Degradative encryption: An efficient way to protect SPIHT compressed images

Degradative encryption: An efficient way to protect SPIHT compressed images

Optics Communications 285 (2012) 4891–4900 Contents lists available at SciVerse ScienceDirect Optics Communications journal homepage: www.elsevier.c...
Download PDF
1MB Sizes 1 Downloads 78 Views
Report

Optics Communications 285 (2012) 4891–4900

Contents lists available at SciVerse ScienceDirect

Optics Communications journal homepage: www.elsevier.com/locate/optcom

Degradative encryption: An efficient way to protect SPIHT compressed images Tao Xiang a,n, Jinyu Qu a, Chenyun Yu a, Xinwen Fu b a b

College of Computer Science, Chongqing University, Chongqing 400044, China Department of Computer Science, University of Massachusetts Lowell, Lowell, MA 01854, USA

a r t i c l e i n f o

abstract

Article history: Received 10 May 2012 Received in revised form 5 June 2012 Accepted 6 June 2012 Available online 23 August 2012

Degradative encryption, a new selective image encryption paradigm, is proposed to encrypt only a small part of image data to make the detail blurred but keep the skeleton discernible. The efficiency is further optimized by combining compression and encryption. A format-compliant degradative encryption algorithm based on set partitioning in hierarchical trees (SPIHT) is then proposed, and the scheme is designed to work in progressive mode for gaining a tradeoff between efficiency and security. Extensive experiments are conducted to evaluate the strength and efficiency of the scheme, and it is found that less than 10% data need to be encrypted for a secure degradation. In security analysis, the scheme is verified to be immune to cryptographic attacks as well as those adversaries utilizing image processing techniques. The scheme can find its wide applications in online try-and-buy service on mobile devices, searchable multimedia encryption in cloud computing, etc. & 2012 Elsevier B.V. All rights reserved.

Keywords: Selective encryption Degradative encryption Set partitioning in hierarchical trees Joint compression and encryption

1. Introduction It is hard to say whether the development of networks facilitates the application of multimedia, or the prevalence of multimedia boosts the evolution of networks, but an undeniable fact is that multimedia is a necessity in our networked daily life. Digital image, as one of the most common multimedia form, has been gaining much attention for a long time, and its security faces great challenges in the ubiquitous networked environment now. Encryption is widely used to protect images, but traditional encryption algorithms are incompetent when they meet the increasing massive data volumes, restricted network conditions, as well as real-time transmission requirements. Many efforts have been made to deal with image security, especially in terms of efficiency, and selective image encryption [1] (or known as selective/partial encryption [2]) is a promising one. The basic principle of selective encryption is to only selectively encrypt a portion of image data. Because different parts of image data contribute differently to the visualization of an image, we can just keep a part of them secure and make the visualization of whole image to meet our requirements. Since the volume of data to be encrypted is reduced, the encryption efficiency is significantly improved.

n

Corresponding author. E-mail address: [email protected] (T. Xiang).

0030-4018/$ - see front matter & 2012 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.optcom.2012.06.097

Most of work in existing literature focuses on selective encryption for confidentiality, which we call confidential selective encryption and is abbreviated as confidential encryption here. Confidential encryption chooses the important part of image data to be encrypted to keep the contents of whole image secure (i.e., to make the encrypted image totally unintelligible). Current research on confidential encryption mainly includes: (1) selectively encrypting important bit in spatial domain, such as the most significant bit (MSB) in bitplane [3]; (2) encrypting important coefficients in transform domain, such as discrete cosine transform (DCT) [4], discrete wavelet transform (DWT) [5,6], or discrete wavelet packet transform (DWPT) [7]; (3) joint selective encryption with coding, such as embedded zerotree wavelet (EZW) coding or set partitioning in hierarchical trees (SPIHT) algorithm [2,8–11]; and (4) selective encryption at bitstream level, such as at packet level of JPEG2000 standard [12]. Among these directions, it is found that joint compression and encryption is an attractive beneficial solution to image security since any encryption before compression will impair the compression performance of encoders. Many efforts have been made to design and analyze encryption algorithms embedded into image coding, such as Huffman coding [5,13–15], arithmetic coding [13,14,16–22], quadtree coding [2,23], EZW coding or SPIHT algorithm [2,8–11], etc. Like traditional cryptosystems, confidential encryption makes plain images totally unrecognizable, which is not desirable in some scenarios. For example, in cloud computing, images are often encrypted for privacy or security reason when being

4892

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

uploaded to the cloud, but it is hard to launch a search among these encrypted data. Although recently some theories and techniques are proposed to support searchable encryption [24–27], the granularity of search is very limited and the speed is unacceptably slow since many of them are based on public-key cryptography. Another example is online multimedia service, the service provider may need to encrypt images or videos against unpaid clients or unauthorized access. However, customers cannot have a general knowledge about the contents before their purchases, unless the service provider gives a description or a preview clip, which will definitely induce extra workload and overhead on computation and storage. Further examples are found in wireless multimedia sensor networks (WMSN) [28] or the Internet of Things (IoT) where privacy is a main concern with regard to image/video surveillance applications [29]. It is impractical to encrypt the entire multimedia data not only for doing so will bring troubles in data aggregation and analysis, but also for the limitation of computational resources. There are some initial attempts at secure image search (or called as image retrieval/indexing). One intuitive resolution is based on the image metasearch, i.e. search of images based on associated metadata such as keywords, text, etc. The metadata is encrypted for secure retrieval. The other method is called contentbased image retrieval (CBIR). Li [30] presented a security mechanism for CBIR by utilizing digital watermarking for hierarchical queries with different authorization on a large image collection. Lu et al. [31] considered content-based multimedia retrieval over encrypted databases, and proposed two secure indexing schemes built upon visual words representation of images. In [32], a secure CBIR system is presented where both images and features are encrypted and the latter information is used for secure indexing. Zhang et al. [33] proposed a watermarking protocol for user rights and privacy protection in the context of CBIR. In this paper, we present a simple yet efficient way to solve the above-mentioned problems for compressed images. Compared with the most existing work relying on pure cryptographic theory, we turn to image processing techniques. Degradative encryption, a new efficient selective encryption paradigm, is proposed to encrypt the detail of an image but to keep the skeleton recognizable. Then a concrete degradative encryption algorithm combined with SPIHT compression is given. Extensive experiments are conducted to exam the security and efficiency of the scheme. This paper is organized as follows. Section 2 introduces the concept of degradative encryption and its potential applications. In Section 3, we review and analyze the SPIHT compression algorithm, and then propose a degradative encryption scheme based on SPIHT. Section 4 discusses the encryption efficiency and strength of the proposed scheme, and its format compliance is also investigated. Security analysis is given in Section 5. Finally, Section 6 concludes the paper.

