ISO/IEC 23003-3:2020/DAM 2:2025(en)
ISO/IEC JTC 1/SC 29
Secretariat: JISC
Date: 2025-10-24
Information technology — MPEG audio technologies — Part 3: Unified speech and audio coding — Amendment 2: Media authenticity
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO [had/had not] received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee [or Project Committee] ISO/TC [or ISO/PC] ###, [name of committee], Subcommittee SC ##, [name of subcommittee].
This second/third/… edition cancels and replaces the first/second/… edition (ISO #####:####), which has been technically revised.
The main changes are as follows:
— xxx xxxxxxx xxx xxxx
A list of all parts in the ISO ##### series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Information technology — MPEG audio technologies — Part 3: Unified speech and audio coding — Amendment 2: Media authenticity
Add the following at the end of Clause 2:
IETF RFC 3986, Uniform Resource Identifier (URI): Generic Syntax
After Clause 4.4.1 add:
4.4.2 Audio object types
Currently, this document does not define any audio object types. The range of Object Type ID values 64 to 95 (both 64 and 95 included) is reserved. The data function UsacAotSpecificConfig(audioObjectType) is defined as empty.
NOTE – ISO/IEC 14496-3 defines Object Type ID value 42 and the associated USAC audio object type.
After Clause 4.5.4 add:
4.5.5 audioProfileLevelIndication
Currently, this document does not define any audioProfileLevelIndication values. The range of audioProfileLevelIndication values 0x70 to 0x7F (both 0x70 and 0x7F included) is reserved.
NOTE – ISO/IEC 14496-3 defines audioProfileLevelIndication values for the Baseline USAC Profile and for the Extended HE AAC Profile.
Replace Table 78 with the following:
Table 8 — Value of usacExtElementType
usacExtElementType | Value |
ID_EXT_ELE_FILL | 0 |
ID_EXT_ELE_MPEGS | 1 |
ID_EXT_ELE_SAOC | 2 |
ID_EXT_ELE_AUDIOPREROLL | 3 |
ID_EXT_ELE_UNI_DRC | 4 |
/* reserved for ISO/IEC 23008-3 use */ | 5-14 |
ID_EXT_ELE_AUTH_INFO | 15 |
/* reserved for ISO use */ | 16-127 |
/* reserved for use outside of ISO scope */ | 128 and higher |
NOTE Application-specific usacExtElementType values are mandated to be in the space reserved for use outside of ISO scope. These are skipped by a decoder as a minimum of structure is required by the decoder to skip these extensions. | |
Replace Table 86 with the following:
Table 16 — Interpretation of data blocks for USAC extension payload decoding
usacExtElementType | The concatenated usacExtElementSegmentData represents: |
ID_EXT_ELE_FIL | Series of fill_byte |
ID_EXT_ELE_MPEGS | SpatialFrame() |
ID_EXT_ELE_SAOC | SaocFrame() |
ID_EXT_ELE_AUDIOPREROLL | AudioPreRoll() |
ID_EXT_ELE_UNI_DRC | uniDrcGain() as defined in ISO/IEC 23003‑4 |
ID_EXT_ELE_AUTH_INFO | authExtension() as defined in 7.19 |
unknown | unknown data. The data block shall be discarded. |
After 7.18, add:
7.19 Media Authentication
The authExtension() syntax element is used to transmit media authentication information.
7.19.1 Media Authentication Syntax
Table XXX — Syntax of authExtension
Syntax | No. of bits | Mnemonic |
authExtension() |
|
|
{ |
|
|
numAuthExtMinus1 = escapedValue(4,4,4); | 4, 8, 12 | uimsbf |
for (i=0; i <= numAuthExtMinus1; i++) { |
|
|
authSequence | 1 | uimsbf |
authExtType | 3 | uimsbf |
switch (authExtType) { |
|
|
case AUTH_START: |
|
|
authExtConfig(); |
|
|
break; |
|
|
case AUTH_SIG: |
|
|
authExtSig(); |
|
|
break; |
|
|
case AUTH_UUID: |
|
|
authUUID(); |
|
|
break; |
|
|
case AUTH_TIME: |
|
|
authTimestamp(); |
|
|
break; |
|
|
default: |
|
|
break; |
|
|
} |
|
|
} |
|
|
} |
|
|
Table XXY — Syntax of authExtConfig
Syntax | No. of bits | Mnemonic |
authExtConfig() |
|
|
{ |
|
|
authID | 8 | uimsbf |
authHashType = escapedValue(4,8,8); | 4, 12, 20 | uimsbf |
authKeyID = escapedValue(3,8,8); | 3, 11, 19 | uimsbf |
authAddExtTypes | 1 | uimsbf |
authProvID = escapedValue(8,8,16); | 8, 16, 32 | uimsbf |
if (authProvID == 0x00) { |
|
|
authSourceURILengthMinus1 | 8 | uimsbf |
for (i=0; i<= authProvIDLengthMinus1; i++) { |
|
|
authSourceURI[i] | 8 | bslbf |
} |
|
|
} |
|
|
isAuthCRC | 1 | uimsbf |
if (authAddExtTypes){ |
|
|
authAddExtInclusion | 1 | uimsbf |
authAddExtTypeListLengthMinus1 | 7 | uimsbf |
for (i=0; i <= authAddExtTypeListLengthMinus1; i++) { |
|
|
authAddExtConfigExt[i] | 1 | blsbf |
authAddExtType[i] = escapedValue(7,8,16); | 7, 15, 31 | uimsbf |
} |
|
|
} |
|
|
} |
