Joint SPIHT compression and selective encryption

Joint SPIHT compression and selective encryption

Applied Soft Computing 21 (2014) 159–170 Contents lists available at ScienceDirect Applied Soft Computing journal homepage: www.elsevier.com/locate/...
Download PDF
3MB Sizes 0 Downloads 34 Views
Report

Applied Soft Computing 21 (2014) 159–170

Contents lists available at ScienceDirect

Applied Soft Computing journal homepage: www.elsevier.com/locate/asoc

Joint SPIHT compression and selective encryption Tao Xiang ∗ , Jinyu Qu, Di Xiao College of Computer Science, Chongqing University, Chongqing 400044, China

a r t i c l e

i n f o

Article history: Received 20 February 2013 Received in revised form 28 October 2013 Accepted 13 March 2014 Available online 29 March 2014 Keywords: Selective encryption Joint compression and encryption Set partitioning in hierarchical trees

a b s t r a c t JCSE-SPIHT, an algorithm of joint compression and selective encryption based on set partitioning in hierarchical trees (SPIHT), is proposed to achieve image encryption and compression simultaneously. It can protect SPIHT compressed images by only fast scrambling a tiny portion of crucial data during the coding process while keeping all the virtues of SPIHT intact. Intensive experiments are conducted to validate and evaluate the proposed algorithm; the results show that the efficiency and the compression performance of JCSE-SPIHT are very close to original SPIHT. In security analysis, JCSE-SPIHT is proved to be immune to various attacks not only from traditional cryptanalysis, but also by utilizing sophisticated image processing techniques. © 2014 Elsevier B.V. All rights reserved.

1. Introduction While powerful hardware facilitates the capturing and processing of high-resolution images, the increasing volume of massive images is a great challenge for their storage and transmission, especially in some resource-constrained environments such as wireless sensor networks (WSN) and smartphone platforms. Compression plays a vital role for images in saving memory space and transmission bandwidth; it undoubtedly becomes an indispensable part in various image standards such as GIF, JPEG, and JPEG2000. Another issue is the security problem in image storage and distribution, and encryption is a prevalent and effective way to solve this problem. However, it is impractical to adopt traditional encryption schemes here due to: (1) the characteristics of image data, such as high correlation and redundancy, (2) the requirement of transmission rate in delay-sensitive communications, and (3) the requirement of energy consumption in resource-constrained environments. There have been various explorations of cryptosystems tailored for image encryption by considering the characteristics of image data and the techniques of image processing. Among those schemes, two ideas are promising and have been attracting plenty of attention in recent research. One idea is joint compression and encryption [1–11], which can perform encryption and compression in a single step by embedding encryption operation into compression process. Traditionally, encryption and compression are considered as two independent procedures; when they are concerned together, encryption usually comes after compression since

∗ Corresponding author. Tel.: +86 23 6510 3199. E-mail address: [email protected] (T. Xiang). http://dx.doi.org/10.1016/j.asoc.2014.03.009 1568-4946/© 2014 Elsevier B.V. All rights reserved.

the encrypted data is incompressible in theory. But when encryption is seamlessly embedded into compression, the two procedures are simplified as one. The other is selective encryption (or called as partial encryption) [12–17]. As its name indicated, selective encryption only selectively encrypts a portion of image data, i.e. the important data that is curial for image visualization. Compared with traditional encryption schemes taking the whole image data into consideration, selective encryption can improve encryption efficiency greatly as the volume of data to be encrypted is significantly reduced. Set partitioning in hierarchical trees (SPIHT) was proposed by Said and Pearlman [18] based on the work in [19]. It outperforms the other existing compression algorithms in excellent compression performance and extremely low computational complexity, and can be utilized in various application scenarios and network environments such as WSN [20]. For this reason, selective image encryption based on SPIHT has attracted increasing attentions, and lots of related work can be found in the existing literature. The selective encryption schemes based on SPIHT can be classified into categories: confidential encryption and degradative encryption. In confidential encryption, the important information for visualization is selectively encrypted to keep the whole image confidential. In [13], a selective encryption scheme is proposed to only encrypt significance information in the two highest pyramid levels. In [21] the authors proposed to confuse the positions of four coefficients having the same father node, and encrypt the sign information of coefficients by chaotic map. Later in [22], this ideal is extended to work in 3D-SPIHT algorithm. Only the significance bits of individual wavelet coefficients are encrypted for several iterations of Color-SPIHT algorithm in [23]. A secure shape and texture SPIHT (SecST-SPIHT) scheme is presented in

160

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

[24] for secure coding of arbitrarily shaped visual objects, where the bits that represent object shape information and significance information of individual coefficients are selectively encrypted. In [25], the output of SPIHT is classified into structure bits and data bits, and only those structure bits are encrypted by chaotic map. To further reduce encryption overhead, the scheme in [26] only encrypts the significant bits representing the vertical descendants of coefficients in the list of insignificant sets. In [27], the output bits of SPIHT are encrypted by randomized arithmetic coding algorithm and nonlinear dynamic filters based on different application scenario. The scheme in [28] consists of two steps: DWT coefficient in the same band is first confused by a chaotic map, then the output of SPIHT is masked by another chaotic map except the two most significant bits and the sign bit. The authors in [29] employ piecewise linear chaotic map to encrypt significance information in the list of insignificant pixels for Color-SPIHT algorithm. In degradative encryption, a low-resolution version of original image is obtained after encryption for preview or access control. In [30], it is proposed to only encrypt partial sign coefficients of SPIHT output to degrade the original image and keep the skeleton discernible. The scheme in [27] also supports conditional access. There are some problems about the existing solutions. First, most existing selective encryption schemes based on SPIHT are not closely coupled with the SPIHT coding procedures as they target on the input and/or output of SPIHT. That is to say, they selectively encrypt some input and/or output coefficients of SPIHT, and have no impact on the unencrypted part of code stream. As a result, the compression procedures are unaware and independent of the encryption, and they can be separated into two independent parts. Second, the security of some existing schemes is not well analyzed and guaranteed. For example, many of them are vulnerable to chosen-plaintext attack; also, the attacks by utilizing image processing techniques are not considered. Last, some schemes utilize chaotic maps to perform the encryption, and the processing speed may be a bottleneck when dealing with massive data in real-time applications since plenty of floating-point operations are involved. In this paper, by taking both into consideration the ideas of selective encryption and joint compression and encryption, we propose a joint compression and selective encryption scheme for secure SPIHT coding. We seamlessly embed the encryption operation into SPIHT coding procedures by selectively confusing the elements of several important lists in the beginning coding passes of SPIHT. Furthermore, the confusion effect after encryption can be fully propagated to the subsequent coding procedures and the