Original image

Compression

Important part

Unimportant part

Encryption

Degraded image Fig. 1. Principle of degradative encryption combined with compression.

The basic principle of degradative encryption combined with compression is shown in Fig. 1. The input is the original plain image of high resolution. During its compression, the unimportant part of data representing the detail of the image is selectively encrypted. The algorithm finally outputs the degraded cipher image of low resolution. In this manner, all users gain a rough preview of the image, but only the receiver with correct key can recover the plain image of original resolution. Degradative encryption has its superiority to traditional cryptosystem in many aspects. First, it has great flexibility between security and efficiency. As only part of data is encrypted, the algorithm can be designed in a progressive way to adjust the selective encryption strength to meet the tradeoff between security and efficiency in different environments. Second, the skeleton information provided by cipher image is useful for search, preview, etc., in different application scenarios. Also, the algorithm can be format-compliant with elaborated design. With all these virtues, degradative encryption can find its wide applications in various network environments and application scenarios. For example, it may be employed in try-and-buy online multimedia service. Users could have a preview of an image to check whether they are interested in, and only the authorized or paid consumers can obtain the original image with high quality. It supports operations such as search and aggregation on ciphered images in cloud computing or WMSN while maintaining a certain degree of privacy. Also, it can be used as a copyright protection method, because only the owner is capable of revealing the original quality of an image.

3. Degradative encryption algorithm based on SPIHT 2. Concept of degradative encryption and its applications In most selective encryption schemes, we usually pay attention to the important part of data that contributes much to the visualization of images such as MSBs, low-frequency DCT coefficients, and the tree structure of SPIHT algorithm, and rarely take the unimportant part into consideration. The unimportant part of image data, such as the least significant bit (LSB) in bitplane or high-frequency DCT coefficients, usually represents the detail of an image. We can thereby selectively encrypt this part of data to keep the visualization of the skeleton of original image after encryption. Since the effect of this selective encryption is similar to that of image degradation, we call it degradative selective encryption (abbreviated as degradative encryption in the subsequent statements throughout the paper).

Said and Pearlman presented a highly efficient technique in [34] for compressing wavelet coefficients based on SPIHT. SPIHT is an improved version of EZW coding [35], and its performance is either comparable to or surpass previous results obtained through much more sophisticated and computationally complex methods. The coding procedure of SPIHT is extremely fast and can be stopped at any compression ratio or compressed file size. These virtues make it a good candidate for image compression especially under some constrained channel conditions such as wireless sensor networks (WSNs) [36]. There is some work designing confidential encryption schemes on SPIHT [8–11]. In this section, we first review and analyze SPIHT algorithm, and then propose a degradative encryption scheme based on SPIHT.

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

LL3

4893

HL3 HL2

LH3 HH3 HL1 LH2

HH2

LH1

HH1

Fig. 2. The SOT structure of SPIHT. (a) DWT; (b) SOT.

3.1. Review of SPIHT algorithm SPIHT compression algorithm is well regarded as a highly efficient technique for lossy image compression. It is based on the concept of zerotrees, whereby an image is transformed using a multiple-level DWT as shown in Fig. 2(a), and the resulting coefficients are grouped into spatial orientation trees (SOT) and coded using successive approximation quantization. The SOT structure is shown in Fig. 2(b). The SPIHT coder produces an embedded code which allows the decoding of the resulting bitstream to be terminated at any point to produce an arbitrary bit rate. Thus, the output bitstream can be decoded progressively to provide rate-distortion scalability. The underlying principle of SPIHT algorithm is simple: given a magnitude threshold, scan the DWT coefficients in SOT with significance test and transmit the test results and the remaining MSB of significant coefficients, then decrease the threshold and repeat the process. For a partitioning subset T , the significance test is formalized as 8 < 1 max f9ci,j 9 Z 2n g ði,jÞ A T Sn ðT Þ ¼ ð1Þ : 0 otherwise where ci,j denotes the coefficient at (i, j). That means given a threshold 2n, a set of coefficients T is significant if there is a coefficient in T whose magnitude is at least 2n. For convenience, Sn ðfi,jgÞ is abbreviated as Sn ði,jÞ. In the algorithm, each 2  2 block of coefficients in the root level corresponds to three trees of coefficients, as shown in Fig. 2(b). The following sets of coordinates are defined:

 Oði,jÞ : set of coordinates of all offspring of the coefficient at (i, j);

 Dði,jÞ : set of coordinates of all descendants of the coefficient at (i, j);

 H : set of coordinates of all coefficients in the root level;  Lði,jÞ ¼ Dði,jÞOði,jÞ. Three lists are maintained by the algorithm:

