In this paper, we focus on an Encryption-then-Compression. (ETC) system with the assumption of the JPEG standard, although the traditional way of securely ...
AN ENCRYPTION-THEN-COMPRESSION SYSTEM FOR JPEG STANDARD Kenta KURIHARA∗ , Sayaka SHIOTA∗ and Hitoshi KIYA∗ ∗ Tokyo
Metropolitan University, Hino, Tokyo, 191–0065, Japan
Abstract—In many multimedia applications, image encryption has to be conducted prior to image compression. This paper proposes an Encryption-then-Compression system using a JPEGfriendly perceptual encryption method, which enables to be conducted prior to JPEG compression. The proposed encryption method can provides approximately the same compression performance as that of JPEG compression without any encryption, where both gray scale images and color ones are considered. It is also shown that the proposed system consists of four block-based encryption steps, and provide a reasonably high level of security. Most of conventional perceptual encryption methods have not been designed for international compression standards, but this paper focuses on applying the JPEG standard, as one of the most widely used image compression standards.
I. I NTRODUCTION With the wide/rapid spread of distributed systems for information processing, such as cloud computing and social networks, not only transmission but also processing is done on the public internet, and thus contents are transmitted over an insecure , bandwidth-constrained communication channel [1,2]. In the meantime, a lot of studies on secure, efficient and flexible communications have been reported. For securing multimedia data, full encryption with a state-of-the-art cipher (like RSA, AES, etc) is the most secure option. However, many multimedia applications have been seeking a trade-off in security to enable other requirements, e.g., low processing demands, retaining bitstream compliance, and signal processing in the encrypted domain, so a lot of perceptual encryptions have been studied as one of schemes for achieving the tradeoff [3-7]. In this paper, we focus on an Encryption-then-Compression (ETC) system with the assumption of the JPEG standard, although the traditional way of securely transmission is to use a Compression-then-Encryption system. That is, the JPEG compression of perceptually encrypted images is addressed. Recently, the JPEG committee has started to standardize a new work item, referred to as JPEG Privacy, in which secure transmission between network servers in cloud computing and social networks is supposed as one of the technical requirements of the JPEG Privacy [8,9]. However, most of the conventional works for ETC systems have no compatibility with the international standards, e.g., JPEG, JPEG 2000, etc [10-16]. Also, a number of perceptual encryption schemes have been studied for the international standards, but they do not correspond to ETC systems [1722], except for the article [23]. Because of such situations, a new ETC system is proposed under the assumption of the
978-1-4799-7783-3/15/$31.00 ©2015 IEEE
JPEG standard. In the proposed encryption system, an image is first divided into non-overlap blocks as well as in the JPEG standard, and then each block is encrypted by four blockbased steps, which enable to control a visibility condition including color alteration and a level of security. Moreover, the proposed algorithm has approximately the same compression performance as that of the JPEG compression without any encryption, in addition to the compatibility with the JPEG standard. II. P REPARATION A. Perceptual encryption and ETC system Perceptual image encryption is a processing technique which makes an image difficult to recognize visually. Number theory-based encryption methods, such as RSA, DES or AES are the most secure options. However, in the area of multimedia, many applications have sought a trade-off in security to enable other requirements, including low processing demands, retaining bitstream compliance, and signal processing in the encryption domain, such as compression, watermarking, searching, and so on. In this paper, we focus on image compression systems in the encrypted domain, namely ETC systems, as illustrated in Fig.1, in which a content owner Alice wants to securely and efficiently transmit an Image I to a recipient Bob, via an untrusted channel provider Charlie. In particular, the use of the JPEG standard is supposed as a compression method. B. JPEG compression The JPEG standard [24] is the most wildly used image compression standard. The JPEG encoding of a gray scale image consists of four basic steps: 1) Dividing an image into non-overlapped consecutive 8×8 blocks. 2) Applying 2-D DCT to each block. 3) Block-based quantizing. 4) Entropy coding using Huffman coding. On the other hand, in the JPEG compression of a color image, two processing steps are added before 1): a) Performing a color space transformation from RGB to YCbCr. b) Sub-sampling the Cb and Cr components to reduce the spatial resolutions. There are three sub-sampling ratios in the JPEG standard, referred to as [4:2:0](reduction by a factor of 2 in both the
119
PCS 2015
Fig. 1.
Encryption-then-Compression system
Fig. 3.
(a) Block division Fig. 2.
Four block-based steps for encryption
(b) Block scrambling (a) Block rotation
Block division and block scrambling
Fig. 4.