entire code stream, so the encrypted images are well protected by selectively encrypting a tiny portion of data. Finally, the coding efficiency and compression performance of SPIHT algorithm are almost intact. The contribution of this paper can be summarized as follows: • We propose JCSE-SPIHT, a joint SPIHT compression and selective encryption algorithm. Different from previous schemes that work on input and/or output coefficients of SPIHT, the encryption process of JCSE-SPIHT is embedded into SPIHT coding process. • We propose a method of generating plaintext-dependent keystream in JCSE-SPIHT and make it immune to chosenplaintext attacks. • We propose a fast random insertion algorithm to accelerate the encryption from taking O(n2 ) time to O(n) without any security compromise, which makes the proposed scheme highly efficient. • We analyze the security and performance of JCSE-SPIHT by extensive experiments, especially, we utilize some well-established image processing techniques to analyze the security of JCSESPIHT. The rest of the paper is organized as follows. Section 2 gives a brief review of SPIHT compression algorithm. The joint compression and selective encryption scheme based on SPIHT is described in Section 3. Section 4 presents the experimental results on the proposed encryption scheme. Security analysis is discussed in Section 5. Finally, Section 6 concludes the paper. 2. Review of SPIHT compression SPIHT is an improved algorithm based on the embedded zerotree wavelet (EZW) algorithm [19], and its performance is comparable to or surpass the original EZW both in theory and practice. The encoding procedures are computationally efficient and can be stopped at any compression ratio by the feature of progressive coding. In a low ratio, the algorithm is still able to gain a clear recognizable image when an appropriate wavelet is selected. SPIHT is operated on the coefficients of discrete wavelet transform (DWT) that are organized in tree structure. Specially, an image is first transformed using a multiple-level DWT as shown in Fig. 1(a). DWT divides the image into four sub-bands: LL, HL, LH, and HH. LL sub-band is the approximation of the original image and will be decomposed recursively in multiple-level decomposition, LH sub-band preserves the horizontal edge details, HL sub-band

Fig. 1. The SOT structure of SPIHT. (a) DWT and (b) SOT.

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

161

Fig. 2. The flowchart of SPIHT algorithm.

preserves the vertical edge details, and HH sub-band represents the diagonal details. Then the resulting coefficients are grouped into spatial orientation trees (SOT) as shown in Fig. 1(b) and coded using successive approximation quantization. The following partitioning sets of coordinates are defined based on the structure of SOT: (1) O(i, j): set of coordinates of all offspring of the coefficient at (i, j); (2) D(i, j): set of coordinates of all descendants of the coefficient at (i, j); (3) H: set of coordinates of all coefficients in the root level; and (4) L(i, j) = D(i, j) − O(i, j). A significance test is defined to estimate the significance of the coefficients corresponding to the coordinates in these partitioning sets. For a partitioning subset T, the significance test is formalized as

 Sn (T) =

1,

max {|ci,j |≥2n },

(i,j)∈T

0,

(1)

otherwise

where ci,j denotes the coefficient at (i, j). That means given a threshold 2n , a set of coefficients T is significant if there is a coefficient in T whose magnitude is at least 2n . The coordinates in these partitioning sets are then classified into three lists by the significance test as below: (1) list of insignificant sets (LIS): it contains two types of entries representing the sets D(i, j) and L(i, j), and to differentiate between them, we say that an LIS entry is of type A if it represents D(i, j), and of type B if it represents L(i, j); (2) list of insignificant pixels (LIP): a list of insignificant coefficients that do not belong to any of the sets in LIS; and (3) list of significant pixels (LSP): a list of coefficients that have been identified as significant. These lists are dynamically maintained during the running of the algorithm. The coding process of SPIHT algorithm can be summarized as: given a magnitude threshold, scan the DWT coefficients in SOT with significance test and transmit the test results and the remaining most significant bits of significant coefficients; then decrease the threshold and repeat the process. The flowchart of SPIHT algorithm is shown in Fig. 2. The algorithm consists of four phases: initialization, sorting pass, refinement pass, and quantization-step update. The initialization sets LSP as an empty list, adds all the coordinates in H to LIP, and only those with descendants to LIS as type A entries. In the sorting pass, each coordinate in LIP and LIS is fed to significance test and the result is output to code stream. If the result is true, it will be moved to LSP; otherwise it will be moved to the end of LIP or LIS. The refinement pass outputs the significant bits of coefficients in LSP except the newly added ones in the sorting pass. The magnitude of significance test is decreased in the last phase, and the last three phases are iterated until the termination condition is satisfied.