 LIS: list of insignificant sets;  LIP: list of insignificant pixels;  LSP: list of significant pixels. LIS contains two types of entries, representing the sets Dði,jÞ and Lði,jÞ. To differentiate between them, we say that an LIS entry

is of type A if it represents Dði,jÞ, and of type B if it represents Lði,jÞ. LIP is a list of insignificant coefficients that do not belong to any of the sets in LIS. LSP is a list of coefficients that have been identified as significant. The algorithm procedure is described in Algorithm 1. Algorithm 1. SPIHT coding algorithm. Initialization: output n ¼ blog2 ðmaxði,jÞ f9ci,j 9gÞc; set LSP as an empty list, and add the coordinates ði,jÞ A H to LIP, and only those with descendants also to LIS, as type A entries. Sorting Pass: for all (i, j) in LIP do output Sn ði,jÞ (BLIP-sig ); if Sn ði,jÞ ¼ 1 then move (i, j) to LSP and output the sign of ci,j (BLIP-sgn ); end if end for for all (i, j) in LIS do if the entry is of type A then output Sn ðDði,jÞÞ (BLIS-D-sig ); if Sn ðDði,jÞÞ ¼ 1 then for all ðk,lÞ A Oði,jÞ do output Sn ðk,lÞ (BLIS-O-sig ); if Sn ðk,lÞ ¼ 1 then add (k, l) to LSP and output the sign of ck,l (BLIS-O-sgn ); else add (k, l) to the end of LIP; end if end for if Lði,jÞ a f then move (i, j) to the end of LIS as type B; else remove (i, j) from LIS; end if end if end if if the entry is of type B then output Sn ðLði,jÞÞ (BLIS-L-sig ); if Sn ðLði,jÞÞ ¼ 1 then add each ðk,lÞ A Oði,jÞ to the end of LIS as type A; remove (i, j) from LIS; end if end if

4894

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

end for Refinement Pass: for all (i, j) in LSP, except those included in the last sorting pass (i.e., with same n), output the nth most significant bit of 9ci,j 9 (BLSP-bit ); Quantization-Step Update: decrement n by 1 and go to sorting pass.

The coordinates information of coefficients are used in the coding algorithm but never transmitted. As the scanning order of SOT and the results of branching test are the same both in encoding and decoding procedures, the decoder can recover the value of coefficients and their coordinates successfully. 3.2. Analysis of SPIHT’s output The binary code stream of SPIHT consists of the output, underlined in Algorithm 1, of the coding algorithm. The bitstream can be divided into ordered subsets B ¼ B0 B1 . . . Bi . . ., where Bi is the set of bits output at i-th iteration of SPIHT algorithm. Each Bi may contain 7 types of coefficients that are also remarked in the brackets in Algorithm 1. We use subscript sig to indicate the significance information, and sgn the sign information. Generally speaking, significance bits (BLIP-sig , BLIS-D-sig , BLIS-O-sig , and BLIS-L-sig ) are more important to the visualization of images than sign bits (BLIP-sgn and BLIS-O-sgn ) and refinement bits (BLSP-bit ). This is because significance bits determine the structure of SOT and have error propagation on descendants when they are missing, on the other hand, the impact of each sign bit is isolated and it contributes little to image energy. As for refinement bits, as the name indicated, they just make the reconstructed coefficients approximate to their real value. To demonstrate the influence of each type of coefficients, we use a 512  512 graylevel Lena image encoded by SPIHT at 1.0 bpp (Fig. 3(a)), and encrypt each type of coefficients by RC4 [37] encryption algorithm. The results are shown in Fig. 3(b)–(h). It is clear from Fig. 3(b)–(e) that the encryption of significance information will make the decoded image unrecognizable, but the deterioration is much less in Fig. 3(f)–(h) when sign and refinement bits are encrypted. We also check the proportion of each type of coefficients in the code stream, and the results are tabulated in Table 1. We find that significance bits (except BLIS-L-sig ) occupy the most proportion, then are refinement bits, and sign bits occupy the least. This distribution is easy to understand because significance bits represent the structure of SOT, while sign bits just follow those significance bits whose values are 1. We also take all the gray-level images in USC-SIPI image database [38] to do the same experiments under different coding rate and similar results are obtained. 3.3. Degradative encryption based on SPIHT We propose a degradative encryption algorithm based on the preceding analysis of the output of SPIHT algorithm. The basic idea is to only encrypt BLIS-O-sgn while keeping other coefficients intact. The reasons for encrypting BLIS-O-sgn are: (1) it meets the requirement of degradative encryption because encryption of BLIS-O-sgn can blur the original image, but still makes the contents of the image intelligible; (2) it reduces the computational overhead substantially as the proportion of BLIS-O-sgn in code stream is small; and (3) it supports progressive encryption to control the encryption strength.

The proposed encryption algorithm is designed to work in progressive mode to support progressive encryption in different scenarios. There is a parameter r to control the strength of encryption, i.e., only the BLIS-O-sgn coefficients in the last r round(s) are encrypted, where 1 rr r n and n is the maximum iteration number in SPIHT. For conceptual understanding, the encryption starts from the last round of iteration, and progressively diffuses to previous r-1 iterations.1 In this manner, the value of r controls the granularity of encryption. With a great r the algorithm gains more security, but the encryption payload will increase; while a small r can accelerate the encryption when efficiency is more crucial than security. This gives much flexibility to meet a good tradeoff between computational overhead and security in various computing environments and application scenarios. The reason we choose to encrypt BLIS-O-sgn coefficients starting from the last round of SPIHT iteration is multifold. First, the data close to the leaf nodes of SOT are the detail of images and have a high probability to pass the significance test, so more BLIS-O-sgn coefficients are generated at the end of coding iterations. Second, the magnitudes of DWT coefficients corresponding to BLIS-O-sgn at the end of coding iterations are usually small, and they represent refinement information of images. Based on these two main factors, we can get a progressively blurred image by encrypting BLIS-O-sgn coefficients starting from the last round of SPIHT iteration. Another virtue of this manner is that with a proper selection of r, we do not need to encrypt BLIS-O-sgn coefficients in the beginning rounds. Because if a compressed image is transmitted at an extremely low bit rate, there is no need to encrypt it for degradation purpose since the decoded image is obscure itself.