|
|
Table XXY — Syntax of authExtSig
Syntax | No. of bits | Mnemonic |
authExtSig() |
|
|
{ |
|
|
authID | 8 | uimsbf |
authPartialSig | 1 | uimsbf |
authABREnable | 2 | uimsbf |
numSig = 1; |
|
|
|
| |
if (authABREnable) { |
|
|
authABRBitrateAtMinMax | 2 | uimsbf |
|
| |
if (authABREnable==1) { |
|
|
if(authABRBitrateAtMinMax==1) { |
|
|
numSig = 2; |
|
|
} else { |
|
|
numSig = 3; |
|
|
} |
|
|
} |
|
|
if (authABREnable==2) { |
|
|
if(authABRBitrateAtMinMax==1) { |
|
|
numSig = 3; |
|
|
} else if(authABRBitrateAtMinMax==2) { |
|
|
numSig = 4; |
|
|
} else { |
|
|
numSig = 5; |
|
|
} |
|
|
} |
|
|
} |
|
|
for (n=0; n<numSig; n++) { |
|
|
if (authPartialSig) { |
|
|
sigSegmentStart | 1 | uimsbf |
sigSegmentStop | 1 | uimsbf |
sigSegmentLengthMinus1 | 5 | uimsbf |
sigPartial | (sigSegmentLengthMinus1+1) * 8 | uimsbf |
} else { |
|
|
sigLengthMinus1 | 7 | uimsbf |
sigComplete | (sigLengthMinus1+1) * 8 | uimsbf |
} |
|
|
} |
|
|
} |
|
|
Table XYZ — Syntax of authUUID
Syntax | No. of bits | Mnemonic |
authUUID() |
|
|
{ |
|
|
uuidSegmentStart | 1 | uimsbf |
uuidSegmentStop | 1 | uimsbf |
uuidSegmentLengthMinus1 | 4 | uimsbf |
uuid | (uuidSegmentLengthMinus1+1)*8 | uimsbf |
} |
|
|
Table XYZ — Syntax of authTimestamp
Syntax | No. of bits | Mnemonic |
authTimestamp() |
|
|
{ |
|
|
authID | 8 | uimsbf |
authTimeType | 7 | uimsbf |
authTimeOffsetType | 1 | uimsbf |
switch (authTimeType ) { |
|
|
case authTimeLong: |
|
|
authTime = escapedValue(12,16,32); | 12, 28, 60 | uimsbf |
authTimeOffset | 12 | uimsbf |
break; |
|
|
case authTimeShort: |
|
|
authTimeS = escapedValue(4,8,8); | 4, 12, 20 | uimsbf |
authTimeOffsetS = escapedValue(4,8,8); | 4, 12, 20 | uimsbf |
break; |
|
|
case authTimeTAI: { /* acc. ISO/IEC 23001-17 */ |
|
|
TAI_timestamp; | 64 | uimsbf |
status_bits; | 8 | uimsbf |
break; |
|
|
default: |
|
|
break; |
|
|
} |
|
|
} |
|
|
7.19.2 Media Authentication Semantics
numAuthExtMinus1 | Plus 1 indicates the number of signalled authExtType elements. |
authSequence | Indicates the authentication sequence to which the related authentication information belongs to. |
authExtType | Indicates the type of authentication information signalled. |
authID | Shall be used to identify the combination of authHashType, authProvID and authKeyID to which the related authentication information belongs to. This may be used to enable authentication of one authentication sequence with different authentication configurations. |
authHashType | Indicates the hashing algorithm to be used according to Table XYZ. |
Table XYZ — Values and meaning of authHashType
authHashType Value | Hashing algorithm |
0 | SHA-1 |
1 | SHA-224 |
2 | SHA-256 |
3 | SHA-384 |
4 | SHA-512 |
All other values | /* reserved for ISO use */ |
authKeyID | Identifies the authentication key used to calculate the value of the signature in authExtSig() according to Table XYZ. The values of authKeyID are dependent on the authentication provider and are not defined in the present document. This value shall be set to 0 in case there is no key needed for the underlying hashing function. |
Table XYZ — Values and meaning of authKeyID
authKeyID Value | Key |
0 | No key |
All values | /* Authentication Provider key ID */ |
authProvID | Identifies the provider of the authentication system according to Table XYZ. In case authProvID equals to 1, there is no provider. This mode can be used to create a message digest only by using the method identified by authHashType. |
Table XYZ — Values and meaning of authProvID
authProvID Value | Authentication Provider URI |
0 | See authSourceURI. |
1 | Message Digest only |
2-… | /* Registration Authority */ |
authSourceURILengthMinus1 | Plus 1 indicates the length of the authSourceURI-field in bytes. |
authSourceURI | Contains a URI with syntax and semantics as defined in as defined in IETF RFC 3986. |
isAuthCRC | Indicates if an CRC-based authentication method is used. If set to 1, the used verification mechanism shall generate the signature (sigPartial or sigComplete) utilizing the data resulting from calculating a CRC as defined in 1.8.4.5 (CRC16) of ISO/IEC 14496-3, using the syntax elements according to 7.19.3.3 as input. |
authAddExtTypes | Indicates if authentication information for additional extension types is signalled. |