3. Joint compression and selective encryption based on SPIHT (JCSE-SPIHT) In this section, we propose an algorithm of joint compression and selective encryption based on SPIHT (JCSE-SPIHT) while keeping all the virtues of SPIHT intact. The basic idea is to embed encryption into the coding procedures by selectively encrypting a small portion of vital information in the beginning coding iterations. The impact of selective encryption can propagate rapidly to the subsequent coding iterations and then protect the entire code stream. We first discuss the feasibility of scrambling the scanning order of three lists maintained by SPIHT coding algorithm, and then present the JCSE-SPIHT algorithm. We also introduce a fast random insertion algorithm with suitable data structure to accelerate the encryption. The block diagram of the proposed algorithm is described in Fig. 3. 3.1. Scanning order scrambling The coordinates of coefficients are used in SPIHT coding algorithm but never transmitted. As the scanning order of SOT and the results of branching test are the same both in encoding and decoding procedures, the decoder can recover the values of coefficients and their coordinates successfully. That is to say, the three lists (i.e. LIP, LIS, and LSP) created and maintained by the encoder and the decoder are identical, and are scanned with the same order. On the contrary, if the scanning orders of the encoder and the decoder are different, the original coefficients cannot be recovered, and then the reconstructed image is confused. In the process of SPIHT encoding, the scanning order is maintained by LIP, LIS, and LSP. SPIHT algorithm first scans all the coefficients in LIP to determine their significance; then proceeds to check the significance of the descendant coefficients in LIS; after scanning all nodes in LIP and LIS, it outputs refinement bits of LSP coefficients. In addition, during the encoding process, these three linked lists are interacted: if a node in LIP is significant, the node will be inserted to the end of LSP (as shown in Fig. 4(a)); if a node of

Fig. 3. Block diagram of JCSE-SPIHT.

162

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

Fig. 4. Insertion processes of the nodes in LIP and LIS. (a) LIP and (b) LIS.

type A in LIS is significant, the offspring of the node will be inserted to the end of LSP or LIP; and if a node of type B in LIS is significant, the offspring of the node will be inserted to the end of LIS (as shown in Fig. 4(b)). From Fig. 4 it is known that the significant nodes in LIP and LIS will always be inserted to the end of a determined list, and this guarantees the possibility for the decoder to duplicate the encoder’s execution path and reconstruct the image exactly. If significant node in LIP or LIS is inserted into a random position instead of the end of the list, the scanning order of encoder will be scrambled and the decoder cannot duplicate this order unless it knows the random position. This process is called as random insertion. To demonstrate the different impacts of random insertion on the three linked lists, a 512 × 512 gray-level Lena is used as the test image (Fig. 5(a)). SPIHT algorithm runs at 1.0 bpp, and random insertions are performed on LIP, LIS and LSP respectively and jointly. Rabbit algorithm [31], which is a synchronous stream cipher and faster than commonly used ciphers, is adopted as the pseudo random number generator (PRNG) to generate a random number within the current length of the list. The results are shown in Fig. 5. Fig. 5(b)–(d) shows the results of random insertion on a single list. It’s clear that the decoded image is not confused very well; some blurry outlines and skeletons can be found, especially for the random insertion on LIP. Fig. 5(e)–(g) shows the results of random insertion on two lists, and the decoded images are unrecognizable. But the result of random insertion on LIS and LSP is not very good, because in the beginning of SPIHT coding, LIP contains the most significant coefficients but it is not scrambled. Fig. 5(h) shows the result of random insertion on three lists, which also has good confusion effect but is time-consuming since the volume of encrypted data is too large. Based on the above analysis, it is feasible to protect SPIHT compressed images by scrambling the scanning order during SPIHT coding. In this paper, we propose to selectively encrypt the order of LIS and LIP by random insertion, and the reasons of doing so are multifold. First, LIS and LIP control the structure of SOT, and altering the orders of LIS and LIP has significant impact on the subsequent updating of LIP, LIS and LSP, so the final visualization of the image will be totally destroyed if the orders of LIS and LIP are scrambled.

Fig. 5. Results of random insertion on LIP, LIS and LSP respectively and jointly. (a) Lena; (b) LIP; (c) LIS; (d) LSP; (e) LIP and LSP; (f) LIS and LIP; (g) LIS and LSP; and (h) LIS, LIP and LSP.

Second, we only encrypt the orders of LIS and LIP in the beginning iterations which are curial to the structure of SOT, to gain a good balance between security and computational overhead. Furthermore, we also conduct the similar experiments on all the gray-level images in USC-SIPI image database [32], and the results verify the feasibility of our idea.

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

s

163

Status vector(v) 0 1 0 1

IV Key

One-bit logical left shift

PRNG

c

1 0

1 0 1 0

0

1 0 1 0

0 0/1

+

SIG(0/1)

Fig. 7. Generating plaintext-dependent keystream by PRNG.

newly generated node is not actually inserted before the p-th node of linked list, but before the node whose address is the p-th element in DAA. However, this inconsistency does not degrade the randomness of the insertion, and actually it achieves the same randomness as the case when the order of addresses in DAA is synchronized with those in linked list. This conclusion holds as long as the output distribution of PRNG is uniform, which is satisfied for a cryptographically secure PRNG. Under this circumstance, the randomness of the selected address in DAA is the same regardless of the order of its permutation. 3.3. The proposed algorithm Fig. 6. DAA structure and FRI process. (a) DAA and (b) an example of FRI.

