Securing JPEG2000 J2K The Next Generation Image Compression Standard

1
Securing JPEG2000 (J2K)- The Next Generation
Image Compression Standard
Robert H. Deng, Yongdong Wu, Di Ma Institute for
Infocomm Research Singapore
2
Background

• JPEG2000 (J2K) is an emerging standard for image
  compression
• Achieves state-of-the-art low bit rate
  compression and has a rate distortion advantage
  over the original JPEG.
• Allows to extract various sub-images from a
  single compressed image codestream, the so called
  Compress Once, Decompress Many Ways.
• ISO/IEC JTC 29/WG1 Security Working Setup in 2002

3
Compress Once, Decompress Many Ways
A Single Original Codestream
4
Outline

• Data Structure of J2K Image Codestreams
• The Authentication Scheme
• The Access Control Scheme
• Prototype Demo

5
Data Structure of J2K Image Codestreams
6
Components

• Each image is decomposed into one or more
  components, such as R, G, B.
• Denote components as Ci, i 1, 2, , nC.

7
Resolution Resolution-Increments

• J2K uses 2-D Discrete Wavelet
• Transformation (DWT)

1-level DWT
8
Resolution and Resolution-Increments
1-level DWT
2-level DWT
9
Resolution and Resolution-Increments
2-level DWT
Resolution 1 R0, R1
Resolution 0 R0
Resolution 2 R0, R1, R2
Resolution-increments
R0
R1
R2
10
Precincts
Each resolution level is further partitioned into
rectangular regions known as Precincts, Pi, i
1, 2, , nP
11
Layers Layer-Increments

• J2K encodes quantized wavelet coeffieicnts from
  MSB bit-plane to LSB Bit-plane
• Bit-planes are truncated some points. Data
  between two truncation points form a quality
• layer-increment,
• Li, i 1, 2, , nL

LnL
L2
L1
L0
12
Layers Layer-Increments
L0, L1
L0, L1, L2
L0
All layer- increments
13
Packet (Cont.)
14
Packets Progression Orders

• A J2K codestream can be viewed as a set of series
  of packets they are the most fundamental
  building blocks of a codestream.
• A packet is uniquely identified by four
  parameters C, R, P and L, all the packets in a
  codestream can be sorted with respect to these
  four parameters in some orders, called
  Progression Orders.
• There are five Progression Orders which are LRCP,
  RLCP, RPCL, CPRL and PCRL respectively.

15
Progression Order
Packets in a codestream with progression order
LRCP
16
J2K Authentication
17
Third-Party Publication
Owner
Client1
Image Source
Signature SIT1
(Signing key)
Client2
Signature
A single codestream
signature
Signature SIT3
Client3
3rd Party Publisher
Sign Once, Verify Many Ways
18
The Merkle Tree
Sig(hr)
Root
hr
hb
ha
A
B
h(n4)
h(n1)
h(n2)
h(n3)
n1 n2 n3 n4
19
A Codestream Example
4 resolutions R0, R1, R2, R3 2 layers L0, L1
2 precincts P0, P1
20
The Merkle Tree For the Example
Root
2
1
R3
R1
R2
L0
L0
L1
L1
L0
L1
P0
P1
P0
P1
P1
P0
P1
P0
P1
P0
P0
P1
y1 y2 y3 y4 y5 y6 y7 y8 y9
y10 y11 y12 y13 y14 y15 y16
User asks for resolution 1, Publisher sends y1,
, y8, signed root,

SIT
2
1
21
Authentication Verification

• Authentication
• Owner constructs a Merkle tree of a codestream
  and signs the root value. Passes data to a
  publisher
• Upon request of a user, publisher sends packets
  of requested sub-image, signature and SIT.
• Verification
• The user re-computes the root value, and verifies
  it based on the signature.

22
Resolution and Resolution-Increments
2-level DWT
Resolution 1 R0, R1
Resolution 0 R0
Resolution 2 R0, R1, R2
Resolution-increments
R0
R1
R2
23
Layers Layer-Increments
L0, L1
L0, L1, L2
L0
All layer- increments
24
The Optimized Merkle Tree
Root
R0
R1
R2
1
R3
y1 y2 y3 y4 y5 y6 y7 y8 y9
y10 y11 y12 y13 y14 y15 y16
User asks for resolution 1, Publisher sends y1,
, y8, signed root, SIT
1
In J2K, max resolutions 33, max layers 65535
25
J2K Access Control
26
The Super-Distribution Model
Key Server
Publisher Encrypted Codestream
Client1
Client2
Client3
Encrypt Once, Decrypt Many Ways
Encrypt every packet will a different key? Too
many keys are needed.
27
A Codestream Example
3 resolutions R0, R1, R2, 3 layers L0, L1,
L2 2 precincts P0, P1
28
Security Classes in a Codestream

• Security Classes of Resolution-Increments
• R2 gt R1 gt R0 (total ordering)
• Security Classes of Layer-Increments
• L2 gt L1 gtL0 (total ordering)
• Security Classes of Precincts
• P1 and P0 are incomparable (i.e., isolated
  classes)
• Form combined hierarchy, the resulting lattice is
  a Directed Acyclic Graph, not a rooted tree!

29
Access Control Scheme 1
Master Key K
kR2h(kR)
kL2h(kL)
kL1h(kL2)
kR1h(kR2)
kL0h(kL1)
kP0h(kP0)
kP1h(kP1)
kR0h(kR1)
Packet key krlp h(kRrkLlkPp),
(1) for r 0, 1, 2 l 0,
1, 2, p 0, 1
30
Encryption Decryption

• Encryption
• Owner generates a master key, and the packet keys
  for all the packets. Uses packet keys to
  encryption the corresponding packets. Distributes
  ciphertext to users.
• Decryption
• To access a sub-image, user requests intermediate
  keys from a server, derives packet keys to
  decrypt packets corresponding to the sub-image.

31

• User1 asks resolution 2, layer 0, gets kR2, kL0,
  kP0, kP1

• User2 asks resolution 0, layer 2, gets kR0, kL2,
  kP0, kP1

32
Access Control Scheme 2

• Assuming the preferred progression order is RLP

Root (master key)
L0 (k20)
L2 (k22)
L1 (k21)
R2 (k2)
P0 (k220)
P1 (k221)
P0 (k210)
P0 (k200)
P1 (k201)
P1 (k211)
L0 (k10)
L2 (k12)
L1 (k11)
R1 (k1)
P1 (k101)
P0 (k120)
P1 (k121)
P0 (k110)
P1 (k111)
P0 (k100)
P0
L0 (k00)
L2 (k02)
L1 (k01)
R0 (k0)
P0 (k020)
P1 (k001)
P1 (k021)
P0 (k010)
P1 (k011)
P0 (k000)
33
Conclusions

• J2K codestream compress once, decompress many
  ways
• Authentication scheme Sign once, Verify many
  ways (has been incorporated in the standard
  document)
• Access Control scheme Encrypt once, Decrypt
  many ways (under evaluation)

34
Thank you!