authAddExtInclusion | If set to 1, all extension types signalled in authAddExtType shall be included into the calculation of the authentication information, according to 7.19.3. If set to 0, all extension types signalled in authAddExtType shall be excluded from the calculation of the authentication information, according to 7.19.3. |
authAddExtTypeListLengthMinus1 | Plus 1 indicates the length of the list of authAddExtType. |
authAddExtConfigExt | Indicates if extension type indicated in authAddExtType is one of usacExtElementType as defined in Table 77 (if authAddExtConfigExt is equal to ‘0’) or usacConfigExtType as defined in Table 78 (if authAddExtConfigExt is equal to ‘1’). |
authAddExtType | Indicates the extension type to be included or excluded for the calculation of the authentication information. |
authPartialSig | If set to ‘1’, indicates that the signature is transmitted partially. |
authABREnable | Indicates the type of the adaptive bit rate (ABR) scheme and the respective number of signature values according to Table XYZ. In the case that authABREnable equals 1 (upDownABR), the order of encapsulation is as follows: signatures for the streams at the current bitrate, the bitrate one above, the bitrate one below. In the case that authABREnable equals 2 (upDownMinMaxABR), the order of encapsulation is as follows: signatures for the streams at the current bitrate, the bitrate one above, the bitrate one below, the maximum bitrate, the minimum bitrate. |
Table XYZ — Values and meaning of authABREnable
authABREnable Value | ABR Scheme |
0 | noABR |
1 | upDownABR |
2 | upDownMinMaxABR |
3 | /*reserved*/ |
authABRBitrateAtMinMax | Indicates whether the current bitrate fulfils one of the conditions according to Table XYZ, that are related to the minimum and maximum bitrates in the adaptation set. In either case, the number of signature values is reduced. |
Table XYZ — Values and meaning of authABRBitrateMinMax
authABRBitrateMinMax Value | ABR Bitrate Status |
0 | Default value |
1 | The current bitrate is equal to the maximum or minimum bitrate in the adaptation set |
2 | The current bitrate is one level below the maximum or one level above the minimum bitrate in the adaptation set |
3 | /*reserved*/ |
sigSegmentStart | Indicates that the following sigPartial is the first segment of a signature. |
sigSegmentStop | Indicates that the following sigPartial is the last segment of a signature. NOTE: If both sigSegmentStartand and sigSegmentStop are equal to ‘1’, sigPartial contains a signature which is complete, but shorter than a full signature resulting from the related hashing algorithm. |
sigSegmentLengthMinus1 | Plus 1 indicates the length of the sigPartial field. |
sigPartial | This field carries a segment of the signature resulting from the used verification mechanism. sigPartial shall be calculated in the same way as sigComplete. sigPartial may be created by truncating sigComplete. Note: Verification may happen comparing only a subset of the bits resulting from the hashing algorithm. |
sigLengthMinus1 | Plus 1 indicates the length of the sigComplete field in bytes. |
sigComplete | This field carries the signature resulting from the used verification mechanism. sigComplete shall be calculated by applying the hashing algorithm and configuration as signalled in the authExtConfig() syntax element. The input data to the hashing algorithm shall be created in alignment with 7.19.3.3. Note: Verification may happen comparing only a subset of the bits resulting from the hashing algorithm. |
uuidSegmentStart | If set to ‘1’, indicates if the bytes in the uuid field are the first bytes of a UUID-segment. |
uuidSegmentStop | If set to ‘1’, indicates if the bytes in the uuid field are the last bytes of a UUID-segment. Note: If both uuidSegmentStart and uuidSegmentStop are set to ‘1’ the uuid field contains the full UUID. |
uuidSegmentLengthMinus1 | Plus 1 indicates the length of the uuid-field in bytes. |
uuid | This field contains the UUID of the related (sub-)stream. It may be used to map the audio stream to other media types, such as a related video stream. |
authTimeType | Indicates the type of the time-signalling according to Table XYZ. |
Table XYZ — Values and meaning of authTimeType
authTimeType Value | Timing Scheme |
0 | authTimeLong |
1 | authTimeShort |
2 | authTimeTAI |
3-127 | /* reserved */ |
authTimeOffestType | Indicates the unit of authTimeOffset value. This shall be set to ‘0’ if the unit is milliseconds, and shall be set to ‘1’ for using the sampling rate configured for the underlying signal type as base time. |