(b) Block inversion
Block rotation and inversion
horizontal and vertical directions), [4:2:2] (reduction by a factor of 2 in the horizontal direction), and [4:4:4] (no sub- Step6: Generate the encrypted image by integrating the transformed block images. sampling) respectively. By performing the steps 1) to 4) to the brightness component Y and the sub-sampled chroma These steps will be described below in more detail. components Cb and Cr independently , the JPEG bitstream of a color image is generated. A.1 Block scrambling III. PROPOSED METHOD We investigate a block-based encryption scheme, in which an image with N × M pixels is divided into non-overlapped consecutive blocks with Bx × By pixels as shown in Fig.2(a). The proposed system consists of four block-based steps as illustrated in Fig.3, so that it has a high relationship with the JPEG standard. A. Block-Based Perceptual Encryption The procedure of performing the proposed image encryption is given as follows: Step1: Divide each color component of a color image I = {IR , IG , IB } into Bx × By blocks respectively. The ith block image is defined as I(i) = {IR (i), IG (i), IB (i)} where i = 1, 2, · · · is a block number. Step2: Permute randomly the divided blocks using a random integer generated by a secret key K1 (see Fig.3) where K1 is commonly used for all color components. Step3: Rotate and invert randomly each block (see Fig.4) using a random integer generated by a key K2 where K2 is commonly used for all color components as well. Step4: Apply the negative-positive transformation to each block using a random integer generated by a key K3 where K3 is commonly used for all color components. Step5: Shuffle three color components in each block using a random integer generated by a key K4 .
The block scrambling is the operation that permutes randomly each block. Figure 2(b) illustrates an example of the block scrambling. Figures 5(b) and 5(c) are shuffled images with different block sizes, and Fig.5(d) is a partially scrambled image. It is certified that the original image is difficult to be recognized from the encrypted image when the block size is small, and that the partial encryption allows to control the relation between the visibility and the user-friendliness. The block-scrambled image IS (i) has three color components as IS (i) = {ISR (i), ISG (i), ISB (i)}. For example, since the sixth block image in Fig2.(a) is moved to the tenth block in Fig.2(b), IS (10) is represented as IS (10) = I(6). A.2 Block Rotation and Block Inversion As shown in Fig.4(a), the block rotation is the operation that rotates randomly each block either 0◦ , 90◦ , 180◦ or 270◦ where Bx = By is supposed. Also, the block inversion is the operation that inverts each block horizontally and vertically as shown in Fig.4(b). There are four patterns of block inversion, i.e., non-inversion, ether horizontal or vertical inversion, both horizontal and vertical inversion. The transformed image ID (i) has three color components as ID (i) = {IDR (i), IDG (i), IDB (i)}. Note that the images encrypted by the methods A.1 and A.2 have the same color and histogram as those of the original image. Next encryption steps can provide different ones.
120
(a)Original (N × M = 1024 × 768)
(c)Encrypted (Bx = By = 16) Fig. 5.
(b)Encrypted (Bx = By = 64)
B. Consideration on block size and the key In order to make the proposed method suitable for JPEG compression, it is required to select an appropriate block size Bx ×By . As mentioned in Section II, JPEG compression is performed for each 8×8 block except for the prediction of the DC component. In addition, because the chroma components Cb and Cr are sub-sampled, a color image must be commonly split into 16 × 16 blocks as MCU (Minimum Coded Unit) in order to make 8 × 8 blocks in the JPEG compression. In this paper, 16 or its integer multiple is proposed as Bx and By . The suitability of the proposed block size will be conformed in Section V. We can choose a random matrix which expresses the permutation of each block, the direction of rotation of each block, whether to invert each block or not, or the permutation of color components of each block, as an encryption key. Then the key space is large enough as confirmed in Section IV, but the key size depends on the image size. Also, we can choose a seed of Pseudo-Random Number Generator (PRNG) as an encryption key. Then the key size is independent of the image size, while the key space depends on the bit-length of a PRNG’s seed. The key spaces in each case will be discussed in Section IV.
(d)Partially encrypted (Bx = By = 16)
Encrypted images by block scrambling
(a)Negative-positive transformation (Bx = By = 16) Fig. 6.
to the new block image IE (i) = {IER (i), IEG (i), IEB (i)} = {INB (i), ING (i), INR (i)}. Finally, the encrypted image IE = {IER , IEG , IEB } is generated by integrating the transformed block images IE (i). The color and histogram of the images encrypted by the methods A.3 and A.4 are different from the original image. Figure 6(b) shows the encrypted image by using the above four encryptions from A.1 to A.4.