4. Experimental results and analysis We implement the proposed degradative encryption algorithm based on the SPIHT source code provided by [39], and the bit rate of compression is set to 1.0 bpp for a tradeoff between image quality and compression performance. Gray-level images in USCSIPI image database [38] are adopted in our experiments. RC4 is employed as the cryptographic primitive throughout the experiments, but any other cryptographically secure stream ciphers or block ciphers working in OFB and CTR models [37] can be incorporated here because our scheme is independent of cryptographic primitives. 4.1. Encryption strength To demonstrate the encryption effect and strength, we use a 512  512 gray-level Lena image as the input, and progressively encrypt the output of BLIS-O-sgn during SPIHT coding in two ways. First, only the BLIS-O-sgn coefficients in the last r round(s) are encrypted, where 1r r r11 here. Then, we do the similar encryption in a reversed order, i.e. only the BLIS-O-sgn coefficients in the first r^ round(s) are encrypted, where 1r r^ r11. The results are shown in Figs. 4 and 5, respectively. Because we find there are no output of BLIS-O-sgn in the first two iterations, the encrypted images are identical when r¼ 9–11 (Fig. 4(i)). For the same reason, the cipher images are omitted in Fig. 5 when r^ ¼ 122 since they are the same with the plain image (Fig. 3(a)). From Fig. 4(a)–(i), we can clearly see a progressive blurring effect on the plain image with the increasing of encryption strength. When r ¼1–6, the image is smoothly blurred and the quality of the image is degraded gradually. When r Z 7, only the 1

In implementation, the encryption starts from the (n r þ1)-th iteration.

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

4895

Fig. 3. Encryption of SPIHT coefficients. (a) Lena encoded by SPIHT at 1.0 bpp; (b)–(h) Encryption of BLIP-sig , BLIS-D-sig , BLIS-O-sig , BLIS-L-sig , BLIP-sgn , BLIS-O-sgn , and BLSP-bit , respectively.

Table 1 Distribution of different type of coefficients in SPIHT when encoding a 512  512 Lena at different coding rates. Coefficient

1.0 bpp (%)

2.0 bpp (%)

3.0 bpp (%)

4.0 bpp (%)

5.0 bpp (%)

6.0 bpp (%)

7.0 bpp (%)

8.0 bpp (%)

BLIP-sig BLIS-D-sig BLIS-O-sig BLIS-L-sig BLIP-sgn BLIS-O-sgn BLSP-bit

23.78 14.85 26.42 5.96 9.10 8.59 11.29

22.03 14.46 29.05 4.49 8.95 9.28 11.73

18.94 13.06 29.68 3.34 7.60 10.35 17.04

22.71 10.47 24.54 2.52 9.57 8.84 21.35

23.10 8.46 19.89 2.01 10.03 7.20 29.31

21.48 7.07 16.61 1.68 9.46 6.01 37.69

19.40 6.07 14.26 1.44 8.60 5.16 45.07

17.43 5.32 12.49 1.26 7.74 4.52 51.26

skeleton of the image is intelligible while the detail information is lost. Fig. 4(i) represents the situation when all the BLIS-O-sgn coefficients are encrypted, which is identical to the case in Fig. 5(i). On the contrary, in Fig. 5(a)–(i), the quality of the image is not smoothly degraded when encryption is strengthened. For example, in Fig. 5(a)–(d), there are some irregularly distributed dark and bright speckles that make some parts of the image unidentifiable but keeping other parts clear. Several metrics are utilized to describe the difference between cipher and plain images. One of them is the commonly used peak signal-to-noise ratio (PSNR). PSNR is usually used as a measure of the quality of a compressed or reconstructed image. The greater value it is, the better quality it gains. PSNR is defined as below: 2552 PSNR ¼ 10  log MSE

MSE ¼

!

w X h 1 X ðIði,jÞJði,jÞÞ2 wh i ¼ 0 j ¼ 0

ð2Þ

ð3Þ

where the image size is w  h pixels, I(i, j) and J(i, j) denote the pixels at (i, j) in two images. We also measure the encryption effect from the viewpoint of human visual system (HVS), and check the similarities of luminance and edge information between cipher and plain images. Images are first divided into N blocks of 8  8 pixels, and the following two metrics are calculated based on block unit. Luminance similarity score (LSS) [40]: defined as below, is employed to capture the luminance similarity between two

images. LSS ¼

N 1X f ðx ,x Þ N i ¼ 1 1i 2i

f ðx1i ,x2i Þ ¼

8 > > > <1

  9x1i x2i 9 > > > : round b

ð4Þ

if 9x1i x2i 9 o

b 2

ð5Þ

otherwise

where x1i and x2i are the average luminance values of the i-th block from two images, and b ¼ 3 in our experiments. A negative LSS value indicates substantial dissimilarity in luminance between two images. Edge similarity score (ESS) [40]: the dominant edge direction in each block is extracted by Sobel operator and quantized into one of the eight representative directions. The representative edge directions are equally spaced by 22.51 in a polar coordinate system. We use indices 1–8 to represent these eight directions, and use index 0 to represent a non-edge block. Let e1i and e2i be the edge direction indices for the i-th block in two images, respectively, ESS is computed as PN wðe1i ,e2i Þ ESS ¼ PiN¼ 1 i ¼ 1 cðe1i ,e2i Þ ( wðe1i ,e2i Þ ¼

ð6Þ

0,

if e1i ¼ 0 or e2i ¼ 0

9cosðfðe1i Þfðe2i ÞÞ9

otherwise

ð7Þ

4896

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

Fig. 4. Encryption of BLIS-O-sgn coefficients starting from the last round of SPIHT iteration. (a)–(h) r ¼1–8; (i) r¼ 9–11.

