Mark Ryan's homepage t

Video authentication project

With the increasing usage of fake videos in misinformation campaigns, proving the provenance of a video is important. We are developing methods that allows a social media platform to incorporate a "Verify" button that would allow a user's device to verify the authenticity of a video with respect to a signature made by the recording device, even if the publisher has edited the video before it was published.

Why do you want to let the publisher edit the video?

The publisher may want to redact confidential parts of the video, e.g. by blurring the faces of people not relevant to the content, or by cropping the video. We assume the recording device signs the video content, together with metadata including the recording time and GPS location. We assume that the recording device has a signing key, certified by an appropriate certificate authority. The requirement to support editing means that a simple digital signature on the video file and the metadata won't work. We have developed two methods, called Eva and Arash. Each one has advantages and disadvantages. Both methods support videos using standard lossy codecs (such as H.264).

Method 1: Eva

In Eva, the publisher decides to make a sequence E of edits to a video V, resulting in a new video V'. Eva allows the publisher to create a proof of the following facts:

The video V' presented to the user has been derived from an original video V by applying the edits E.
The original video V was signed by the recording device.

The user receives the new video V' and the edits and the proof of the statements above. Note that the user does not receive the original video V, since that may have confidential redacted information. This kind of proof is called a zero-knowledge proof because it does not contain any information about the confidential ingredient V. The proof convinces the user that such a V exists, without giving them the ability to reconstruct it.

Our paper formalises the notion and security model of proofs of video authenticity and describes the cryptographic video authentication protocol (called Eva), which supports lossy codecs and arbitrary edits and is proven secure under well-established cryptographic assumptions. Compared to previous cryptographic methods for image authentication, Eva is not only capable of handling significantly larger amounts of data originating from the complex lossy video encoding but also achieves linear prover time, constant RAM usage, and constant proof size with respect to video size. Generating zero-knowledge proofs is known to be slow, but our implementation of Eva integrates the Nova folding scheme and other optimizations to make Eva practical. For a 2-minute HD (1280 × 720) video encoded in H.264 at 30 frames per second, Eva generates a 448 byte proof in about 2.4 hours on consumer-grade hardware at 2.6 μs per pixel, surpassing state-of-the-art cryptographic image authentication schemes by more than an order of magnitude in terms of prover time and proof size.

Further info:

Chengru Zhang, Xiao Yang, David Oswald, Mark D. Ryan, Philipp Jovanovic. Eva: Efficient Privacy-Preserving Proof of Authenticity for Lossily Encoded Videos. In 46th IEEE Symposium on Security and Privacy, 2025.
Prototype code

Method 2: Arash

Arash is an alternative to Eva, working in a completely different way: the camera signs some data extracted from the video. Arash is much more efficient than Eva; it can process a 2-minute 1280 × 720 video encoded in H.264 at 30 fps in a few seconds instead of 2.4 hours. However, Arash is less precise than Eva, because the resolution of the signed data might not be enough to convince the user that the video is authentic. This is a judgment that the user makes.

In Arash, the recording device divides the video into blocks. For each block, it computes a discrete cosine transform (DCT) from the pixel values in the block. It then truncates or quantises the DCT (as done in JPEG encoding), and signs hashes derived from it. A publisher can edit the video and the signatures; the signed material for blocks that are edited will be eliminated from the data that the user receives, ensuring confidentiality of the redacted material. Full details of how this works are in the (forthcoming) paper. When the user verifies the video, the user interface offers them the possibility to see a representation of the signed data, as well as a colour-coded video showing which blocks have been edited (coloured red) and which ones still match the original signature (coloured green).

Illustration of Arash

The video above shows the signed data from an original video of actor Colin Farrell (on the left), which is manipulated using DeepFake maker to replace the face with that of actor Ryan Reynolds (on the right). The data and the manipulation method come from the CelebDF paper. The visualisation on the right shows that the face replacement has been detected around the eyes, nose and mouth.

Contact

For more information, feel free to contact the team:
Chengru Zhang
Dan Fentham (dxf209 at student.bham.ac.uk)
David Oswald (David.F.Oswald at durham.ac.uk)
Mark Ryan (M.D.Ryan at bham.ac.uk)
Philipp Jovanovic
Shize Deng (sxd371 at student.bham.ac.uk)
Xiao Yang (x.yang.10 at bham.ac.uk)