Securing JPEG2000 (J2K)- The Next Generation Image Compression
Standard
Robert H. Deng, Yongdong Wu, Di MaInstitute for Infocomm Research
Singapore
• JPEG2000 (J2K) is an emerging standard for image compression– Achieves state-of-the-art low bit rate compression
and has a rate distortion advantage over the original JPEG.
– Allows to extract various sub-images from a single compressed image codestream, the so called “Compress Once, Decompress Many Ways”.
– ISO/IEC JTC 29/WG1 Security Working Setup in 2002
Background
“Compress Once, Decompress Many Ways”
A Single Original Codestream
By resolutions By layers Region of Interest
Outline
• Data Structure of J2K Image Codestreams
• The Authentication Scheme
• The Access Control Scheme
• Prototype Demo
Data Structure of J2K Image Codestreams
Components
• Each image is decomposed into one or more components, such as R, G, B.
• Denote components as Ci, i = 1, 2, …, nC.
Resolution & Resolution-Increments
1-level DWT
•J2K uses 2-D Discrete Wavelet Transformation (DWT)
Resolution and Resolution-Increments
2-level DWT
1-level DWT
Resolution and Resolution-Increments
2-level DWT
Resolution-increments:
R0
R1
R2
Resolution 0 = R0
Resolution 1 = {R0, R1}
Resolution 2 = {R0, R1, R2}
Precincts
Each resolution level is further partitioned into rectangular regions known as Precincts,Pi, i = 1, 2, …, nP
Layers & Layer-Increments
L0
L2
LnL
…
L1
• J2K encodes quantized wavelet coeffieicnts from MSB bit-plane to LSB Bit-plane
• Bit-planes are truncated some points. Data between two truncation points form a qualitylayer-increment, Li, i = 1, 2, …, nL
Layers & Layer-Increments
L0 {L0, L1} {L0, L1, L2}
All layer-increments
Packet (Cont.)
Packets & Progression Orders
• A J2K codestream can be viewed as a set of series of packets; they are the most fundamental building blocks of a codestream.
• A packet is uniquely identified by four parameters C, R, P and L, all the packets in a codestream can be sorted with respect to these four parameters in some orders, called Progression Orders.
• There are five Progression Orders which are LRCP, RLCP, RPCL, CPRL and PCRL respectively.
Progression Order
Resol uti on 0
Component 0
Preci nct 0 Preci nct 1
Resol uti on 1
Layer 0
Preci nct 0 Preci nct 1
Component 1 Component 0 Component 1
Resol uti on 0
Component 0
Preci nct 0 Preci nct 1
Resol uti on 1
Layer 1
Preci nct 0 Preci nct 1
Component 1 Component 0 Component 1
Packets in a codestream with progression order LRCP:
J2K Authentication
Third-Party Publication
Image Source
A single codestream
Client1
Client2
Client3
Owner
3rd PartyPublisher
(Signing key)
+ signature
Signature +& SIT1
Signature
Signature +& SIT3
“Sign Once, Verify Many Ways”
The Merkle Tree
Root
A B
h(n1) h(n2) h(n3) h(n4)
hahb
hr
n1 n2 n3 n4
Sig(hr)
A Codestream Example
4 resolutions:R0, R1, R2, R3
2 layers:L0, L1
2 precincts:P0, P1
The Merkle Tree For the Example Root
R3
L0
R0
P0
L1
P1 P0 P1
L0
P0
L1
P1 P0 P1
L0
R2
P0
L1
P1 P0 P1
L0
R1
P0
L1
P1 P0 P1
y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16
12
User asks for resolution 1,
Publisher sends y1, …, y8, signed root, 1 2SIT= { }
Resolution and Resolution-Increments
2-level DWT
Resolution-increments:
R0
R1
R2
Resolution 0 = R0
Resolution 1 = {R0, R1}
Resolution 2 = {R0, R1, R2}
Layers & Layer-Increments
L0 {L0, L1} {L0, L1, L2}
All layer-increments
The Optimized Merkle Tree
R0 R1
P0 P1 P0 P1
L0 L1
P0 P1 P0 P1
L0 L1
P0 P1 P0 P1
L0 L1
P0 P1 P0 P1
L0 L1
R3R2
Root
1
y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16
User asks for resolution 1,
Publisher sends y1, …, y8, signed root, SIT={ } 1
In J2K, max resolutions 33, max layers 65535
J2K Access Control
The Super-Distribution Model
Publisher Encrypted Codestream
Client1 Client2 Client3
Key Server
Encrypt every packet will a different key? Too many keys are needed.
“Encrypt Once, Decrypt Many Ways”
A Codestream Example
3 resolutions:R0, R1, R2,
3 layers:L0, L1, L2
2 precincts:P0, P1
Security Classes in a Codestream
• Security Classes of Resolution-Increments– R2 > R1 > R0 (total ordering)
• Security Classes of Layer-Increments– L2 > L1 >L0 (total ordering)
• Security Classes of Precincts– P1 and P0 are incomparable (i.e., isolated classes)
• Form combined hierarchy, the resulting lattice is a Directed Acyclic Graph, not a rooted tree!
Access Control Scheme 1
Master Key K
kR2=h(k|R) kL2=h(k|L)
kP1=h(k|P|1)
kR1=h(kR2) kL1=h(kL2)
kR0=h(kR1) kL0=h(kL1) kP0=h(k|P|0)
Packet key: krlp =h(kRr|kLl|kPp), (1) for r = 0, 1, 2; l =0, 1, 2, p = 0, 1
Encryption & Decryption
• Encryption– Owner generates a master key, and the packet keys
for all the packets. Uses packet keys to encryption the corresponding packets. Distributes ciphertext to users.
• Decryption– To access a sub-image, user requests intermediate
keys from a server, derives packet keys to decrypt packets corresponding to the sub-image.
• User1 asks resolution 2, layer 0, gets kR2, kL0, kP0, kP1
• User2 asks resolution 0, layer 2, gets kR0, kL2, kP0, kP1
• User1 & User2 collude, kR2, kR0 kR2
kL0, kL2 kL2
kP0 & kP1
Get resolution 2 & layer 2
Collusion Attack
Access Control Scheme 2
• Assuming the preferred progression order is RLP
P0 (k220)
L2 (k22)R2 (k2)
R1 (k1)
R0 (k0)
Root (master key)
P
0
P1 (k221) P0 (k210) P1 (k211)
L1 (k21) L0 (k20)
P0 (k200) P1 (k201)
P0 (k120)
L2 (k12)
P1 (k121) P0 (k110) P1 (k111)
L1 (k11) L0 (k10)
P0 (k100) P1 (k101)
P0 (k020)
L2 (k02)
P1 (k021) P0 (k010) P1 (k011)
L1 (k01) L0 (k00)
P0 (k000) P1 (k001)
Conclusions
• J2K codestream: “compress once, decompress many ways”
• Authentication scheme: “Sign once, Verify many ways” (has been incorporated in the standard document)
• Access Control scheme: “Encrypt once, Decrypt many ways” (under evaluation)