-266, 2016.
30) N. Attrapadung, G. Hanaoka, K. Ogawa, G. Ohtake, H. Watanabe, and S. Yamada, "Attribute-Based Encryption for Range Attributes," Proc. of SCN'16, Springer-Verlag, LNCS 9841, pp.42-61, 2016.
31) N. Attrapadung, G. Hanaoka, and S. Yamada, "Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Trade-offs," Proc. of Asiacrypt'15 (1), Springer-Verlag, LNCS 9452, pp.575-601, 2015.
32) N. Attrapadung and H. Imai, "Dual-Policy Attribute Based
Encryption," Proc. of ACNS'09, Springer-Verlag, LNCS 5536, pp.168-185, 2009.
33) N. Attrapadung, B. Libert, and E. de Panafieu, "Expressive key-policy attribute-based encryption with constant-size ciphertexts," Proc. of PKC'11, Springer-Verlag, LNCS 6571, pp.90-108, 2011.
34) N. Attrapadung and S. Yamada, "Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings," Proc. of CT-RSA'15, Springer-Verlag, LNCS 9048, pp.87-105, 2015.
35) J. P. Aumasson and D. J. Bernstein, "SipHash: A Fast Short-Input PRF," Proc. of Indocrypt'12, Springer-Verlag, LNCS 7668, pp.489-508, 2012.
36) J. Aumasson, J. Nakahara Jr. and P. Sepehrdad, "Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2)," Proc. of FSE'09, pp.296-307, 2009.
37) A. Baba, K. Matsumura, S. Mitsuya, M. Takechi, H. Fujisawa, H. Hamada, S. Sunasaki, and H. Katoh, "Seamless, Synchronous, and Supportive: Welcome to Hybridcast - An advanced hybrid broadcast and broadband system," IEEE Consumer Electronics Magazine, Vol.1, No.2, pp.43-52, 2012.
38) S. Banik, A. Bogdanov, T. Isobe, K. Shibutani, H. Hiwatari, T. Akishita, and F. Regazzoni, "Midori: A block cipher for low energy," Proc. of Asiacrypt'15 (2), Springer-Verlag, LNCS 9453, pp.411-436, 2015.
39) B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang, "On the (Im)possibility of Obfuscating Programs," Proc. of Crypto'01, Springer-Verlag, LNCS 2139, pp.1-18, 2001.
40) R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, "The and SPECK families of lightweight block ciphers," IACR Cryptology ePrint Archive, http://eprint.iacr.org/2013/404.pdf, 2013.
41) C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S. M. Sim, "The SKINNY Family of Block Ciphers and its Low-Latency Variant MANTIS," Proc. of Crypto'16 (2), Springer-Verlag, LNCS 9815, pp.123-153, 2016.
42) M. Bellare, D. Micciancio and B. Warinschi, "Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions," Proc. of Eurocrypt'03, Springer-Verlag, LNCS 2656, pp.614-629, 2003.
43) M. Bellare, H. Shi and C. Zhang, "Foundations of Group Signatures," Proc. of CT-RSA'05, Springer-Verlag, LNCS 3376, pp.136-153, 2005.
44) F. Benhamouda, J. Camenisch, S. Krenn, V. Lyubashevsky, G. Neven, "Better zero-knowledge proofs for lattice encryption and their application to group signatures," Proc. of Asiacrypt'14, Springer-Verlag, LNCS 8873, pp.551-572, 2014.
45) D. J. Bernstein, "ChaCha, a variant of Salsa20," http://cr.yp.to/chacha.html, 2008.
46) G. Bertoni, J. Daemen, M. Peeters, and G. V. Assche, "The Keccak SHA-3 submission," Submission to NIST (Round 3), 2011.
47) J. Bethencourt, A. Sahai, and B. Waters, "Ciphertext-Policy Attribute-Based Encryption," Proc. of IEEE S&P'07, pp.321-334, 2007.
48) O. Billet and D. H. Phan, "Traitors Collaborating in Public: Pirates 2.0," Proc. of Eurocrypt'09, Springer-Verlag, LNCS 5479, pp.189-205, 2009.
49) O. Billet and H. Gilbert, "A Traceable Block Cipher," Proc. of Asiacrypt'03, Springer-Verlag, LNCS 2894, pp.331-346, 2003.
50) A. Bogdanov, D. Khovratovich and C. Rechberger, "Biclique Cryptanalysis of the Full AES," IACR Cryptology ePrint Archive, http://ePrint.iacr.org/2011/500.pdf, 2011.
51) A. Bogdanov, D. Khovratovich and C. Rechberger, "Biclique Cryptanalysis of the Full AES," Proc. of Asiacrypt'11, pp.344-371, 2011.
52) A. Bogdanov, M. Knežević, G. Leander, D. Toz, K. Varici, and I. Verbauwhede, "spongent: A Lightweight Hash Function," Proc. of CHES'11, Springer-Verlag, LNCS 6917, pp.312-325, 2011.
53) A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, and C. Vikkelsoe, "PRESENT: an ultra-lightweight block cipher," Proc. of CHES'07, Springer-Verlag, LNCS 4727, pp.450-466, 2007.
54) A. Boho, G. Van Wallendael, A. Dooms, J. De Cock, G. Braeckman, P. Schelkens, B. Preneel, and R. Van de Walle, "End-to-end Security for Video Distribution: the Combination of Encryption, Watermarking, and Video Adaptation," IEEE Signal Process. Mag., Vol.30, No.2, pp.97-107, 2013.
55) D. Boneh and M. Franklin, "An Efficient Public Key Traitor Tracing Scheme," Proc. of Crypto'99, Springer-Verlag, LNCS 1666, pp.338-353, 1999.
56) D. Boneh and M. Naor, "Traitor Tracing with Constant Size Ciphertext," Proc. of ACM CCS'08, pp.501-510, 2008.
57) D. Boneh, A. Sahai, and B. Waters, "Fully Collusion Resistant Traitor Tracing with Short and Private Keys," Proc. of Eurocrypt'06, Springer-Verlag, LNCS 4004, pp.573-592, 2006.
58) D. Boneh and M. Zhandry, "Multiparty , Efficient Traitor Tracing, and More from Indistinguishability Obfuscation," Proc. of Crypto'14, Springer-Verlag, LNCS 8616, pp.480-499, 2014.
59) J. Borghoff, A. Canteaut, T. Güneysu, E. B. Kavun, M. Knežević, L. R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S. S. Thomsen, and T. Yalcin, " - A low-latency for pervasive computing applications - extended abstract," Proc. of Asiacrypt'12, Springer-Verlag, LNCS 7658, pp.208-225, 2012.
60) E. Bresson and J. Stern, "Efficient Revocation in Group Signatures," Proc. of PKC'01, Springer-Verlag, LNCS 1992, pp.190-206, 2001.
61) J. Camenisch, "Efficient and Generalized Group Signature," Proc. of Eurocrypt'97, Springer-Verlag, LNCS 1233, pp.465-479, 1997.
62) J. Camenisch and M. Michels, "A Group Signature Scheme with Improved Efficiency," Proc. of Asiacrypt'98, Springer-Verlag, LNCS 1514, pp.160-174, 1998.
63) J. Camenisch and M. Stadler, "Efficient Group Signatures Schemes for Large Groups," Proc. of Crypto'97, Springer-Verlag, LNCS 1294, pp.410-424, 1997.
64) B. L. Candelore, R. A. Unger, and H. Derovanessian, "Time division partial encryption," U.S. Patent 07751560, 2010.
65) F. Chaabane, M. Charfeddine, and C.B. Amar, "A Multimedia Tracing Traitors Scheme using multi-level hierarchical Structure for Tardos Fingerprint Based Audio Watermarking," Proc. of SIGMAP'14, pp.289-296, 2014.
66) F. Chaabane, M. Charfeddine, and C.B. Amar, "Clustering Impact on Group-based Traitor Tracing Schemes," Proc. of ISDA'15, pp.440-445, 2015.
67) D. Chaum and E. van Heyst, "Group Signatures," Proc. of Eurocrypt'91, Springer-Verlag, LNCS 547, pp.257-265, 1991.
68) J. Chen, R. Gay, and H. Wee, "Improved Dual System ABE in Prime-Order Groups via Predicate Encodings," Proc. of Eurocrypt'15 (2), Springer-Verlag, LNCS 9057, pp.595-624, 2015.
69) B. Chor, A. Fiat, M. Naor, and B. Pinkas, "Tracing Traitors," IEEE Trans. on Information Theory, vol.46, no.3, pp.893-910, 2000.
70) H. Chabanne, D. H. Phan, and D. Pointcheval, "Public Traceability in Traitor Tracing Schemes," Proc. of Eurocrypt'05, Springer-Verlag, LNCS 3494, pp.542-558, 2005.
71) H. Cheng and X. Li, "On The Application of Image Decomposition to Image Compression and Encryption," Proc. of IFIP ICCMS'96, pp.116-127, 1996.
72) Y. Dodis, N. Fazio, A. Kiayias and M. Yung, "Scalable Public-Key Tracing and Revoking," Proc. of PODC'03, pp.190-199, 2003.
73) F. Dufaux and T. Ebrahimi, "Scrambling for Privacy Protection in Video Surveillance Systems," IEEE Circuits and Syst. Video Tech., Vol.18, No.8, pp.1168-1174, 2008.
74) A. Fiat and T. Tassa, "Dynamic Traitor Tracing," J. of Cryptology, vol.14, no.3, pp.211-223, 2001.
75) J. Furukawa and H. Imai, "An Efficient Group Signature Scheme from Bilinear Maps," IEICE Trans. Fundamentals, Vol. E89-A, No. 5, pp. 1328-1338, 2006.
76) R. Gay, P. Meaux, and H. Wee, "Predicate Encryption for Multi-dimensional Range Queries from Lattices," Proc. of PKC'15, Springer-Verlag, LNCS 9020, pp.752-776, 2015.
77) V. Goyal, A. Jain, O. Pandey, and A. Sahai, "Bounded Ciphertext Policy Attribute Based Encryption," Proc. of ICALP'08 (2), Springer-Verlag, LNCS 5126, pp.579-591, 2008.
78) S.D. Gordon, J. Katz, V. Vaikuntanathan, "A group signature scheme from lattice assumptions," Proc. of Asiacrypt'10, Springer-Verlag, LNCS 6477, pp.395-412, 2010.
79) V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," Proc. of ACM CCS'06, pp.89-98, 2006.
80) D. Goyal, N. Hemrajani, and S. G. Vihar, "Novel Selective Encryption for H.264 Video," Int. Journal of Information Security Science, Vol.3, No.4, pp.216-226, 2014.
81) C. Griwodz, "Video Protection by Partial Content Corruption," Proc. of ACM Multimedia'98, pp.37-39, 1998.
82) C. Griwodz, O. Merkel, J. Dittmann, and R. Steinmetz, "Protecting VoD the Easier Way," Proc. of ACM Multimedia'98, pp.21-28, 1998.
83) J. Groth, "Fully Anonymous Group Signatures without Random Oracles," Proc. of Asiacrypt'07, Springer-Verlag, LNCS 4833, pp.164-180, 2007.
84) J. Guo, T. Peyrin, and A. Poschmann, "The PHOTON Family of Lightweight Hash Functions," Proc. of Crypto'11, Springer-Verlag, LNCS 6841, pp.222-239, 2011.
85) J. Guo, T. Peyrin, A. Poschmann, and M. J. B. Robshaw, "The LED block cipher," Proc. of CHES'11, Springer-Verlag, LNCS 6917, pp.326-341, 2011.
86) A.B. Hamida, M. Koubaa, and H. Nicolas, "Hierarchical Traceability of Multimedia Documents," Proc. of IEEE CICS'11, pp.108-113, 2011.
87) S. Hohenberger and B. Waters, "Attribute-Based Encryption with Fast Decryption," Proc. of PKC'13, Springer-Verlag, LNCS 7778, pp.162-179, 2013.
88) R. N. Hole and M. Kolhekar, "Robust Video Encryption and Decryption using Selective Encryption," Proc. of IEEE ICNTE'17, 2017.
89) D. Ikarashi, K. Chida, and K. Takahashi, "A Probabilistic Extension of k-Anonymity," Proc. of CSS'09, E7-4, 2009 (in Japanese).
90) T. Iwata, K. Minematsu, J. Guo, and S. Morioka, "CLOC: authenticated encryption for short input," Proc. of FSE'14, Springer-Verlag, LNCS 8540, pp.149-167, 2014.
91) S. Jeong, E. Lee, S. Lee, Y. Chung, and B. Min, "Slice-Level Selective Encryption for Protecting Video Data," Proc. of IEEE ICOIN'11, pp.54-57, pp.1-2, 2011.
92) H. Jin and J. Lotspiech, "Renewable traitor tracing: A trace-revoke-trace system for anonymous attack," Proc. of Esorics'07, Springer-Verlag, LNCS 4734, pp.563-577, 2007.
93) K. Kasamatsu, T. Matsuda, K. Emura, N. Attrapadung, G. Hanaoka, and H. Imai, "Time-Specific Encryption from Forward-Secure Encryption," Proc. of SCN'12, Springer-Verlag, LNCS 7485, pp.184-204, 2012.
94) K. Kasamatsu, T. Matsuda, G. Hanaoka, and H. Imai, "Ciphertext Policy Multidimensional Range Encryption," Proc. of ICISC'12, Springer-Verlag, LNCS 7839, pp.247-261, 2012.
95) A. Kiayias and M. Yung, "On Crafty Pirates and foxy Tracers," Proc. of ACM DRM'01, pp.22-39, 2001.
96) A. Kiayias and S. Pehlivanoglu, "Tracing and Revoking Pirate Rebroadcasts," Proc. of ACNS'09, Springer-Verlag, LNCS 5536, pp.253-271, 2009.
97) T. Kunkelmann and R. Reinema, "A Scalable Security Architecture for Multimedia Communication Standards," Proc. of IEEE ICMCS'97, pp.660-661, 1997.
98) K. Kurosawa and Y. Desmedt, "Optimum Traitor Tracing and Asymmetric Schemes," Proc. of Eurocrypt'98, Springer-Verlag, LNCS 1403, pp.145-157, 1998.
99) K. Kurosawa and T. Yoshida, "Linear Code Implies Public-Key Traitor Tracing," Proc. of PKC'02, Springer-Verlag, LNCS 2274, pp.172-187, 2002.
100) F. Laguillaumie, A. Langlois, B. Libert, D. Stehlé, "Lattice-based group signatures with logarithmic signature size," Proc. of Asiacrypt'13, Springer-Verlag, LNCS 8270, pp.41-61, 2013.
101) D. Lee, M. Lee, and D. Kang, "OHTV (open hybrid TV) service platform based on terrestrial DTV," Proc. of ICACT'10, IEEE Press, pp.399-402, 2010.
102) A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, "Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption," Proc. of Eurocrypt'10, Springer-Verlag, LNCS 6110, pp.62-91, 2010.
103) A. Lewko, A. Sahai, and B. Waters, "Revocation Systems with Very Small Private Keys," Proc. of IEEE S&P'10, pp.273-285, 2010.
104) A. Lewko and B. Waters, "Decentralizing Attribute-Based Encryption," Proc. of Eurocrypt'11, Springer-Verlag, LNCS 6632, pp.568-588, 2011.
105) A. Lewko and B. Waters, "New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques," Proc. of Crypto'12, Springer-Verlag, LNCS 7417, pp.180-198, 2012.
106) Y. Li, Z. Chen, S. Tan, and R. H. Campbell, "Security Enhanced MPEG Player," Proc. of IEEE IWMS'96, pp.169-175, 1996.
107) B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang, "Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions," Proc. of Asiacrypt'16, Springer-Verlag, LNCS 10032, pp.373-403, 2016.
108) S. Ling, K. Nguyen, H. Wang, "Group signatures from lattices: simpler, tighter, shorter, ring-based," Proc. of PKC'15, Springer-Verlag, LNCS 9020, pp.427-449, 2015.
109) T. D. Lookabaugh, D. C. Sicker, D. M. Keaton, W. Y. Guo, and I. Vedula, "Security Analysis of Selectively Encrypted MPEG-2 Streams," Proc. of SPIE'03, Vol.5241, pp.10-21, 2003.
110) T. Matsushita and H. Imai, "A Public-Key Black-Box Traitor Tracing Scheme with Sublinear Ciphertext Size Against Self-Defensive Pirates," Proc. of Asiacrypt'04, Springer-Verlag, LNCS 3329, pp.260-275, 2004.
111) S. Mitsunari, R. Sakai, and M. Kasahara, "A New Traitor Tracing," IEICE Trans. on Fundamentals, vol.E85-A, no.2, pp.481-484, 2002.
112) D. Naor, M. Naor, and J. Lotspiech, "Revocation and Tracing Schemes for Stateless Receivers," Proc. of Crypto'01, Springer-Verlag, LNCS 2139, pp.41-62, 2001.
113) M. Naor and B. Pinkas, "Efficient Trace and Revoke Schemes," Proc. of FC'00, Springer-Verlag, LNCS 1962, pp.1-20, 2000.
114) L. Nguyen and R. Safavi-Naini, "Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings," Proc. of Asiacrypt 2004, Springer-Verlag, LNCS 3329, pp.372-386, 2004.
115) R. Nishimaki, D. Wichs, and M. Zhandry, "Anonymous Traitor Tracing: How to Embed Arbitrary Information in a Key," Proc. of Eurocrypt'16, Springer-Verlag, LNCS 9666, pp.388-419, 2016.
116) Y. Nishimoto, H. Kawakita, C. Yamamura, T. Nakagawa, and T. Inoue, "A Downloadable Conditional Access System for Satellite Broadcasting," Proc. of IEEE ICCE'14, pp.584-585, 2014.
117) K. Ogawa, G. Hanaoka and H. Imai, "Traitor Tracing Scheme Secure against Key Exposure and its Application to Anywhere TV service," IEICE Trans. Fundamentals, vol.E90-A, no.5, pp.1000-1011, 2007.
118) K. Ogawa, G. Hanaoka, and H. Imai, "How to Make Traitor Tracing Schemes Secure against a Content Comparison Attack in Actual Services," IEICE Trans. on Fundamentals of Electronics Communication and Computer Sciences, Vol.E100-A, No.1, pp.34-49, 2017.
119) K. Ogawa and T. Inoue, "Practically Secure Update of Scrambling Scheme," Proc. of IEEE BMSB'15, MM-15-013, 2015.
120) K. Ogawa and T. Inoue, "A Scrambling Scheme Updating Method in Broadcasting Services," ITE Journal, Vol.69, No.12, pp.J344-J354, 2015 (in Japanese).
121) K. Ogawa, G. Ohtake, A. Fujii, and G. Hanaoka, "Weakened Anonymity of Group Signature and its Application to Subscription Services," IEICE Trans. Fundamentals, Vol.E97-A, No.6, 2014.
122) G. Ohtake, K. Ogawa, G. Hanaoka, and H. Imai, "A Trade-Off Traitor Tracing Scheme," IEICE Trans. Information and Systems, vol.E92-D, no.5, pp.859-875, 2009.
123) G. Ohtake, K. Ogawa, and R. Safavi-Naini, "Privacy Preserving System for Integrated Broadcast-broadband Services using Attribute-Based Encryption," IEEE Trans. on Consumer Electronics, Vol.61, No.3, pp.328-335, 2015.
124) T. Okamoto and K. Takashima, "Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption," Proc. of Crypto'10, Springer-Verlag, LNCS 6223, pp.191-208, 2010.
125) T. Okamoto and K. Takashima, "Fully Secure Unbounded Inner-Product and Attribute-Based Encryption," Proc. of Asiacrypt'12, Springer-Verlag, LNCS 7658, pp.349-366, 2012.
126) R. Ostrovsky, A. Sahai, and B. Waters, "Attribute-Based Encryption with Non-Monotonic Access Structures," Proc. of ACM CCS'07, pp.195-203, 2007.
127) K. Paterson and E. Quaglia, "Time-Specific Encryption," Proc. of SCN'10, Springer-Verlag, LNCS 6280, pp.1-16, 2010.
128) D. H. Phan, D. Pointcheval, and M. Strefler, "Message-Based Traitor Tracing with Optimal Ciphertext Rate," Proc. of Latincrypt'12, Springer-Verlag, LNCS 7533, pp.56-77, 2012.
129) L. Qiao, K. Nahrstedt, and M. Tam, "Is MPEG encryption by
using random list instead of zigzag order secure?," Proc. of IEEE ISCE'97, pp.226-229, 1997.
130) L. Qiao and K. Nahrstedt, "A New Algorithm for MPEG Video Encryption," Proc. of CISST'97, pp.21-29, 1997.
131) L. Qiao and K. Nahrstedt, "Comparison of MPEG Encryption Algorithms," J. of Computer and Graphics, Vol.22, pp.437-448, 1998.
132) Y. Rouselakis and B. Waters, "Practical Constructions and New Proof Methods for Large Universe Attribute-Based Encryption," Proc. of ACM CCS'13, pp.463-474, 2013.
133) R. Safavi-Naini and Y. Wang, "Sequential Traitor Tracing," IEEE Trans. Information Theory, vol.49, no.5, pp.1319-1326, 2003.
134) A. Sahai and B. Waters, "Fuzzy Identity-Based Encryption," Proc. of Eurocrypt'05, Springer-Verlag, LNCS 3494, pp.457-473, 2005.
135) M. Saini, P. Atrey, S. Mehrotra, and M. Kankanhalli, "Anonymous Surveillance," Proc. of IEEE ICME'11, pp.1-60, 2011.
136) Y. Sakai, J. C. N. Schuldt, K. Emura, G. Hanaoka and K. Ohta, "On the Security of Dynamic Group Signatures: Preventing Signature Hijacking," Proc. of PKC'12, Springer-Verlag, LNCS 7293, pp.715-732, 2012.
137) Z. Shahid, M. Chaumont, and W. Puech, "Fast Protection of H.264/AVC by Selective Encryption of CABAC," Proc. of IEEE ICME'09, pp.1038-1041, 2009.
138) Z. Shahid and W. Puech, "Visual Protection of HEVC video by Selective Encryption of CABAC Binstrings," IEEE Trans. Circuits System. Video Tech., Vol.22, No.3, pp.325-339, 2012.
139) S. Sharma and P.K. Pateriya, "A Study on Different Approaches of Selective Encryption Technique," Int. Journal of Computer Science & Communication Networks, Vol.2, No.6, pp.658-662, 2012.
140) H. Shen, L. Zhuo, and Y. Zhao, "An Efficient Motion Reference Structure based Selective Encryption Algorithm for H.264 Videos," IEEE IET Information Security, Vol.8, No.3, pp.199-206, 2014.
141) E. Shi, J. Bethencourt, H. Chan, D. Song, and A. Perrig, "Multi-Dimensional Range Query over Encrypted Data," Proc. of the IEEE S&P'07, pp.350-364, 2007.
142) C. Shi and B. K. Bhargava, "An Efficient MPEG Video Encryption Algorithm," Proc. of IEEE SRDS'98, pp.381-386, 1998.
143) C. Shi and B. K. Bhargava, "A Fast MPEG Video Encryption Algorithm," Proc. of ACM Multimedia'98, pp.81-88, 1998.
144) K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, and T. Shirai, "Piccolo: An Ultra-Lightweight Blockcipher," Proc. of CHES'11, Springer-Verlag, LNCS 6917, pp.342-357, 2011.
145) D. Song, "Practical Forward-Secure Group Signature Schemes," Proc. of ACM CCS'01, pp.225-234, 2001.
146) G. A. Spanos and T. B. Maples, "Performance Study of a Selective Encryption Scheme for the Security of Networked, Real-Time Video," Proc. of ICCCN'95, pp.2-10, 1995.
147) D. R. Stinson and R. Wei, "Key Preassigned Traceability Schemes for Broadcast Encryption," Proc. of SAC'98, Springer-Verlag, LNCS 1556, pp.144-156, 1998.
148) T. Suzaki, K. Minematsu, S. Morioka, and E. Kobayashi, "TWINE: A lightweight block cipher for multiple platforms," Proc. of SAC'12, Springer-Verlag, LNCS 7707, pp.339-354, 2012.
149) L. Sweeney, "k-anonymity: a model for protecting privacy," International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, Vol. 10.5, pp.567-570, 2002.
150) L. Tang, "Methods for encrypting and decrypting MPEG video data efficiently," Proc. of ACM Multimedia'96, pp.219-229, 1996.
151) V. D. To, R. Safavi-Naini, and F. Zhang, "New traitor tracing schemes using bilinear map," Proc. of ACM DRM'03, pp.67-76, 2003.
152) L. Tong, F. Dai, Y. Zhang, and J. Li, "Restricted H.264/AVC Video Coding for Privacy Region Scrambling," Proc. of IEEE ICIP'10, pp.2089-2092, 2010.
153) T. Uehara and R. Safavi-Naini, "Chosen DCT Coefficients Attack on MPEG Encryption Scheme," Proc. of IEEE PRCM'00, pp.316-319, 2000.
154) B. Ur, P.G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L. F. Cranor, "How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation," Proc. of USENIX Security Symposium'12, pp.65-80, 2012.
155) . Wang and X. Wang, "A New Selective Video Encryption Algorithm for the H.264 Standard," Proc. of IEEE PIC'16, pp.275-279, 2014.
156) Y. Wang, M. O'Neill, and F. Kurugollu, "Adaptive Binary Mask for Privacy Region Protection," Proc. of IEEE ISCAS'12, pp.97-107, 2012.
157) B. Waters, "Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization," Proc. of PKC'11, Springer-Verlag, LNCS 6571, pp.53-70, 2011.
158) H. Wee, "Dual System Encryption via Predicate Encodings," Proc. of TCC'14, Springer-Verlag, LNCS 8349, pp.616-637, 2014.
159) Z. Wei, Y. Wu, X. Ding, and R.H. Deng, "A Scalable and Format-compliant Encryption Scheme for H.264/SVC bitstreams," Sig. Process. Image Commun., Vol.27, No.9, pp.1011-1024, 2012.
160) M. Weir, S. Aggarwal, M. Collins, and H. Stern, "Testing metrics for password creation policies by attacking large sets of revealed passwords," Proc. of ACM CCS'10, pp.162-175, 2010.
161) C. Xiao, L. Wang, Z. Jie, and T. Chen, "A Multi-level Intelligent Selective Encryption Control Model for Multimedia Big Data Security in Sensing Systems with Resource Constraints," Proc. of IEEE ICCSCloud'16, 2016.
162) S. Yamada, N. Attrapadung, G. Hanaoka, and N. Kunihiro, "A Framework and Compact Constructions for Non-monotonic Attribute-Based Encryption," Proc. of PKC'14, Springer-Verlag, LNCS 8383, pp.275-292, 2014.
163) S. Yang and S. Sun, "A Video Encryption Method based on Chaotic Maps in DCT domain," Prog. Nat. Sci., Vol.18, No.10, pp.1299-1304, 2008.
164) S.-K.A. Yeung, S. Zhu, and B. Zeng, "Partial Video Encryption based on Alternative Transforms," IEEE Signal Process. Letter, Vol.16, No.10, pp.893-896, 2009.
165) H. H. Yu, "Scalable encryption for multimedia content access control," Proc. of ICME'03, Vol.1, pp.633-636, 2003.

Kazuto Ogawa received the B.E. and Ph.D. degrees from the University of Tokyo in 1987 and 2008, respectively. He joined NHK (Japan Broadcasting Corporation) in 1987. He has mainly engaged in research and development on video image processing systems and digital content rights management systems. He is currently a research engineer of NHK Science & Technology Research Laboratories.
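For the k-anonymity discussion in (b) Anonymity of data above, an added example that is not code from the paper or from Sweeney's work: it measures k on a viewing-history table whose identities have already been deleted, and coarsens the quasi-identifiers until every combination of them is shared by at least k rows. The table, the quasi-identifier columns and the generalization ladder are constructed for the example; the shuffling step of Pk-anonymity is not modelled.

```python
"""Added example: checking and enforcing k-anonymity on a viewing-history table.
Identities are already deleted, which the text says is insufficient: the remaining
quasi-identifiers (postcode, age, gender) still single out individuals until they
are generalized so that every combination is shared by at least k rows."""
from collections import Counter

# Constructed sample table; "viewed" is the sensitive value that must not be linkable.
RECORDS = [
    {"postcode": "1500001", "age": 34, "gender": "F", "viewed": "drama"},
    {"postcode": "1500002", "age": 37, "gender": "F", "viewed": "news"},
    {"postcode": "1500003", "age": 31, "gender": "M", "viewed": "sports"},
    {"postcode": "1500004", "age": 39, "gender": "M", "viewed": "drama"},
    {"postcode": "1600001", "age": 52, "gender": "F", "viewed": "movies"},
    {"postcode": "1600002", "age": 58, "gender": "M", "viewed": "news"},
]
QUASI_IDS = ("postcode", "age", "gender")

# Constructed generalization ladder, coarsest rung last:
# (postcode digits kept, width of the age bucket, whether gender is kept).
LADDER = [(7, 1, True), (3, 10, True), (3, 10, False), (2, 10, False), (0, 100, False)]


def equivalence_classes(records, quasi_ids):
    """Group rows by their quasi-identifier tuple; returns {tuple: row count}."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def anonymity_level(records, quasi_ids):
    """Return k, the size of the smallest equivalence class.
    k == 1 means at least one row is unique and therefore linkable to a person."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def generalize(record, postcode_digits, age_bucket, keep_gender):
    """Coarsen one row's quasi-identifiers; sensitive columns are left untouched."""
    out = dict(record)
    pc = record["postcode"]
    out["postcode"] = pc[:postcode_digits] + "*" * (len(pc) - postcode_digits)
    low = record["age"] - record["age"] % age_bucket
    out["age"] = f"{low}-{low + age_bucket - 1}"
    if not keep_gender:
        out["gender"] = "*"
    return out


def k_anonymize(records, quasi_ids, k):
    """Walk the ladder until every equivalence class has at least k rows.
    Returns (generalized table, achieved k); the last rung is returned if none suffices."""
    table, level = records, anonymity_level(records, quasi_ids)
    for rung in LADDER:
        if level >= k:
            break
        table = [generalize(r, *rung) for r in records]
        level = anonymity_level(table, quasi_ids)
    return table, level


if __name__ == "__main__":
    print("raw table, k =", anonymity_level(RECORDS, QUASI_IDS))  # 1: every row is unique
    table, k = k_anonymize(RECORDS, QUASI_IDS, 2)
    print("after generalization, k =", k)                           # 2
    for row in table:
        print(row)
```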
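For the threshold access structure of Sahai and Waters134) described in (c) Access Control to Database above, an added example that is not from the paper or from any cited scheme: the secret is Shamir-shared over a prime field with one share per attribute, so that only a party holding at least the threshold number of matching attributes recovers it, shown in both the key-policy and the ciphertext-policy orientation. The attribute universe, the field prime and the genre attributes are constructed; the pairing layer that real ABE uses to bind the shares to keys and ciphertexts is omitted.

```python
"""Added example: the Shamir-sharing core of a threshold access structure, in
key-policy and ciphertext-policy orientation. Only the access-structure logic is
shown; real ABE hides these shares in pairing-group exponents."""
import secrets

# Constructed public attribute universe; an attribute's index is its x-coordinate.
UNIVERSE = ["sports", "news", "drama", "movies", "certified", "auditor"]
# Constructed field prime (a Mersenne prime); real schemes use the pairing group order.
P = (1 << 61) - 1


def attr_x(attr):
    """Nonzero, distinct x-coordinate for each attribute of the universe."""
    return UNIVERSE.index(attr) + 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share_secret(secret, threshold, attrs):
    """Shamir-share `secret` with one share per attribute in `attrs`.
    Any `threshold` shares reconstruct the secret; fewer reveal nothing about it."""
    if not 1 <= threshold <= len(attrs):
        raise ValueError("threshold must be between 1 and the number of attributes")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {a: _eval_poly(coeffs, attr_x(a)) for a in attrs}


def _lagrange_at_zero(points):
    """Interpolate the polynomial through `points` and return its value at x = 0."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _recover(shares, threshold, attrs):
    """Return the secret iff `attrs` covers at least `threshold` share labels, else None."""
    usable = sorted(set(attrs) & set(shares))
    if len(usable) < threshold:
        return None
    return _lagrange_at_zero([(attr_x(a), shares[a]) for a in usable[:threshold]])


# Key-policy orientation (as in Goyal et al.79)): the policy lives in the user's key
# and the ciphertext is labelled with attributes.
def kp_keygen(secret, threshold, policy_attrs):
    return {"threshold": threshold, "shares": share_secret(secret, threshold, policy_attrs)}


def kp_decrypt(key, ciphertext_attrs):
    return _recover(key["shares"], key["threshold"], ciphertext_attrs)


# Ciphertext-policy orientation (as in Bethencourt et al.47)): the policy lives in the
# ciphertext and the user's key is a set of attributes.
def cp_encrypt(secret, threshold, policy_attrs):
    return {"threshold": threshold, "shares": share_secret(secret, threshold, policy_attrs)}


def cp_decrypt(ciphertext, key_attrs):
    return _recover(ciphertext["shares"], ciphertext["threshold"], key_attrs)


if __name__ == "__main__":
    # A subscriber lets only providers holding two of three genre attributes read the history.
    ct = cp_encrypt(0xC0FFEE, 2, ["sports", "news", "drama"])
    print(cp_decrypt(ct, ["sports", "drama"]) == 0xC0FFEE)  # True
    print(cp_decrypt(ct, ["sports", "movies"]))             # None
```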