(b)Encrypted by four steps (Bx = By = 16)
Encrypted images with different color
IV. KEY SPACE ANALYSIS
A.3 Negative-Positive Transformation The negative-positive transformation is the operation that reverses all of the pixel values in each block by using a random number of either zero or one. In the ith block, the transformed pixel value p′ is computed by { ′ p =p (r(i) = 0) (1) p′ = 255 − p (r(i) = 1) where p is the pixel value of an original image with 8-bpp, and r(i) is a random integer given for the ith block. Fig.6(a) shows an encrypted image by using the negative-positive transformation. The transformed image IN (i) has three color components as IN (i) = {INR (i), ING (i), INB (i)}. A.4 Color Component Shuffling The color component shuffling is the operation that permutes values among R, G and B components by using a random integer in each block. The shuffled image IE (i) has three color components as IE (i) = {IER (i), IEG (i), IEB (i)}. For example, if the color component R is changed with B, the ith block image IN (i) = {INR (i), ING (i), INB (i)} is changed
There are several kinds of attack on an encryption, such as the brute-force attack, the differential attack, the statistical attack, and so on. In this paper, we evaluate the safety of the proposed system with its key space assuming that an attacker performs the brute-force attack. Because the encryption of each step is independent, the key space of the proposed method is determined by it of each encryption. In this Paragraph, we argue about the key space of each encryption. As all of the proposed encryptions are block-based, the parameter of the key space is the number of the divided blocks n. In the case of dividing N ×M image into Bx ×By blocks, n is computed by N ×M n= . (2) Bx × By When a random matrix is used to express a key, the key space is equal to the number of generatable encrypted images. In the block scrambling, the key space Ns , which is the number of permutation of n blocks, is given by NS = n P n = n!.
(3)
Similarly, the key spaces of other encryption steps are given as (4) NR = 4n , NI = 4n , ND = 8n
121
NN = 2n , NE =
(
3P 3
)n
= 6n
(5)
where NR and NI are the key spaces of the block rotation and the block inversion, ND is the key space of the encryption combining the block rotation and the block inversion respectively, and NN , and NE are the key spaces of the negativepositive transformation and the color component shuffling. Consequently, the key space of encrypted images by using all the proposed encryption steps, NA , is represented by NA
= NS · ND · NN · NE
(6)
= n! · 8 · 2 · 6 .
(7)
n
n
n
For example, when a color image with 1024 × 768 pixels is divided into 16 × 16 blocks, we obtain n = 3072 and NA = 3072!×83072 ×23072 ×63072 . Therefore, it is confirmed that the key space is expanded by using four encryption steps. Even NN , which is the smallest key space in the above key spaces, is larger than 2256 when n > 256, i.e., the key space of the proposed scheme is larger than that of the 256-bits key, when the divided image has more than 256 blocks at least. On the other hand, in the case of using a seed of PRNG as an encryption key, the key spaces SS , SR , SI , SD , SN and SE , which are the key spaces of the block scrambling, the block rotation, the block inversion combination of the block rotation and the block inversion, the negative-positive transformation and the color component scramble, are different from the key spaces of the above case. If 2m seeds are available as the input of PRNG, each key space S, which is SS , SR , SI , SD , SN or SE , is given as S = min(2m , N ) (8)
Fig. 7. RD curve of decrypted images with different block sizes (block scrambling) TABLE I E XPERIMENTAL RESULT ( QUALITY Quality Factor Non-encryption Proposed Scheme (4 encryption steps) Block Scrambling (1step) Block Rotation (1step) Block Inversion (1step) Negative-Positive Transformation (1step) Color Component Shuffling (1step)
TABLE II E XPERIMENTAL RESULT ( QUALITY Quality Factor Non-encryption Proposed Scheme (4 encryption steps) Block Scrambling (1step) Block Rotation (1step) Block Inversion (1step) Negative-Positive Transformation (1step) Color Component Shuffling (1step)
where min(i, j) returns the value of whichever is smaller i or j, and N is NS , NR , NI , ND , NN or NE . For example, the key space of the block scrambling is given as SS = min(2m , NS ).