authTime | Indicates the base time. This is counted in seconds and the count starts on January 1st, 2025 at 00.00.01 UTC. |
authTimeOffset | Indicates the time offset compared to the value indicated in authTime. The time shall be set in a way that authTime + authTimeOffset indicates the time when the first sample of following related UsacFrame() has been recorded. |
authTimeS | Indicates the base time elapsed in seconds since the last time update of type ‘authTimeLong’. |
authTimeOffsetS | Indicates the time offset compared to the value indicated in authTimeS. The time shall be set in a way that authTime + authTimeOffset + authTimeS + authTimeOffsetS indicates the time when the first sample of following related UsacFrame() has been recorded. |
TAI_timestamp | Indicates the TAI_timestamp according to ISO/IEC 23001-17. |
status_bits | Indicates the bits synchronization_state, timestamp_generation_failure, timestamp_is_modified and reserved according to ISO/IEC 23001-17. |
7.19.3 Media Authentication Interface
For applications which require media authentication, related data for verification of the authenticity of a bitstream and mapping to other media types shall be provided to the system by using the syntax element usac_GetAuthData().
7.19.3.1 Syntax
Table 2 — Syntax of usac_GetAuthData
Syntax | No. of bits | Mnemonic |
usac_GetAuthData() |
|
|
{ |
|
|
authExtConfig() |
|
|
authExtSig() |
|
|
authUUID() |
|
|
authTimestamp() |
|
|
gad_bytesLengthMinus1 | 64 | uimsbf |
gad_bytes | (gad_bytesLengthMinus1+1)*8 | uimsbf |
} |
|
|
7.19.3.2 Semantics
gad_bytesLengthMinus1 | Plus 1 indicates the length of the gad_bytes field. |
gad_bytes | Includes all bytes relevant for the creation of the authentication information according to the configuration described in authExtConfig(). |
7.19.3.3 Media Authentication Interface Processing
The decoder shall extract all data related to media authentication for every authentication sequence as indicated by authID and authSequence, and populate the respective fields in usac_GetAuthData().
authExtConfig() and authExtSig() for the related authentication sequence (as indicated by the respective authID and authSequence) shall be copied from the respective bitstream elements. authTimestamp() having the same authID as the current authentication sequences and authUUID() syntax elements shall always be copied from the latest occurrences in bitstream. The gad_bytes field shall be populated by concatenating all bytes of the UsacConfig() syntax element and UsacFrame() syntax elements starting from the UsacFrame() which includes the related authExtConfig() syntax element up until and including the UsacFrame() which contains the related authExtSig() syntax element in which either sigSegmentStop equals ‘1’ or authPartialSig equals ‘0’. The authExtConfig() syntax element of the respective authentication sequence shall be populated into gad_bytes. The authExtSig() syntax element of the respective authentication sequence shall not be populated into gad_bytes. If any of the UsacFrame() syntax elements related to the current authentication sequence contains authExtConfig() or authExtSig() syntax elements with the same authID as the current authentication sequence and a different authSequence value, they shall be populated into gad_bytes. authExtConfig() and authExtSig() syntax elements with a different authID than the current authentication sequence and authUUID() elements shall not be populated into gad_bytes.The following extension types indicated by usacExtElementType in Table 77 and usacConfigExtType in Table 78 shall be excluded by default and not be populated into gad_bytes:
— ID_EXT_ELE_FILL (usacExtElementType)
— ID_CONFIG_EXT_FILL (usacConfigExtType)
All other extension types shall be included and populated into gad_bytes, unless they are signalled to be excluded via authAddExtType and authAddExtInclusion equal to ‘0’. The extension types excluded by default may be signalled to be included using authAddExtInclusion equal to ‘1’ and setting the respective authAddExtType value.
In the case an extension type or syntax element is excluded, the respective bits of the corresponding UsacExtElement(), UsacConfigExtension() or syntax element shall be replaced with ‘0’s before population into gad_bytes.
The input data for the hashing algorithm shall be created by concatenating gad_bytes with the bytes contained in the uuid field, if existing.
