Securing JPEG2000 (J2K) - The Next Generation Image Compression Standard Robert H. Deng, Yongdong Wu, Di Ma Institute for Infocomm Research Singapore.


Background
JPEG2000 (J2K) is an emerging standard for image compression
–Achieves state-of-the-art low bit rate compression and has a rate-distortion advantage over the original JPEG.
–Allows various sub-images to be extracted from a single compressed image codestream, the so-called “Compress Once, Decompress Many Ways”.
–ISO/IEC JTC 29/WG1 Security Working Setup in 2002

“Compress Once, Decompress Many Ways”
[Figure: a single original codestream decoded by resolutions, by layers, and by region of interest]

Outline
–Data Structure of J2K Image Codestreams
–The Authentication Scheme
–The Access Control Scheme
–Prototype Demo

Data Structure of J2K Image Codestreams

Components
Each image is decomposed into one or more components, such as R, G, B. Denote components as $C_i$, $i = 1, 2, \dots, n_C$.

Resolution & Resolution-Increments
J2K uses 2-D Discrete Wavelet Transformation (DWT)
[Figure: 1-level DWT]

Resolution and Resolution-Increments
[Figure: 1-level DWT and 2-level DWT]

Resolution and Resolution-Increments
[Figure: 2-level DWT]
Resolution-increments: $R_0$, $R_1$, $R_2$
Resolution 0 = $R_0$
Resolution 1 = $\{R_0, R_1\}$
Resolution 2 = $\{R_0, R_1, R_2\}$

Precincts
Each resolution level is further partitioned into rectangular regions known as Precincts, $P_i$, $i = 1, 2, \dots, n_P$

Layers & Layer-Increments
J2K encodes quantized wavelet coefficients from the MSB bit-plane to the LSB bit-plane.
Bit-planes are truncated at some points. Data between two truncation points form a quality layer-increment, $L_i$, $i = 1, 2, \dots, n_L$
[Figure: layer-increments $L_0$, $L_1$, $L_2$, …, $L_{n_L}$]

Layers & Layer-Increments
[Figure: layers $L_0$; $\{L_0, L_1\}$; $\{L_0, L_1, L_2\}$; all layer-increments]

Packet (Cont.)

Packets & Progression Orders
A J2K codestream can be viewed as a series of packets; they are the most fundamental building blocks of a codestream.
A packet is uniquely identified by four parameters C, R, P and L. All the packets in a codestream can be sorted with respect to these four parameters in some order, called a Progression Order.
There are five Progression Orders: LRCP, RLCP, RPCL, CPRL and PCRL.

Progression Order Packets in a codestream with progression order LRCP:

J2K Authentication

Third-Party Publication
“Sign Once, Verify Many Ways”
[Figure: the Owner (image source, signing key) passes a single codestream + signature to a 3rd Party Publisher; Client1, Client2 and Client3 receive their data from the publisher with the signature and, for sub-images, an SIT (SIT1, SIT3)]

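The Merkle Tree
[Figure: leaves $n_1$, $n_2$, $n_3$, $n_4$ with hashes $h(n_1)$, $h(n_2)$, $h(n_3)$, $h(n_4)$; internal nodes A and B with hashes $h_a$ and $h_b$; Root with hash $h_r$; signature $\mathrm{Sig}(h_r)$]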

A Codestream Example
–4 resolutions: $R_0$, $R_1$, $R_2$, $R_3$
–2 layers: $L_0$, $L_1$
–2 precincts: $P_0$, $P_1$

The Merkle Tree For the Example
[Figure: Root with one subtree per resolution $R_0$, $R_1$, $R_2$, $R_3$; each resolution has layer nodes $L_0$, $L_1$; each layer has precinct nodes $P_0$, $P_1$; the packets $y_1, y_2, \dots$ are the leaves]
User asks for resolution 1, Publisher sends $y_1, \dots, y_8$, signed root, SIT = { }

Authentication & Verification
Authentication
–Owner constructs a Merkle tree of a codestream and signs the root value. Passes data to a publisher.
–Upon request of a user, publisher sends packets of requested sub-image, signature and SIT.
Verification
–The user re-computes the root value, and verifies it based on the signature.
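The authentication and verification steps above, worked through for the example codestream (4 resolutions, 2 layers, 2 precincts). This is an added example, not code from the original slides. SHA-256, the node encoding, the R → L → P tree layout and all function names are assumptions; the owner's signature over the root is not shown, so the user compares against the root value directly.

```python
import hashlib
from itertools import product

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (hash choice is an assumption)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

N_R, N_L, N_P = 4, 2, 2   # example codestream: 4 resolutions, 2 layers, 2 precincts

def layer_node(pk, r, l):
    """Hash of one layer node: covers the packets of its precincts."""
    return h(b"L", *(h(b"pkt", pk[(r, l, p)]) for p in range(N_P)))

def resolution_node(pk, r):
    """Hash of one resolution subtree: covers its layer nodes."""
    return h(b"R", *(layer_node(pk, r, l) for l in range(N_L)))

def root_of(pk):
    """Owner side: root over the full codestream (the value that gets signed)."""
    return h(b"root", *(resolution_node(pk, r) for r in range(N_R)))

def publish(pk, max_r):
    """Publisher side: packets of resolutions 0..max_r plus the SIT, here the
    hashes of the resolution subtrees that are not sent."""
    sub = {k: v for k, v in pk.items() if k[0] <= max_r}
    sit = [resolution_node(pk, r) for r in range(max_r + 1, N_R)]
    return sub, sit

def verify(sub, sit, max_r, signed_root):
    """User side: rebuild the root from the received packets and the SIT."""
    nodes = [resolution_node(sub, r) for r in range(max_r + 1)] + sit
    return h(b"root", *nodes) == signed_root

# Constructed sample packets y1..y16, keyed by (resolution, layer, precinct).
packets = {rlp: b"packet-%d" % i for i, rlp in
           enumerate(product(range(N_R), range(N_L), range(N_P)), start=1)}
signed_root = root_of(packets)          # signature over this value not shown
sub, sit = publish(packets, max_r=1)    # user asks for resolution 1
print(len(sub), len(sit), verify(sub, sit, 1, signed_root))
```

Changing any received packet, or swapping the SIT entries, changes the recomputed root and the check fails.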

Resolution and Resolution-Increments
[Figure: 2-level DWT]
Resolution-increments: $R_0$, $R_1$, $R_2$
Resolution 0 = $R_0$
Resolution 1 = $\{R_0, R_1\}$
Resolution 2 = $\{R_0, R_1, R_2\}$

Layers & Layer-Increments
[Figure: layers $L_0$; $\{L_0, L_1\}$; $\{L_0, L_1, L_2\}$; all layer-increments]

The Optimized Merkle Tree
[Figure: optimized tree over the nodes Root, $R_0$, $R_1$, $R_2$, $R_3$, with $P_0$, $P_1$ and $L_0$, $L_1$ nodes above the leaves $y_1, \dots, y_{16}$]
User asks for resolution 1, Publisher sends $y_1, \dots, y_8$, signed root, SIT = { }
In J2K, max resolutions 33, max layers 65535

J2K Access Control

The Super-Distribution Model
“Encrypt Once, Decrypt Many Ways”
[Figure: Publisher distributes one encrypted codestream to Client1, Client2 and Client3; clients obtain keys from a Key Server]
Encrypt every packet with a different key? Too many keys are needed.

A Codestream Example
–3 resolutions: $R_0$, $R_1$, $R_2$
–3 layers: $L_0$, $L_1$, $L_2$
–2 precincts: $P_0$, $P_1$

Security Classes in a Codestream
Security Classes of Resolution-Increments
–$R_2 > R_1 > R_0$ (total ordering)
Security Classes of Layer-Increments
–$L_2 > L_1 > L_0$ (total ordering)
Security Classes of Precincts
–$P_1$ and $P_0$ are incomparable (i.e., isolated classes)
When these are combined into one hierarchy, the resulting lattice is a Directed Acyclic Graph, not a rooted tree!

Access Control Scheme 1
Master Key K
$k_{R2} = h(k|R)$, $k_{R1} = h(k_{R2})$, $k_{R0} = h(k_{R1})$
$k_{L2} = h(k|L)$, $k_{L1} = h(k_{L2})$, $k_{L0} = h(k_{L1})$
$k_{P1} = h(k|P|1)$, $k_{P0} = h(k|P|0)$
Packet key: $k_{rlp} = h(k_{Rr}|k_{Ll}|k_{Pp})$, (1)
for $r = 0, 1, 2$; $l = 0, 1, 2$; $p = 0, 1$

Encryption & Decryption
Encryption
–Owner generates a master key, and the packet keys for all the packets. Uses packet keys to encrypt the corresponding packets. Distributes ciphertext to users.
Decryption
–To access a sub-image, user requests intermediate keys from a server, derives packet keys to decrypt packets corresponding to the sub-image.

Collusion Attack
User1 asks resolution 2, layer 0, gets $k_{R2}$, $k_{L0}$, $k_{P0}$, $k_{P1}$
User2 asks resolution 0, layer 2, gets $k_{R0}$, $k_{L2}$, $k_{P0}$, $k_{P1}$
User1 & User2 collude:
–$k_{R2}$, $k_{R0}$ → $k_{R2}$
–$k_{L0}$, $k_{L2}$ → $k_{L2}$
–$k_{P0}$ & $k_{P1}$
Get resolution 2 & layer 2

Access Control Scheme 2
Assuming the preferred progression order is RLP
[Figure: key tree with Root (master key); resolution nodes $R_0$ ($k_0$), $R_1$ ($k_1$), $R_2$ ($k_2$); under each resolution $r$, layer nodes $L_0$ ($k_{r0}$), $L_1$ ($k_{r1}$), $L_2$ ($k_{r2}$); under each layer $l$, precinct leaves $P_0$ ($k_{rl0}$), $P_1$ ($k_{rl1}$), from $k_{000}$ to $k_{221}$]
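The key derivation of Scheme 1, the collusion case and the Scheme 2 key tree, compared side by side for the 3-resolution, 3-layer, 2-precinct example. This is an added example, not code from the original slides. SHA-256, the byte encoding and all function names are assumptions, and the Scheme 2 child-key rule (child key = h(parent key | index)) is an assumed derivation, since the slide shows only the tree.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """h(a|b|...) as SHA-256 over length-prefixed parts (assumed encoding)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def chain(key: bytes, n: int) -> bytes:
    """Walk n steps down a hash chain, e.g. k_R2 -> k_R1 -> k_R0."""
    for _ in range(n):
        key = h(key)
    return key

def scheme1(kR, r_top, kL, l_top, kP):
    """Scheme 1: packet keys k_rlp = h(k_Rr|k_Ll|k_Pp) derivable from
    k_R{r_top}, k_L{l_top} and the precinct keys kP = {p: k_Pp}."""
    return {(r, l, p): h(chain(kR, r_top - r), chain(kL, l_top - l), kP[p])
            for r in range(r_top + 1) for l in range(l_top + 1) for p in kP}

def scheme2(granted):
    """Scheme 2: packet keys reachable from granted tree-node keys
    {path: key}; child key = h(parent key | index) is an assumed derivation."""
    out, todo = {}, list(granted.items())
    while todo:
        path, key = todo.pop()
        if len(path) == 3:
            out[path] = key
        else:
            fan = 3 if len(path) < 2 else 2   # 3 resolutions/layers, 2 precincts
            todo += [(path + (i,), h(key, bytes([i]))) for i in range(fan)]
    return out

K = b"constructed master key"              # sample value, not from the slides
kR2, kL2 = h(K, b"R"), h(K, b"L")
kP = {0: h(K, b"P", b"0"), 1: h(K, b"P", b"1")}
owner1 = scheme1(kR2, 2, kL2, 2, kP)       # all 18 packet keys

# Scheme 1: User1 (resolution 2, layer 0) and User2 (resolution 0, layer 2).
user1 = scheme1(kR2, 2, chain(kL2, 2), 0, kP)
user2 = scheme1(chain(kR2, 2), 0, kL2, 2, kP)
pooled1 = scheme1(kR2, 2, kL2, 2, kP)      # User1's k_R2 with User2's k_L2

# Scheme 2, RLP order: the same two requests expressed as tree-node grants.
owner2 = scheme2({(): K})
g1 = {(r, 0): h(h(K, bytes([r])), bytes([0])) for r in range(3)}  # k_00, k_10, k_20
g2 = {(0,): h(K, bytes([0]))}                                      # k_0
pooled2 = scheme2({**g1, **g2})
print(len(set(user1) | set(user2)), len(pooled1), len(pooled2))
```

Under Scheme 1 the pooled keys cover all 18 packets although the two users were entitled to 10 between them; under the key tree the pooled grants cover exactly those 10.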

Conclusions
–J2K codestream: “Compress once, Decompress many ways”
–Authentication scheme: “Sign once, Verify many ways” (has been incorporated in the standard document)
–Access Control scheme: “Encrypt once, Decrypt many ways” (under evaluation)

Thank you!