3.2. Fast random insertion based on node address list A fast random insertion (FRI) is proposed here to accelerate the encryption, because the access to a linked list is sequential and finding a given random position is time-consuming. Specifically, in the process of random insertion, after a pseudo-random number p is generated as a position in the linked list, the pointer needs to scan the linked list from the head node till pth node, then inserts the new node before the pth node. Therefore, addressing a node in a linked list takes the time of O(n); if the encoding process generates n nodes to be inserted, the random insertion operation will totally take the time of O(n2 ). It is so slow that it takes about one minute to encrypt a 512 × 512 Lena at 1.0 bpp. To conquer this drawback, we introduce a simple scheme to accelerate the speed of random insertion, which is quite fast and can obtain equal confusion effect. The basic idea of FRI is converting sequential addressing on a linked list to random addressing on a dynamic address array (DAA). DAA consists of a segment of successive memory and saves the addresses of all nodes for a linked list, as shown in Fig. 6(a), so we can access to any node of the linked list immediately rather than scan from the link header. FRI process can be described as follows. After generating a node N, add the corresponding address to DAA L in sequence; upon obtaining a random position p, it is easy to get the address L[p] which points to a node in the linked list; then insert N before the node whose address is L[p]. Fig. 6(b) gives an example of FRI where p = 2, and it is clear that the new node N is inserted into the front of Node3 quickly by using L[p]. By random addressing on DAA, it is clear that FRI takes O(1) time to insert a node to a random position. Given the same assumption, i.e. there are n nodes in total to be randomly inserted, FRI only takes linear time O(n) in total, which is a substantial acceleration compared to O(n2 ). For example, with FRI it only takes hundreds of milliseconds to encrypt a 512 × 512 Lena at 1.0 bpp (more experimental results can be found in Section 4.2). Since the address of newly generated node is always added to the end of DAA whatever the random position is, the order of addresses in DAA may be different from those in linked list as shown in Fig. 6. That is to say, given a random position p, the

We propose JCSE-SPIHT, a joint SPIHT compression and selective encryption algorithm based on the preceding statements in this subsection. The basic idea of JCSE-SPIHT is performing FRI on LIP and LIS in the selected number of SPIHT coding iterations. Due to the characteristics of SOT, the number of nodes, which are near to the root and generated in the beginning iterations, is small; but they are critical for the reconstruction of the SOT since they represent the most significant information of an image. Therefore, we selectively scrambling the nodes in LIP and LIS by FRI in the first r rounds of iterations, where the parameter r controls the selective encryption strength. By proper selection of r, we can get a good tradeoff between security requirement and computational overhead. Essentially, JCSE-SPIHT is a permutation-only cipher, and one obvious deficiency of many existing permutation-only ciphers is that they are not secure against chosen-plaintext attack [33,34]. The problem is caused by that the keystream for permutation is independent of plaintext, so the attacker can recover the permutation rule if the key is reused. In this paper, we solve this problem by generating plaintext-dependent keystream by PRNG without extra payload on cipher image. The basic idea is making the generated random number dependent on significant coefficients, and the schema is described in Fig. 7. If a node is to be inserted into LIP or LIS, we feed back the significant coefficient of that node to a status vector v by one-bit logical left shift of v (v  1) and concatenation it with the significant bit (the initial value of v is randomized); then v and the last output of PRNG c are exclusive-ORed to feed into the PRNG to generate a random value. Since the significant bits are generated by wavelet coefficients, the keystream is dependent on plain image. The procedures of proposed algorithm are described in Algorithm 3.1. Although JCSE-SPIHT is closed coupled with SPIHT coding algorithm, it only alters the process of inserting nodes into LIP and LIS. That is to say, the most part of SPIHT coding is intact and we can ignore their detail here to concentrate on the understanding of our proposed algorithm. The encryption procedures are explained as follows. Algorithm 3.1.

JCSE-SPIHT

1: Parameter initialization: initialize the parameters of SPIHT, PRNG, and status vector (v); let i = 1 (first round in SPIHT).

164

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

2: SPIHT coding: run SPIHT coding algorithm until a newly generated node N is to be inserted into LIP or LIS. 3: Random position generation: get the significant bit b of N, v = (v  1)|b, s = c ⊕ v; take s as in input of PRNG to generate a random number c; then obtain a random position p = c mod l where l is the length of current list to be inserted. 4: FRI: Insert N to position p by using FRI. 5: Repeat 2–4 until current round of SPIHT coding ends; 6: if i < r then 7: i = i + 1 (next round in SPIHT), and goto step 2; 8: end if In the initialization, a secret key must be first determined to run the algorithm. A threshold value r is selected to decide how many round of encryption should be performed, i.e. to control the encryption strength. In other words, great value of r means more data will be encrypted; but small value of it will save computational overhead. In practical deployment, a proper value of r should be selected to get a good tradeoff between security and efficiency. The parameters of PRNG and SPIHT should also be initialized accordingly. After the initialization, SPIHT coding procedures are executed until a newly generated node N is to be inserted into LIP or LIS. At this point, the significant bit b of N is gotten and fed back it to the input of PRNG by following equations:

v = (v  1)|b

(2)

s=c⊕v

(3)

where v is the status vector, b is the significant bit of N, c is the output of PRNG, and  is the logical left shift operation. s is then used to fed back to PRNG and generate a random position p by the following rule: p = cmodl

(4)

where l is the length of current list to be inserted. After the generation of random position p, the node N is inserted into position p of LIP or LIS by using FRI instead of the end of the list. As it is stated in Section 3.2, N is actually inserted before the node whose address is the pth element in DAA. The algorithm maintains two DAAs for LIP and LIS. The process of SPIHT coding is iterative. In one iteration, all the elements of LIS are scanned in the sorting pass [18]; so steps 2–4 in Algorithm 3.1 will be repeated for several times in one iteration of SPIHT coding. Because the encryption is only performed in the beginning r rounds of SPIHT coding iteration, a iteration counter i is utilized to check whether the exit condition is satisfied. After the explanation of JCSE-SPIHT, it is easy to understand that our proposed algorithm is closely coupled with SPIHT coding process, which is different from most existing schemes only encrypting the input and/or output of SPIHT. As LIP and LIS are scrambled in the beginning of SPIHT coding iterations and they will be further used in the subsequent coding iterations, the superiorities of JCSE-SPIHT are obvious. First, we only need to encrypt a small portion of data and the encryption effect will be diffused quickly to all the subsequent coding procedures, which makes the final output of code stream totally scrambled. Second, the efficiency of JCSE-SPIHT is quite satisfactory since only LIP and LIS in the first r rounds are encrypted; what is more, by utilizing PRI, the efficiency of JCSESPIHT is further optimized.