Fig. 5. Encryption of BLIS-O-sgn coefficients starting from the first round of SPIHT iteration. (a)–(i) r^ ¼ 3211.

cðe1i ,e2i Þ ¼



0

if e1i ¼ e2i ¼ 0

1

otherwise

ð8Þ

where fðeÞ is the representative edge angle for an index e. The score ranges from 0 to 1, where 0 indicates that the edge information of two images is highly distinct and 1 indicates a match between the edges in two images. The experimental results on Lena with different encryption methods and strength are listed in Table 2. To demonstrate the difference of degradative encryption from traditional image encryption method, it is also considered by using RC4 to encrypt the whole SPIHT compressed image data, and the results are given in the last row of Table 2. The cipher image encrypted by traditional method looks purely noisy and the values of PSNR, LSS and ESS indicate its little relativity to the plain image. However, the difference between cipher image encrypted by degradative encryption and its plain image is much smaller, as the skeleton information is reserved in the ciphered image. The values of PSNR, LSS, and ESS are smoothly decreased when r¼1–11, indicating that fine progressive degradation effects are gained. On the other side, the changes of PSNR, LSS,

and ESS are less smooth when r^ ¼ 1211. The values of LSS and ESS are even not monotonically decreased when the encryption strength is increased in this case. Similar results are found when we conduct the same experiments on all the grey-level images in USC-SIPI image database [38] (see Table 3), but for space limitation, only the detail on Lena is given in Table 2. The experimental results show that: (1) if BLIS-O-sgn coefficients are encrypted starting from the end of SPIHT coding iteration, progressive degradative encryption effect can be obtained corresponding to the encryption strength; and (2) encrypting of BLIS-O-sgn coefficients can make the skeleton information of an image intelligible while keeping detail secret. The results validate the soundness of our progressive degradative encryption scheme. 4.2. Encryption efficiency Since the proposed algorithm is a selective encryption scheme, the selection strength, i.e. the volume of encrypted data determines encryption efficiency. From Table 1 we can see that

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

Table 2 Experimental results on Lena using different encryption methods and strength. Encryption

Round

PSNR

Degradative

r ¼1 r¼ 2 r¼ 3 r¼ 4 r¼ 5 r¼ 6 r¼ 7 r¼ 8 r¼ 9 r¼ 10 r¼ 11

50.58 37.07 32.90 29.35 25.99 22.71 20.15 17.36 17.04 17.04 17.04

1.00 0.95 0.64 0.06  0.75  1.96  3.62  5.97  6.33  6.33  6.33

0.82 0.60 0.53 0.46 0.40 0.35 0.33 0.32 0.31 0.31 0.31

0.72 4.75 6.70 7.72 8.23 8.47 8.56 8.59 8.59 8.59 8.59

r^ ¼ 1 r^ ¼ 2 r^ ¼ 3 r^ ¼ 4 r^ ¼ 5 r^ ¼ 6 r^ ¼ 7 r^ ¼ 8 r^ ¼ 9 r^ ¼ 10 r^¼ 11

Inf Inf 26.74 19.68 18.37 17.62 17.32 17.16 17.08 17.04 17.04

1.00 1.00  0.03  4.01  5.43  6.05  6.26  6.31  6.33  6.34  6.33

1.00 1.00 0.86 0.59 0.51 0.40 0.35 0.34 0.30 0.31 0.31

0.00 0.00 0.01 0.03 0.12 0.37 0.88 1.90 3.84 7.87 8.59

8.88

 13.63

0.06

Traditional

LSS

ESS

Proportion (%)

100

Table 3 Experimental results on USC-SIPI image database when all BLIS-O-sgn coefficients are encrypted. File

Description

Size

PSNR LSS

ESS

Proportion (%)

5.1.09 5.1.10 5.1.11 5.1.12 5.1.13 5.1.14 5.2.08 5.2.09 5.2.10 5.3.01 5.3.02 7.1.01 7.1.02 7.1.03 7.1.04 7.1.05 7.1.06 7.1.07 7.1.08 7.1.09 7.1.10 7.2.01 boat.512 elaine.512 gray21.512 numbers.512

Moon surface Aerial Airplane Clock Resolution chart Chemical plant Couple Aerial Stream and bridge Man Airport Truck Airplane Tank Car and APCs Truck and APCs Truck and APCs Tank APC Tank Car and APCs Airplane (U-2) Fishing Boat Girl (Elaine) 21 level step wedge 256 level test pattern Pixel ruler General test pattern

256 256 256 256 256 256 512 512 512 1024 1024 512 512 512 512 512 512 512 512 512 512 1024 512 512 512 512

21.35 13.54 20.47 16.11 10.55 16.18 16.78 15.40 15.84 17.93 18.34 21.14 22.82 21.95 18.95 18.83 18.66 21.04 24.23 20.83 21.71 25.43 17.00 17.05 23.41 12.40

0.32 0.35 0.39 0.34 0.34 0.36 0.32 0.40 0.36 0.33 0.37 0.35 0.38 0.31 0.28 0.36 0.32 0.29 0.36 0.35 0.26 0.29 0.36 0.28 0.04 0.41