PSNR 28.86 28.81 28.86 28.87 28.86 28.86 28.80
PSNR 30.25 30.18 30.25 30.26 30.25 30.25 30.18
FACTOR
= 60)
60 CIEDE2000 4.113 4.196 4.113 4.111 4.114 4.118 4.197
FACTOR
bitrate[bpp] 1.306 1.302 1.323 1.307 1.308 1.325 1.297
= 80)
80 CIEDE2000 3.587 3.675 3.587 3.586 3.587 3.589 3.676
bitrate[bpp] 1.933 1.931 1.954 1.935 1.935 1.955 1.919
(9)
Therefore, in order to make the proposed system secure, appropriate block size and bit-length of a PRNG’s key are required. V. SIMULATION We evaluate the effectiveness of the proposed encryption system by a number of simulations with color images. A. Simulation conditions The following procedure is carried out to evaluate the effectiveness: 1) Encrypt images in accordance with Fig.3. 2) Compress the encrypted images IE . 3) Compute the bitrate of the compressed images 4) Decompress and then decrypt the compressed images. 5) Compute the PSNR and CIEDE2000 values of the decrypted images compared to the original images. [4:2:0] is used as a sub-sampling ratio and five images (Airplane, Girl, Lenna, Mandrill, Pepper) are used as test images. In order to reduce the dispersion, we employ the average of 20 trial results of each image using 20 different seeds for the PSNR, CIEDE2000 and bitrate.
B. Simulation results B.1 Suitability of the block size Figure 7 shows some Rate-Distortion (RD) curves of JPEG images encrypted by the block scrambling with different block sizes. When Bx = By = 16, which is the smallest proposed block size, the compression efficiency of the block scrambled image is approximately equivalent to that of the not block scrambled image. Therefore, it is certified that an encrypted image with the proposed block size is not affected by the JPEG compression. B.2 Quality of the decrypted images Tables 1 and 2 show the experimental mean values of PSNR, CIEDE2000 and bitrate where the quality factor is a parameter to control the image quality of a compressed image. These tables certify that the compression efficiency of the encrypted image using any proposed encryption is almost the same as that of the original image. Next, the results with Q = 60 for the image Lenna are considered in more detail. When the original image is
122
Fig. 8.
Encrypted Fig.5(a) with different visibility
compressed, the values of PSNR and bitrate are 30.91[dB] and 1.198[bpp] respectively. On the other hand, when the image encrypted by the four proposed encryptions is compressed, they are 30.86[dB] and 1.185[bpp], and the minimum PSNR and the maximum bitrate, which are the worst results, are 30.84[dB] and 1.190[bpp]. Therefore, it can be said that the worst-case image quality is still approximately same as that of the original image. Hence, for example, all of the images shown in Figs.5 and 6 have almost the same efficiency of JPEG compression in spite of having different visibility. B.3 Competence of the proposed system Figure 8 is an encrypted image of Fig.5(a) using the four step encryptions partially with different block sizes. Each image shown in Figs. 5, 6 and 8 is different from the other images, i.e., each image has different visibility. Generally, when an image has different visibility from another image, each compression performance may be also different. However, as described above, the proposed ETC system enables an encrypted image to have almost the same compression performance as another encrypted image with different visibility. VI. CONCLUSIONS In this paper, we proposed an efficient ETC system for the JPEG standard. It contains the four encryption steps which are block-based encryptions and practically unaffected by the JPEG compression. An appropriate block size was also proposed on considering the JPEG algorithm. Then we evaluated the safety of the proposed system by confirming that its size of key space is large enough. The efficiency of the proposed ETC system was indicated by the simulations. Specifically, by using the proposed system, an image quality of an encrypted and compressed image IEC is almost as same as that of an compressed original image IC and an encrypted image has almost the same image quality as another encrypted image, although they have different visibility. Therefore, it can be said that the proposed system enables an image to be controlled the visibility of an encrypted image and the level of security depending on how multiple encryptions are used. R EFERENCES [1] C. T. Huang, L. Huang, Z. Qin, H. Yuan, L. Zhou, V.Varadharajan, and C. C. J. Kuo,“ Survey on securing data storage in the cloud, ”APSIPA Transactions on Signal and Information Processing, vol.3, e7, Jun. 2014.