are used in our experiments. Rabbit algorithm [31] is utilized in our algorithm as the PRNG. 4.1. Encryption strength In JCSE-SPIHT, we use a parameter r to balance the security strength and computational overhead. To demonstrate the impact on encryption strength by different values of r and give a recommendation on the selection of proper value of r, we take a 512 × 512 gray-level Lena as the input, and encrypt the scanning order of LIS and LIP from the first round to the last round respectively, i.e. r = 1 −11. The results are shown in Fig. 8. From Fig. 8(a)–(b), we can find that the encryption is not effective when r = 1–2 as some fragments of plain image are still there. When r ≥ 3, there are only some irregularly distributed dark and bright speckles and stripes in Fig. 8(c)–(k), and we cannot get any intelligible information about the plain image, especially when r ≥ 6. In order to quantitatively measure the encryption strength, we utilize several metrics to measure the distinction between encrypted image and plain image. 4.1.1. Peak signal-to-noise ratio (PSNR) Peak signal-to-noise ratio (PSNR) is designed to measure the difference in pixel value between two images, and it is widely used to estimate the quality of compressed or reconstructed image. Also, it is appropriate for measuring the difference between plain image and encrypted image. The definition of PSNR is as below:



PSNR = 10 × log

(5)

h

(6)

i=0 j=0

where the image size is w × h, I(i, j) and J(i, j) denote the pixel values at (i, j) in images I and J. In our experiments, I and J are plain and encrypted images respectively. The smaller value PSNR takes, the greater difference it has between I and J. 4.1.2. Mean structural similarity (MSSIM) Structural similarity (SSIM) index [36] is a novel method for measuring the similarity between two images aiming at improving the traditional metrics such as PSNR by considering human visual system (HVS). SSIM checks the luminance and edge information of two images. Specifically, it computes the quality of a distorted image by comparing the correlations in luminance, contrast, and structure locally (usually in an 8 × 8 window) between the reference and distorted images, and averages these values over the entire image. SSIM index is defined as below: SSIM(x, y) =

(2x y + c1 )(2xy + c2 ) (2x + 2y + c1 )(x2 + y2 + c2 )

(7)

where x and y are the windows of two images of size m × m; x and y stand for the average of x and y; x2 and y2 denote the variance of x and y respectively;  xy is the covariance of x and y; c1 = (k1 L)2 , c2 = (k2 L)2 , where k1 = 0.01, k2 = 0.03, and L is the gray level of pixel value. In our experiments, we use the mean SSIM (MSSIM) index [36] to evaluate the overall image quality:

4. Experimental results We implement the proposed JCSE-SPIHT algorithm based on the SPIHT source code provided by [35]. The bit rate of compression is set to 1.0bpp for a tradeoff between image quality and compression performance. Gray-level images in USC-SIPI image database [32]



1  2 (I(i, j) − J(i, j)) wh w

MSE =

2552 MSE

1 SSIM(xi , yi ) n n

MSSIM(X, Y ) =

(8)

i=1

where X and Y are original image and encrypted image respectively; xi and yi are the image contents at the ith local window; n is the

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

165

Table 1 Experimental results on Lena under different encryption strength. Round

PSNR

MSSIM

LSS

ESS

Proportion

r=1 r=2 r=3 r=4 r=5 r=6 r=7 r=8 r=9 r = 10 r = 11 AES

11.840 11.840 11.286 11.167 11.157 11.035 10.762 10.907 10.982 10.513 10.550 9.110

0.109 0.109 0.103 0.102 0.097 0.092 0.081 0.075 0.073 0.057 0.061 0.035

−16.259 −16.259 −17.597 −17.393 −17.285 −17.110 −17.629 −16.966 −16.952 −18.563 −18.082 −13.633

0.198 0.198 0.200 0.183 0.197 0.210 0.223 0.204 0.225 0.217 0.230 0.061

0.348% 0.348% 0.367% 0.546% 0.944% 2.026% 4.234% 8.669% 17.661% 34.169% 65.431% 100%

number of local windows. Similar to PSNR, small value of MSSIM indicates great difference between X and Y. 4.1.3. Luminance similarity score (LSS) Luminance similarity score (LSS) [37] is introduced to calculate the luminance similarity between two images: 1 f (x1i , x2i ) n n

LSS =

i=1

f (x1i , x2i ) =

(9)

⎧ ⎪ ⎨ 1,

if |x1i − x2i | <

⎪ ⎩ −round |x1i − x2i | , otherwise

ˇ 2

(10)

ˇ

where x1i and x2i are the average luminance values of the ith 8 × 8 block from two images, and ˇ = 3 in our experiments. A negative LSS value indicates substantial dissimilarity in luminance between two images. 4.1.4. Edge similarity score (ESS) Edge similarity score (ESS) [37] measures the similarity of edge directions between two images. The dominant edge direction in each 8 × 8 block is extracted by Sobel operator and quantized into one of the eight representative directions. The eight representative directions are equally spaced by 22.5 degrees in a polar coordinate system. Indices 1 to 8 are employed to represent these eight directions, and index 0 represents a non-edge block. Let e1i and e2i be the edge direction indices for the ith block in two images respectively, ESS can be described as below:

n w(e1i , e2i ) ESS = i=1 n i=1



w(e1i , e2i ) =

 c(e1i , e2i ) =

Fig. 8. Encryption results with different values of r. (a)–(k) r = 1–11, respectively.