8.78 9.95 8.82 8.13 8.36 11.14 10.78 10.73 11.22 11.01 9.43 11.32 9.86 11.61 12.16 10.08 9.96 9.13 10.67 10.10 12.34 10.77 10.22 11.54 3.88 8.23

ruler.512 testpat.1k

 2.99  9.12  2.32  5.12  7.80  6.48  5.13  6.00  6.28  5.08  3.91  3.37  1.26  2.87  4.23  4.87  5.08  3.45  1.76  3.27  3.53  1.11  5.19  6.15  1.44  8.81

512 8.51  7.97 0.29 17.85 1024 12.51  5.8 0.18 9.01

BLIS-O-sgn coefficients only occupy 8.59% of the SPIHT code stream for Lena, and Table 3 also gives the proportion of BLIS-O-sgn in all test images. It is found that the proportion of BLIS-O-sgn is around 10% (the average of the last column of Table 3 is 10.25%), that means we only need to encrypt at most 10% of the whole compressed image data. Given the same cryptographic primitive, the efficiency of our encryption scheme is 10 times of that of the

4897

traditional method, even all BLIS-O-sgn coefficients are selected to be encrypted. The last column of Table 2 lists the ratio of encrypted BLIS-O-sgn coefficients of Lena according to different selection strength. It is clear that with the increasing of encryption strength, more volume of coefficients is to be encrypted. Because of the structure of SOT, more BLIS-O-sgn coefficients are produced at the end of SPIHT iterations, and there is even no BLIS-O-sgn output in the first two iterations. Therefore, if we encrypt BLIS-O-sgn coefficients starting from the last round of SPIHT iteration, the increment of encrypted data when r ¼1–11 is decreasing. While the situation is opposite when we encrypt them from the first round, i.e. when r^ ¼ 1211. As the selection strength of our algorithm is adaptive, the value of parameter r could be chosen differently according to different scenarios to achieve a good tradeoff between computational overhead and security strength. This feature gives a great flexibility to our algorithm for being adopted in various practical applications. 4.3. Format compliance Traditional image encryption algorithms take image files as transparent binary input, and thus destroy file format as well as data structure after encryption. For this reason, the decoder without the key may crash during the decoding process. Then format-compliant selective encryption schemes are proposed, however, many of confidential encryption schemes based on SPIHT spoil the structure of SOT by encrypting significance coefficients [2,9–11], which are believed to be important for the reconstruction of original images. Because the value of significance coefficient determines the meaning of subsequent bit, changing the value of significance coefficients may introduce malfunction to the decoder at the end of coding stream. In our proposed degradative encryption scheme, only the sign coefficient, i.e. BLIS-O-sgn , is encrypted. Since the influence of sign coefficient is isolated and has no impact on subsequent bits, full format compliance is preserved. Both decoders with/without the secret key can handle the decoding process smoothly, except that a degraded image will be obtained without the correct key.

5. Security analysis The security analysis of a cryptosystem is vital both for its theoretical design and practical deployment. Selective encryption is different from traditional cryptosystem, and has its unique security requirements and challenges. The security of selective encryption lies in the two aspects: (1) the security of the cryptographic primitive being employed, which guarantees that the encrypted data cannot be disclosed without knowing the key; (2) the security of selection strategy, that ensures the encrypted data cannot be recovered from the non-encrypted ones, or the image cannot be disclosed without decrypting. For confidential encryption, it requires that any tiny information about the original image cannot be obtained. For degradative encryption, an image of or close to the original resolution cannot be obtained. As the proposed algorithm is independent of cryptographic primitive, any well-established cryptographically secure primitive can be adopted. Our attention is mainly paid to the security analysis of the selection strategy. In this section, unless stated otherwise, we use RC4 as the cryptographic primitive, and the selective encryption strategy is to use RC4 to encrypt all BLIS-O-sgn coefficients. The plain image is a 512  512 gray-level Lena encoded by SPIHT at 1.0 bpp as shown in Fig. 3(a).

4898

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

5.1. Key sensitivity For a well designed cryptosystem, the security relies on the key. In traditional cryptosystem, key sensitivity is crucial and any slight difference in the key should make the decrypted plaintext totally different and meaningless. In our scheme, it is further required that the decrypted data with incorrect key make little contribution to the visual reconstruction of the whole image. Fig. 6 is the decrypted image of Fig. 3(g) with a decryption key that is just one-bit different from the encryption key. It is clear that the quality of the decrypted image is similar to that of the cipher image and cannot be comparable with the original image (i.e. Fig. 3(a), and the PSNR between them is 17.37). To further address the general situation, we generate 3000 keys uniformly at random in the key space, and record the PSNR of decrypted image with each key. The results are plotted in Fig. 7. We find that any difference, no matter tiny or great, in the key makes the decrypted image substantially degraded. Only with correct key can we recover the original image.

Table 4 Probability distribution of BLIS-O-sgn . Probability

Plain image

Cipher image

pðBLIS-O-sgn ¼ 0Þ pðBLIS-O-sgn ¼ 1Þ

0.4941 0.5059

0.4971 0.5029

5.2. Plaintext inferring Since only portion of image data is encrypted, we need to check the possibility of inferring plaintext from statistical pattern or data correlation. BLIS-O-sgn coefficients follow the output of BLIS-O-sig when and only when BLIS-O-sig ¼ 1,2 i.e. the preceding bit next to each BLIS-O-sgn is 1, so one cannot infer the value of BLIS-O-sgn from that of BLIS-O-sig . From SPIHT coding procedure we also know that the output of BLIS-O-sgn is independent of other type of coefficients except BLIS-O-sig , thus it is also infeasible to deduce the value of BLIS-O-sgn from other coefficients. Now we examine the distribution of BLIS-O-sgn itself. Table 4 tabulates the probability distribution of BLIS-O-sgn in the plain image and the cipher image. The distribution of BLIS-O-sgn is well balanced in the cipher image and even in the plain image, that is to say, the adversary has negligible advantage of recovering BLIS-O-sgn from its distribution knowledge over random guessing.

