Securing JPEG2000 (J2K) - The Next Generation Image Compression Standard

Robert H. Deng, Yongdong Wu, Di Ma
Institute for Infocomm Research, Singapore


Background

• JPEG2000 (J2K) is an emerging standard for image compression
  – Achieves state-of-the-art low bit rate compression and has a rate-distortion advantage over the original JPEG.
  – Allows various sub-images to be extracted from a single compressed image codestream, the so-called “Compress Once, Decompress Many Ways”.
  – ISO/IEC JTC 29/WG1 Security Working Setup in 2002


“Compress Once, Decompress Many Ways”

[Figure: a single original codestream, decoded by resolutions, by layers, or by region of interest]


Outline

• Data Structure of J2K Image Codestreams

• The Authentication Scheme

• The Access Control Scheme

• Prototype Demo


Data Structure of J2K Image Codestreams


Components

• Each image is decomposed into one or more components, such as R, G, B.

• Denote components as Ci, i = 1, 2, …, nC.


Resolution & Resolution-Increments

• J2K uses 2-D Discrete Wavelet Transformation (DWT)

[Figure: 1-level DWT]


Resolution and Resolution-Increments

[Figure: 1-level DWT and 2-level DWT]


Resolution and Resolution-Increments

[Figure: 2-level DWT]

Resolution-increments: R0, R1, R2

Resolution 0 = R0

Resolution 1 = {R0, R1}

Resolution 2 = {R0, R1, R2}


Precincts

Each resolution level is further partitioned into rectangular regions known as Precincts, Pi, i = 1, 2, …, nP


Layers & Layer-Increments

[Figure: bit-planes divided into layer-increments, labelled L0, L1, L2 and LnL]

• J2K encodes quantized wavelet coefficients from the MSB bit-plane to the LSB bit-plane

• Bit-planes are truncated at some points. The data between two truncation points forms a quality layer-increment, Li, i = 1, 2, …, nL


Layers & Layer-Increments

[Figure: the image decoded from L0, from {L0, L1}, from {L0, L1, L2}, and from all layer-increments]


Packet (Cont.)


Packets & Progression Orders

• A J2K codestream can be viewed as a series of packets; they are the most fundamental building blocks of a codestream.

• A packet is uniquely identified by four parameters: C, R, P and L. All the packets in a codestream can be sorted with respect to these four parameters in certain orders, called Progression Orders.

• There are five Progression Orders: LRCP, RLCP, RPCL, CPRL and PCRL.


Progression Order

Packets in a codestream with progression order LRCP:

[Figure: packets ordered by Layer (0, 1), then Resolution (0, 1), then Component (0, 1), then Precinct (0, 1)]


J2K Authentication


Third-Party Publication

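“Sign Once, Verify Many Ways”

[Figure: the Owner (signing key) produces a single codestream + signature from the image source and passes it to the 3rd Party Publisher. The publisher serves Client1, Client2 and Client3; the deliveries are labelled "Signature + SIT1", "Signature" and "Signature + SIT3".]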


The Merkle Tree

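[Figure: Merkle tree over the data items n1, n2, n3, n4. The leaves are h(n1), h(n2), h(n3), h(n4); the internal nodes A and B carry the hashes ha and hb; the Root carries hr, which is signed: Sig(hr).]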


A Codestream Example

4 resolutions: R0, R1, R2, R3

2 layers: L0, L1

2 precincts: P0, P1


The Merkle Tree For the Example

[Figure: Merkle tree. The Root has children R0, R1, R2, R3; each resolution node has children L0 and L1; each layer node has children P0 and P1. The leaves are the packets y1 … y16. Two nodes are marked 1 and 2.]

User asks for resolution 1.

Publisher sends y1, …, y8, the signed root, and SIT = {1, 2}.
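The publish-and-verify flow for this example tree, as an added Python sketch that is not part of the original slides. SHA-256, the leaf/internal prefix bytes and the packet contents are assumptions; the owner's signature over the root is stood in for by a trusted root value, and the SIT is taken to be the hashes of the omitted resolution subtrees.

```python
import hashlib
import hmac

N_RES, N_LAY, N_PREC = 4, 2, 2   # the slide's example: 4 resolutions, 2 layers, 2 precincts
PER_RES = N_LAY * N_PREC         # packets under one resolution node

def leaf(packet: bytes) -> bytes:
    # 0x00 / 0x01 prefixes keep leaf and internal hashes distinct (added hardening)
    return hashlib.sha256(b"\x00" + packet).digest()

def node(children: list) -> bytes:
    return hashlib.sha256(b"\x01" + b"".join(children)).digest()

def split(packets: list) -> list:
    """Packets in R-L-P order -> one list per resolution-increment."""
    return [packets[i:i + PER_RES] for i in range(0, len(packets), PER_RES)]

def res_hash(packets: list) -> bytes:
    """Hash of one resolution subtree: R node -> L nodes -> precinct leaves."""
    layers = [node([leaf(p) for p in packets[i:i + N_PREC]])
              for i in range(0, len(packets), N_PREC)]
    return node(layers)

def root_hash(packets: list) -> bytes:
    return node([res_hash(g) for g in split(packets)])

def publish(packets: list, resolution: int):
    """Publisher: packets of R0..R_resolution plus SIT (hashes of omitted subtrees)."""
    groups = split(packets)
    sent = [p for g in groups[:resolution + 1] for p in g]
    sit = [res_hash(g) for g in groups[resolution + 1:]]
    return sent, sit

def verify(sent: list, sit: list, signed_root: bytes) -> bool:
    """Client: rebuild the root from the received packets and the SIT, then compare."""
    if len(sent) % PER_RES or len(sent) // PER_RES + len(sit) != N_RES:
        return False   # truncated or padded delivery cannot match the tree shape
    rebuilt = node([res_hash(g) for g in split(sent)] + sit)
    return hmac.compare_digest(rebuilt, signed_root)

# Constructed sample packets y1..y16; a real owner signs ROOT with its private key.
PACKETS = [f"constructed packet y{i}".encode() for i in range(1, 17)]
ROOT = root_hash(PACKETS)
```

A request for resolution 1 yields eight packets and a two-entry SIT, matching the slide; changing or dropping any delivered packet makes `verify` fail.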


The Optimized Merkle Tree

[Figure: optimized Merkle tree over the same nodes (Root; R0, R1, R2, R3; L0, L1; P0, P1) and leaves y1 … y16. One node is marked 1.]

User asks for resolution 1.

Publisher sends y1, …, y8, the signed root, and SIT = {1}.

In J2K, max resolutions 33, max layers 65535


J2K Access Control


The Super-Distribution Model

“Encrypt Once, Decrypt Many Ways”

[Figure: the Publisher distributes one encrypted codestream to Client1, Client2 and Client3; a Key Server is also shown]

Encrypt every packet with a different key? Too many keys are needed.


A Codestream Example

3 resolutions: R0, R1, R2

3 layers: L0, L1, L2

2 precincts: P0, P1


Security Classes in a Codestream

• Security Classes of Resolution-Increments
  – R2 > R1 > R0 (total ordering)

• Security Classes of Layer-Increments
  – L2 > L1 > L0 (total ordering)

• Security Classes of Precincts
  – P1 and P0 are incomparable (i.e., isolated classes)

• Combining these into one hierarchy gives a lattice that is a Directed Acyclic Graph, not a rooted tree!


Access Control Scheme 1

Master Key k

kR2 = h(k|R)      kL2 = h(k|L)      kP1 = h(k|P|1)
kR1 = h(kR2)      kL1 = h(kL2)
kR0 = h(kR1)      kL0 = h(kL1)      kP0 = h(k|P|0)

Packet key: krlp = h(kRr|kLl|kPp),   (1)
for r = 0, 1, 2; l = 0, 1, 2; p = 0, 1


Encryption & Decryption

• Encryption
  – Owner generates a master key and the packet keys for all the packets, uses the packet keys to encrypt the corresponding packets, and distributes the ciphertext to users.

• Decryption
  – To access a sub-image, the user requests intermediate keys from a server and derives the packet keys to decrypt the packets corresponding to the sub-image.


Collusion Attack

• User1 asks resolution 2, layer 0, gets kR2, kL0, kP0, kP1

• User2 asks resolution 0, layer 2, gets kR0, kL2, kP0, kP1

• User1 & User2 collude:
  – kR2, kR0 → kR2
  – kL0, kL2 → kL2
  – kP0 & kP1
  – Get resolution 2 & layer 2
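Scheme 1's key derivation and the collusion weakness on this slide, as an added Python example that is not from the original slides. It is written as the check a designer would run against a key-derivation scheme; SHA-256 with length-prefixed inputs stands in for h, and the master key and the names `grant`, `collude` and `collusion_gain` are constructed for illustration.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """h(a|b|...): SHA-256 over length-prefixed parts (hash choice is an assumption)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def chain(top_key: bytes, top: int) -> dict:
    """Walk a hash chain downwards: key[i-1] = h(key[i]) for classes top..0."""
    keys = {top: top_key}
    for i in range(top, 0, -1):
        keys[i - 1] = h(keys[i])
    return keys

def grant(master: bytes, r: int, l: int, n_res=3, n_lay=3, n_prec=2) -> dict:
    """Key server: intermediate keys for a user entitled to resolution r, layer l."""
    kR = chain(h(master, b"R"), n_res - 1)[r]
    kL = chain(h(master, b"L"), n_lay - 1)[l]
    kP = [h(master, b"P", str(p).encode()) for p in range(n_prec)]
    return {"r": r, "kR": kR, "l": l, "kL": kL, "kP": kP}

def packet_keys(g: dict) -> dict:
    """Client: every packet key k_rlp = h(kR_r|kL_l|kP_p) derivable from a grant."""
    kR, kL = chain(g["kR"], g["r"]), chain(g["kL"], g["l"])
    return {(r, l, p): h(kR[r], kL[l], kp)
            for r in kR for l in kL for p, kp in enumerate(g["kP"])}

def collude(g1: dict, g2: dict) -> dict:
    """Pool two grants: keep the higher key of each chain, as on the slide."""
    top_r = max(g1, g2, key=lambda g: g["r"])
    top_l = max(g1, g2, key=lambda g: g["l"])
    return {"r": top_r["r"], "kR": top_r["kR"],
            "l": top_l["l"], "kL": top_l["kL"], "kP": g1["kP"]}

def collusion_gain(g1: dict, g2: dict) -> set:
    """Packets the pooled grants unlock that neither grant covers alone."""
    pooled = set(packet_keys(collude(g1, g2)))
    return pooled - set(packet_keys(g1)) - set(packet_keys(g2))

MASTER = b"constructed-demo-master-key"    # constructed sample value
owner = packet_keys(grant(MASTER, 2, 2))   # owner's view: all 18 packet keys
user1 = grant(MASTER, 2, 0)                # resolution 2, layer 0
user2 = grant(MASTER, 0, 2)                # resolution 0, layer 2
pooled = packet_keys(collude(user1, user2))
```

A sound scheme would give an empty `collusion_gain` for every pair of grants; here the two users together recover every packet key the owner holds.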


Access Control Scheme 2

• Assuming the preferred progression order is RLP

Root (master key)
  R2 (k2)
    L2 (k22): P0 (k220), P1 (k221)
    L1 (k21): P0 (k210), P1 (k211)
    L0 (k20): P0 (k200), P1 (k201)
  R1 (k1)
    L2 (k12): P0 (k120), P1 (k121)
    L1 (k11): P0 (k110), P1 (k111)
    L0 (k10): P0 (k100), P1 (k101)
  R0 (k0)
    L2 (k02): P0 (k020), P1 (k021)
    L1 (k01): P0 (k010), P1 (k011)
    L0 (k00): P0 (k000), P1 (k001)


Conclusions

• J2K codestream: “compress once, decompress many ways”

• Authentication scheme: “Sign once, Verify many ways” (has been incorporated in the standard document)

• Access Control scheme: “Encrypt once, Decrypt many ways” (under evaluation)