(11)

c(e1i , e2i ) 0,

if e1i = 0 or e2i = 0

| cos((e1i ) − (e2i ))|,

otherwise

0,

if e1i = e2i = 0

(12)

(13)

1, otherwise

where (e) is the representative edge angle for an index e. The score ranges from 0 to 1, where 0 indicates that the edge information of two images is highly distinct and 1 indicates a match between the edges in two images. By employing the above metrics, we conduct experiments on Lena with different encryption strength, and the results are tabulated in Table 1. For comparison with the traditional image encryption, we use AES to encrypt the whole image data of Lena, and the results are shown in the last row of Table 1. From the experimental results we can find that, generally speaking, better

166

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

encryption strength is gained when r takes greater value. However, as indicated in the last column of Table 1, more proportion of data are needed to be encrypted as r increases, which increases the computational overhead heavily. But even so, the superiority of selective encryption is obvious since only a small proportion of data are encrypted while the encryption strength is comparable to the traditional encryption. Actually, we can select a proper value of r to achieve a good tradeoff between encryption strength and computational overhead. From Fig. 8 and Table 1 we find that plain image is well protected when r ≥ 6; to save encryption time, r = 6 is a good configuration for the tradeoff between security and efficiency. In order to validate our conclusion, we also conduct the same experiments by setting r = 6 on all the gray-level images in USC-SIPI image database, similar results are found and provided in Table 2. Therefore, we claim that r = 6 is a proper configuration since the plain images can be well protected while only 1–4% data are needed to be encrypted. 4.2. Computational overhead Computational overhead is determined by the complexity of an algorithm and the size of data to be processed. In our scheme, the cryptographic primitive is selected from the existing wellestablished cryptographic algorithms and their complexities are predetermined. FRI only has a slight impact on SPIHT coding because it is embedded into the coding process and DAA is utilized to accelerate the addressing. The size of data to be processed is controlled by the parameter r since the proposed algorithm is a selective encryption scheme. From Tables 1 and 2 we find there are only about 1%-4% data to be encrypted. Table 2 also shows the encryption time of JCSE-SPIHT and the SPIHT encoding time on gray-level images in USC-SIPI image database. All these experiments are run on a PC with Intel 3.10GHz CPU and 1GB RAM. The results in Table 2 demonstrate a good encryption efficiency because the time of joint encryption and compression of JCSE-SPIHT is very close to that of original SPIHT coding; sometimes the former is even smaller than the latter as FRI changes the structure of SOT.

long as the bit rate is not extremely low (in that case, the quality of reconstructed image is poor even for standard SPIHT), JCSE-SPIHT can scan the scrambled list in some iteration from head to end in the subsequent coding iteration and output all the necessary information. That is to say, given the same compression ratio or bit rate, the quality of reconstructed images by JCSE-SPIHT and SPIHT may only have slight difference. Therefore, JCSE-SPIHT does not degrade the compression performance of SPIHT significantly. Actually, for most images, the differences of compression performance between JCSE-SPIHT and SPIHT are negligible and cannot be discriminated in visual perception. 4.4. Format compliance For the reason that traditional image encryption algorithms take image files as transparent binary input, they may destroy the syntax of image files and make the decoder crash when it is not aware of the encryption or does not have the correct key. To make the encryption friendly and increase the robustness of image codec, format compliance is preferred. In JCSE-SPIHT, we only scramble the order of lists, i.e. change the positions of nodes in lists; so the result of significant test is kept intact, as well as the subsequent sign output when the node is asserted as significant. Both the plain decoder and the decoder without correct key can follow the execution path of decoding procedures smoothly without any exceptions, except for may getting a totally unintelligible decoded image. 5. Security analysis Selective encryption differs from traditional data encryption. It considers the characteristics of image data and image processing, and provides a shortcut to reduce computational overhead of encryption. Consequently, several important security requirements must be considered: the security of cryptographic primitive and the security of the selective scheme. Because we use Rabbit algorithm as cryptographic primitive that is proven to be secure [31] (other well-established cryptographic primitive can also be used instead), we focus on the security analysis of the selective scheme.

4.3. Compression performance 5.1. Confusion and diffusion Embedding encryption into compression should not impair the compression performance significantly; otherwise it will make the joint compression and encryption meaningless. Since JCSE-SPIHT scrambles the scanning order of SOT and changes the execution path of SPIHT coding, we need to evaluate its compression performance. We take all the gray-level images in USC-SIPI image database into consideration, and encode each of them using JCSE-SPIHT and SPIHT both at 1.0bpp, then we measure the quality of encoded images by PSNR and MSSIM. The results are tabulated in Table 2. We can find that there are only about 4 dB reduction on PSNR and 0.03 in MSSIM on average. For some images containing artificial patterns (e.g. testpat.lk), the difference in PSNR is apparent; however, this does not degrade their visual quality as the difference in MSSIM indicated. We now give the explanation on how the experimental results happen and why they are valid. As we can see clearly from Algorithm 3.1, JCSE-SPIHT scrambles the order of nodes in LIP and LIS in the first r iterations, and consequently it changes the scanning order of SOT and the execution path of SPIHT coding. Some important nodes with greater values may be put behind some other nodes with smaller values because a node can be randomly inserted into any position of the list. This may have impact on the quality of decompressed images if the code stream of SPIHT is truncated when a preset bit rate is met. However, the impact is not significant since only a small part of data near to the root of SOT is scrambled. As

In cryptography, confusion and diffusion are two basic properties of a cipher. The proposed selective encryption scheme is seamlessly embedded into SPIHT coding process; it scrambles the order of LIP and LIS in the beginning coding iterations. Because the SPIHT coding procedures are progressive, the status of LIP and LIS in an iteration will be used in the subsequent iterations and will have significant impact on the updating of LIS, LIP and LSP, as well as the following output. The confusion effect by scrambling LIP and LIS in the beginning iterations will propagate to the subsequent coding procedures. In this manner, the output of SPIHT coding is confused by just selectively encrypting a small proportion of initial critical data. Furthermore, any tiny change in the data to be encrypted will be diffused to the subsequent coding procedures and make the final output totally different. 5.2. Key sensitivity For a well-designed cryptosystem, the ciphertext should be key-sensitive, and any slight change in the key should result in significant difference in ciphertext. In other words, any tiny error in the key will make the decrypted image chaotic and no information about the original image can be inferred therein. Fig. 9(a) presents the decrypted Lena with the correct key, and Fig. 9(b) shows the decrypted image with an incorrect key that is only one-bit different. It is obvious that tiny difference in the key will make the decrypted