5.3. Replacement attack

Fig. 6. Decrypted Lena with an incorrect key of one-bit difference.

Replacement attack in selective encryption refers to the method of replacing the encrypted ciphertexts with designed data without of decrypting them. It is usually an easy and efficient attack in selective encryption, especially in degradative encryption, as (1) only a small part of data is encrypted, and (2) the encrypted data are usually less important information and are believed to contribute little to the visualization. In our experiments, three replacement strategies are considered: (1) set all encrypted data to 0, (2) set all encrypted data to 1, and (3) set all encrypted data uniformly at random. The results are shown in Fig. 8, and it is clear that none of the replacement strategies can improve the image quality significantly.

5.4. Averaging attack In image processing, multiple sampled images can be averaged for image enhancement if the noises are assumed to be independently distributed and their average is 0 [41]. We regard the proposed degradative encryption as a noise generator, and study its resistance to averaging attack. We assume that the adversary is capable of obtaining arbitrary copies of cipher images encrypted by different keys. The averaging attack results are listed in Table 5 showing the PSNR obtained by averaging different number of images. We see that the quality of averaged image is not monotonically increased with the increasing number of averaged images, therefore the availability of more cipher images will not help in the attack. The best quality, i.e. PSNR is 21.15, occurs when 4 images are averaged. However, compared with the PSNR of cipher image (PSNR is 17.04 as shown in Table 2), the improvement is insignificant.

Fig. 7. PSNR obtained by decoding 3000 possible combinations of the key.

2 There may be no output of BLIS-O-sgn even if BLIS-O-sig ¼ 1 when the compression ratio meets the predefined threshold.

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

4899

Fig. 8. Replacement attack results on encrypted BLIS-O-sgn coefficients. (a) Set all BLIS-O-sgn to 0; (b) Set all BLIS-O-sgn to 1; (c) Set all BLIS-O-sgn with random values.

Table 5 PSNR obtained by averaging different number of images. Number of images

2

4

8

16

32

64

128

256

512

1024

PSNR

18.29

21.15

20.64

20.48

20.41

20.39

20.33

20.30

20.27

20.29

Acknowledgments

Table 6 PSNR obtained by applying filters on cipher image. Filter

Mean

Median

Wiener

Gaussian

Laplacian

PSNR

17.39

17.20

17.51

17.12

15.47

5.5. Attacks by other image processing techniques We also investigate the resistance of our degradative encryption algorithm against other image processing techniques such as image enhancement, restoration, and deblurring, however, none of them can improve the quality of cipher image significantly. Because the core of many such techniques is applying a filter on an image, in Table 6 we list the results on the cipher image by employing some prevalent filters in image processing [41]. The qualities of filtered images are almost the same with or even worse than the cipher image.

6. Conclusion In this paper, we proposed a novel selective image encryption paradigm: degradative encryption. Unlike existing confidential selective encryption whose purpose is to keep the entire image unintelligible, our motivation is to degrade the quality of original image but preserving a blurred preview. Degradative encryption can find its wide applications in various scenarios. We then presented a format-compliant degradative encryption algorithm based on set partitioning in hierarchical trees (SPIHT) compression. After analyzing the output of SPIHT, we proposed to encrypt BLIS-O-sgn coefficients whose proportion is only around 10% of the entire compressed bitstream. The scheme is designed in a progressive way to support a customized tradeoff between security and efficiency. Extensive experiments were conducted to investigate the strength and efficiency of the scheme, as well as its format compliance. In security analysis, not only do we studied the security of the cryptosystem from traditional cryptanalysis, but also examed its resistance to the attacks specific on selective encryption and those by leveraging image processing techniques. None of them is found to be helpful in improving the quality of cipher image significantly.