[2] R. L. Lagendijk, Z. Erkin, and M. Barni,“ Encrypted signal processing for privacy protection: Conveying the utility of homomorphic encryption and multiparty computation, ” IEEE Signal Processing Mag., vol. 30, no. 1, pp. 82-105, Jan. 2013. [3] Z. Tang, X. Zhang, and W Lan, “ Efficient image encryption with block shuffling and chaotic map, ” Multimedia Tools Appl., doi:10.1007/s11042-014-1861-1, Jan. 2014. [4] D. Engel, T. Stutz, and A. Uhl, “ A survey on JPEG2000 encryption, ” Multimedia Syst., 15(4):243-270, Jan. 2009. [5] A. K. Jain, K.Nandakumar, and A. Nagar,“Biometric template security,” EURASIP J. Adv. Signal Process, vol.2008, p.113, Jan. 2008. [6] I. Ito and H. Kiya,“ One-Time Key Based Phase Scrambling for PhaseOnly Correlation between Visually Protected Images, ” EURASIP J. Information Security, vol.2009, no.841045, Jan. 2010 [7] I. Ito and H. Kiya,“ A new class of image registration for guaranteeing secure data management, ” Proc. the IEEE International Conference on Image Processing (ICIP), pp.269-272, Oct. 2008. [8] ISO/IEC JTC 1/SC 29/WG 1 N6402, “ Use cases and requirements for JPEG Privacy, ” Jul. 2013. [9] P. Schelkens, “ Image security tools for JPEG standards, ” Proc. the 2nd ACM workshop on Information hiding and multimedia security IH&MMSec, New York, USA, pp. 1–1, ACM Press, Jun. 2014. [10] J. Zhou, X Liu, O. C. Au, and Y. Y. Tang,“ Designing an efficient image Encryption-then-Compression system via prediction error clustering and random permutation, ” IEEE Trans. Inf. Forens. Security, vol.9, no.1, pp.39-50, Jan. 2014. [11] R. Hu, X. Li, and, B. Yang, “ A new lossy compression scheme for encrypted gray-scale images, ”Proc. the IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP), pp.7436-7440, May 2014. [12] M. Johnson, P. Ishwar, V. Prabhakaran, D. Schonberg, and K. Ramchandran,“On compressing encrypted data, ”IEEE Trans. Signal Processing, vol.53, no.10, pp.2992-3106, Oct. 2004. [13] W.Liu, W. Zeng, L. Dong, and Q. Yao, “ Efficient compression of encrypted grayscale images, ” IEEE Trans. Image Processing, vol.19, no.4, pp.1097-1102, Apr. 2010. [14] X. Zhang,“Lossy compression and iterative reconstruction for encrypted image, ” IEEE Trans. Inf. Forens. Security, vol.6, no.1, pp.53-58, Mar. 2011. [15] D. Klinc, C. Hazay, A. Jagmohan, H. Krawczyk, and T. Rabin, “ On compression of data encrypted with block ciphers. Information Theory, ” IEEE Trans. Inf. Theory, 58(11), pp.6989-7001, Nov. 2012. [16] X. Zhang, G. Feng, Y. Ren, and Z. Quian, ”Scalable coding of encrypted images, “ IEEE Trans. Image Processing, 21(6), pp.3108-3114, Jun. 2012. [17] S. Imaizumi, M. Fujiyoshi, Y. Abe, and H. Kiya, “ Collusion attackresilient hierarchical encryption of JPEG 2000 codestreams with scalable access control, ” Proc. the IEEE International Conference Image Processing (ICIP), vol. 2, pp. 137-140, Sep. 2007. [18] S. Imaizumi, O. Watanabe, M. Fujiyoshi, and H. Kiya, “ Generalized hierarchical encryption of JPEG 2000 codestreams for access control, ” Proc. the IEEE International Conference Image Processing (ICIP), vol. 2, pp. 1094-1097, Sep. 2005. [19] S. Li, G. Chen, A. Cheung, B. Bhargava, and K. T. Lo,“On the design of perceptual MPEG-video encryption algorithms, ” IEEE Trans. Circuits and Systems for Video Technology, 17(2), pp.214-223, Feb. 2007. [20] D. Engel, T. Stutz, and A. Uhl, “ Assessing JPEG2000 encryption with key-dependent wavelet packets, ” EURASIP Journal on Information Security, 2012(1), 1-16, Apr. 2012. [21] H. Kiya, S. Imaizumi, and O. Watanabe, “ Partial-scrambling of image encoded using JPEG2000 without generating marker codes, ”Proc. the IEEE International Conference on Image Processing (ICIP). Volume III, pp.205-208 Sep. 2003. [22] O. Watanabe, A. Nakazaki, and H. Kiya, “ A fast Image-Scramble method using public-Key encryption allowing backward compatibility with JPEG2000, ” Proc. the IEEE International Conference on Image Processing (ICIP), pp. 3435-3438, Oct. 2004. [23] O. Watanabe, A. Uchida, T, Fukuhara, and H. Kiya, “ An Encryptionthen-Compression system for JPEG 2000 standard, ” Proc. the IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), to be presented, Apr. 2015. [24] G. Wallace. “ The JPEG still picture compression standard, ” Communications of the ACM. 34(4), pp.30-44, Apr. 1991.
123