Table 2 Experimental results on USC-SIPI images when r = 6. File

Description

Size

Encryption strength

Encryption time (ms)

Compression performance

PSNR

MSSIM

LSS

ESS

Proportion

SPIHT

JCSE-SPIHT

PSNR

15.094 11.326 13.333 9.521 7.826 11.863 11.767 11.654 10.156 9.671 13.561 16.005 13.944 14.884 13.786 13.445 13.426 16.541 17.310 13.035 15.914 16.857 10.696 11.176 7.442 9.144 9.726 7.878

0.134 0.025 0.234 0.101 0.061 0.034 0.077 0.046 0.032 0.050 0.096 0.133 0.224 0.142 0.113 0.074 0.060 0.107 0.260 0.081 0.128 0.255 0.059 0.094 0.113 0.025 0.121 0.071

−10.347 −12.292 −12.318 −19.505 −19.110 −13.429 −14.633 −13.495 −18.268 −20.916 −11.641 −8.983 −12.599 −10.343 −11.987 −12.209 −11.911 −7.646 −6.997 −13.538 −9.141 −7.364 −16.997 −17.018 −28.625 −18.061 −7.954 −24.197

0.230 0.461 0.116 0.164 0.203 0.343 0.238 0.376 0.347 0.243 0.248 0.254 0.150 0.281 0.296 0.317 0.375 0.293 0.190 0.340 0.273 0.223 0.279 0.208 0.017 0.366 0.406 0.104

1.269% 4.332% 1.413% 2.916% 3.777% 2.930% 2.783% 3.546% 2.796% 2.363% 1.962% 1.292% 0.892% 0.866% 1.170% 1.540% 1.558% 1.311% 0.758% 1.306% 1.147% 0.605% 2.813% 1.681% 2.380% 7.282% 4.279% 1.730%

97 92 105 97 95 95 292 279 273 1426 1104 306 327 289 304 293 273 297 302 290 296 1246 279 302 394 263 245 1109

94 91 96 95 92 98 273 278 273 1464 1090 280 300 270 288 272 286 266 288 267 298 1198 284 286 378 286 252 1067

SPIHT Moon surface Aerial Airplane Clock Resolution chart Chemical plant Couple Aerial Stream and bridge Man Airport Truck Airplane Tank Car and APCs Truck and APCs Truck and APCs Tank APC Tank Car and APCs Airplane (U-2) Fishing boat Girl (Elaine) 21 level step wedge 256 level test pattern Pixel ruler General test pattern

256 256 256 256 256 256 512 512 512 1024 1024 512 512 512 512 512 512 512 512 512 512 1024 512 512 512 512 512 1024

34.083 28.924 44.494 41.487 36.361 32.711 37.492 32.166 29.808 36.729 32.668 36.636 43.092 35.521 37.112 32.586 32.680 33.201 37.707 34.136 36.818 37.451 35.972 35.150 Inf 27.409 23.760 48.499

JCSE-SPIHT

SPIHT

JCSE-SPIHT

33.284 25.718 37.724 31.341 21.885 29.631 30.544 28.249 27.645 33.079 30.635 35.625 38.553 35.065 35.499 31.380 31.575 32.525 37.129 33.507 35.770 37.001 31.453 33.308 46.668 23.599 16.122 26.965

0.832 0.921 0.953 0.952 0.960 0.910 0.923 0.910 0.878 0.900 0.811 0.911 0.929 0.871 0.923 0.894 0.897 0.889 0.872 0.890 0.925 0.828 0.887 0.854 1.000 0.809 0.802 0.994

0.828 0.891 0.938 0.921 0.885 0.893 0.908 0.887 0.858 0.882 0.797 0.905 0.920 0.868 0.915 0.882 0.887 0.883 0.870 0.886 0.920 0.827 0.869 0.842 0.992 0.784 0.680 0.970

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

5.1.09 5.1.10 5.1.11 5.1.12 5.1.13 5.1.14 5.2.08 5.2.09 5.2.10 5.3.01 5.3.02 7.1.01 7.1.02 7.1.03 7.1.04 7.1.05 7.1.06 7.1.07 7.1.08 7.1.09 7.1.10 7.2.01 boat.512 elaine.512 gray21.512 numbers.512 ruler.512 testpat.1k

MSSIM

167

168

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

40

35

PSNR (dB)

30

25

20 Fig. 9. Decrypted Lena with the correct key and with an incorrect key of one-bit error. (a) Decrypted Lena with the correct key and (b) decrypted Lena with an incorrect key of one-bit error.

15

10 0

image totally unrecognizable. To demonstrate the general situation of key sensitivity, we generate 3000 keys at random and only one of them is correct; then we calculate the PSNR and the MSSIM of decrypted image with each key. The results are plotted in Fig. 10. It is clear that only the decrypted image with the correct key has high PSNR and MSSIM (about 36.148 dB and 0.974 respectively), the rest images decrypted by incorrect keys get the values as low as the encrypted image gets.

500

1000

1500 Key

2000

2500

3000

2000

2500

3000

(a) 1 0.9 0.8 0.7

5.3. Chosen-plaintext attack

0.6 MSSIM

Chosen-plaintext attack (CPA) is a cryptanalysis model that presumes the attacker has the capability to choose arbitrary plaintexts and obtain the corresponding ciphertexts. It is a commonly used cryptanalysis method, but unfortunately many existing permutation-only image encryption schemes are vulnerable to this kind of attack. [33,34] even gave a generalized quantitative cryptanalysis on some permutation-only multimedia ciphers. The fundamental problem is that the permutation is not plaintextdependent. This vulnerability has been overcome in JCSE-SPIHT. The generated keystreams for scrambling two images are different even when the same keys are used. To demonstrate this feature, we use the normalized Hamming distance dl , defined as below, to present the similarity of two binary keystreams.