The work in this paper was supported by the National Natural Science Foundation of China (nos. 61103211, 61070246, 61003256), the Fundamental Research Funds for the Central Universities (no. CDJZR10180020), and the Post-doctoral Science Foundation of China (nos. 201104319, 20100470817). References [1] G.A. Spanos, T.B. Maples, Performance study of a selective encryption scheme for the security of networked, real-time video, in: Proceedings of the International Conference on Computer Communications and Networks (ICCCN’95), Las Vegas, NV, USA, 1995, pp. 2–10. [2] H. Cheng, X. Li, IEEE Transactions on Signal Processing 48 (8) (2000) 2439. [3] M. Podesser, H.-P. Schmidt, A. Uhl, Selective bitplane encryption for secure transmission of image data in mobile environments, in: Proceedings of the IEEE Nordic Signal Processing Symposium (NORSIG’02), Tromso-Trondheim, Norway, 2002. [4] R. Pfarrhofer, A. Uhl, Selective image encryption using JBIG, in: Proceedings of Communications and Multimedia Security (CMS’05), Salzburg, Austria, 2005, pp. 98–107. [5] C.-P. Wu, C.-C.J. Kuo, IEEE Transactions on Multimedia 7 (5) (2005) 828. [6] S. Lian, X. Chen, Mathematical and Computer Modelling, http://dx.doi.org/10. 1016/j.mcm.2011.06.007. [7] Y.-H. Seo, H.-J. Choi, D.-W. Kim, Optics Communications 282 (3) (2009) 367. [8] S. Lian, J. Sun, Z. Wang, Perceptual cryptography on SPIHT compressed images or videos, in: Proceedings of the IEEE International Conference on Multimedia and Expo (ICME’04), Taipei, Taiwan, 2004, pp. 2195–2198. [9] K. Martin, R. Lukac, K.N. Plataniotis, Pattern Recognition 38 (7) (2005) 1111. [10] K. Martin, S. Member, K.N. Plataniotis, IEEE Transactions on Circuits and Systems for Video Technology 18 (8) (2008) 1152. [11] N. Taneja, B. Raman, I. Gupta, Partial encryption on SPIHT compressed images, in: Proceedings of the International Conference on Pattern Recognition and Machine Intelligence (PReMI’09), Delhi, India, 2009, pp. 426–431. [12] Y. Sadourny, V. Conan, IEEE Transactions on Consumer Electronics 49 (4) (2003) 846. [13] J. Zhou, Z. Liang, Y. Chen, O.C. Au, IEEE Signal Processing Letters 14 (3) (2007) 201. [14] G. Jakimoski, K.P. Subbalakshmi, IEEE Transactions on Multimedia 10 (3) (2008) 330. [15] H. Hermassi, R. Rhouma, S. Belghith, Communications in Nonlinear Science and Numerical Simulation 15 (10) (2010) 2987. [16] R. Bose, S. Pathak, IEEE Transactions on Circuits and Systems I: Regular Papers 53 (4) (2006) 848. [17] M. Grangetto, E. Magli, G. Olmo, IEEE Transactions on Multimedia 8 (5) (2006) 905. [18] J. Wen, H. Kim, J.D. Villasenor, IEEE Signal Processing Letters 13 (2) (2006) 69. [19] H. Kim, J. Wen, J.D. Villasenor, IEEE Transactions on Signal Processing 55 (5) (2007) 2263. [20] K.-W. Wong, Q. Lin, J. Chen, IEEE Transactions on Circuits and Systems Part II: Express Briefs 57 (2) (2010) 146.

4900

T. Xiang et al. / Optics Communications 285 (2012) 4891–4900

[21] H. Li, J. Zhang, Communications in Nonlinear Science and Numerical Simulation 14 (12) (2009) 4304. [22] R.S. Katti, S.K. Srinivasan, A. Vosoughi, IEEE Transactions on Information Forensics and Security 6 (1) (2011) 19. [23] H.K.-C. Chang, J.-L. Liu, Signal Processing: Image Communication 10 (4) (1997) 279. [24] D.X. Song, D. Wagner, A. Perrig, Practical techniques for searches on encrypted data, in: Proceedings of the IEEE Symposium on Security and Privacy (S&P’00), Oakland, California, USA, 2000, pp. 44–55. [25] D. Boneh, G.D. Crescenzo, R. Ostrovsky, G. Persiano, Public key encryption with keyword search, in: Proceedings of the Advances in Cryptology— EUROCRYPT, Interlaken, Switzerland, 2004, pp. 506–522. [26] J. Li, Q. Wang, C. Wang, N. Cao, K. Ren, W. Lou, Fuzzy keyword search over encrypted data in cloud computing, in: Proceedings of the IEEE International Conference on Computer Communications (INFOCOM’10), San Diego, CA, USA, 2010, pp. 1–5. [27] N. Cao, C. Wang, M. Li, K. Ren, W. Lou, Privacy-preserving multi-keyword ranked search over encrypted cloud data, in: Proceedings of the IEEE International Conference on Computer Communications (INFOCOM’11), Shanghai, China, 2011, pp. 829–837. [28] L.A. Grieco, G. Boggia, S. Sicari, P. Colombo, Secure wireless multimedia sensor networks: a survey, in: Proceedings of the International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies (UBICOMM’09), Sliema, Malta, 2009, pp. 194–201. [29] L. Atzori, A. Iera, G. Morabito, Computer Networks 54 (15) (2010) 2787.

[30] X. Li, Pattern Recognition Letters 24 (14) (2003) 2431. [31] W. Lu, A.S.A.L. Varna, M. Wu, Enabling search over encrypted multimedia databases, in: Proceedings of the SPIE Media Forensics and Security, San Jose, USA, 2009, p. 725418. [32] W. Lu, A.L. Varna, A. Swaminathan, M. Wu, Secure image retrieval through feature protection, in: Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP’09), Taibei, Taiwan, 2009, pp. 1533–1536. [33] J. Zhang, Y. Xiang, W. Zhou, L. Ye, Y. Mu, The Computer Journal 54 (10) (2011) 1661. [34] A. Said, W.A. Pearlman, IEEE Transactions on Circuits and Systems for Video Technology 6 (3) (1996) 243. [35] J.M. Shapiro, IEEE Transactions on Signal Processing 41 (12) (1993) 3445. [36] L.W. Chew, L.-M. Ang, K.P. Seng, Survey of image compression algorithms in wireless sensor networks, in: Proceedings of the International Symposium on Information Technology (ITSim’08), Kuala Lumpur, Malaysia, 2008, pp. 1–9. [37] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed., John Wiley & Sons, New York, 1996. [38] The USC-SIPI image database. URL: /http://sipi.usc.edu/database/S. [39] Spiht image compression. URL: /http://www.cipr.rpi.edu/research/SPIHT/S. [40] Y. Mao, M. Wu, Security evaluation for communication-friendly encryption of multimedia, in: Proceedings of the IEEE International Conference on Image Processing (ICIP’04), Singapore, 2004, pp. 569–572. [41] R.C. Gonzalez, R.E. Woods, Digital Image Processing, 2nd ed., Prentice Hall, Upper Saddle River, NJ, 2002.