0.5 0.4 0.3 0.2 0.1 0 0

500

1000

1500 Key

(b)

(14)

Fig. 10. PSNR and MSSIM obtained by decrypting with 3000 random keys where only one of them is correct.

where d is the Hamming distance that calculating the number of positions at which the corresponding symbols are different; x and y are keystream vectors; l is the length of a keystream. We use Lena and Elaine as the plain images, encrypt them with the same key, and get dl = 0.499. Also, we do the same experiment on all pairs of images in USC-SIPI image database and similar results are obtained. This shows that our proposed scrambling is plaintext-dependent and the keystream for scrambling each image is different and uncorrelated even with the same key, and consequently it is immune to chosen-plaintext attack.

We take numbers of decrypted images with incorrect keys to average their pixel values, and the results are shown in Table 3. The values of PSNR and MSSIM do rise slightly with the initial increase of image quantity; but eventually they tend to be stabilized, and none of intelligible information about the plain image can be inferred from the averaged images. Actually, we find the image after averaging attack turns into a monotone gray image cumulatively, therefore the increase of PSNR and MSSIM attributes to the uniformly distributed luminance instead of the similarity to plain image.

5.4. Averaging attack

5.5. Blind image restoration

In image processing, multiple sampled images can be averaged for image enhancement if the noises are assumed to be independently distributed and their average is 0 [38]. We can regard encryption operation as a noise addition process, try to use the method of averaging multiple decrypted images with incorrect keys to recover an image, and see if any information about the original plain image could be found.

If encrypted image can be considered as a degraded image of plain image, then it might be recovered by image restoration techniques. Blind image restoration is able to reconstruct the original scene from a degraded one without any prior knowledge [39]. Traditionally, parameter estimation method like maximumlikelihood (ML) algorithm, or nonparametric deterministic image constraints restoration technique like iterative blind deconvolution

dl =

d(x, y) l

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

169

Table 3 PSNR and MSSIM of Lena by averaging different number of images. Number of images

2

4

8

16

32

64

128

256

512

1024

PSNR MSSIM

12.406 0.141

13.449 0.179

13.985 0.229

14.096 0.274

14.271 0.310

14.450 0.338

14.531 0.353

14.562 0.360

14.551 0.364

14.541 0.364

Table 4 PSNR and MSSIM of blind restored Lena. Restoration approach

Encrypted Lena

ML

IBD

P–M

TV

FastMBD

NSMBD

restoreInpaint

PSNR MSSIM

11.035 0.092

10.609 0.090

11.155 0.090

11.139 0.136

11.461 0.154

9.696 0.038

10.291 0.071

10.954 0.109

(IBD) algorithm, can gain a restored image with much better visual quality. Nowadays there are numerous of researches on blind restoration. Especially the research based on partial differential equations (PDE) has led to a new and effective way on image processing [40], and many PDE based schemes are available such as Perona-Malik (P–M) diffusion based schemes [41,42] and total variation (TV) based scheme [43]. Two recent proposed approaches, fast multichannel blind deconvolution (FastMBD) [44] and normalized sparsity measure blind deconvolution (NSMBD) [45], improve some former algorithms and get true sharp images quickly. There is also an open-source software restoreInpaint [46] which contains a large number of restoration techniques. They are all employed here to attempt at restoring the plain image or getting intelligible information about it from the restored image. We take as input the JCSE-SPIHT encrypted Lena (r = 6), and use the seven mentioned approaches of blind restoration to get the restored images. The results are demonstrated in Fig. 11. It is obvious that no intelligible information about the plain image can be inferred from the restored images regardless of the restoration approaches. The PSNR and the MSSIM of encrypted image and restored images are also given in Table 4, where we can see that the quality of restored images are not improved. Therefore, our proposed scheme is immune to this kind of attack.

6. Conclusions

Fig. 11. Blind image restoration results on Lnea with different approaches. (a) ML; (b) IBD; (c) P-M; (d) TV; (e) FastMBD; (f) NSMBD; and (g) restoredImage.

In this paper, we propose JCSE-SPIHT, an algorithm of joint compression and selective encryption based on set partitioning in hierarchical trees (SPIHT), by embedding encryption into SPIHT coding procedures. Since the soul of SPIHT is spatial orientation trees (SOT), and the scanning order of SOT decides the execution path of the codec and reconstructed image, we propose to scramble the list of insignificant sets (LIS) and the list of insignificant pixels (LIP) in the beginning r rounds of SPIHT coding, where r controls the tradeoff between encryption strength and computational overhead; we further introduce a fast random insertion (FRI) to accelerate the encryption from taking O(n2 ) time to O(n) without any security compromise. To make the scrambling resistant to chosen-plain attack, we investigate the method of generating plaintext-dependent keystream by cryptographically secure pseudo random number generator (PRNG). Intensive experiments are conducted to exam the security, efficiency, and compression performance of JCSE-SPIHT, as well as its format compliance. By setting r = 6, we can achieve a good security by only selectively encrypting 1% −4 % data, while the coding efficiency is almost not affected. As for the compression performance, there is only about 4 dB reduction on PSNR or 0.03 in MSSIM on average compared with the original SPIHT algorithm. In security analysis, not only do we study the security of JCSE-SPIHT from traditional cryptanalysis, but also exam its resistance to the attacks with the help of image processing techniques. None of them is

170

T. Xiang et al. / Applied Soft Computing 21 (2014) 159–170

found to be capable of improving the quality of encrypted image significantly. Acknowledgments The work in this paper was supported by the National Natural Science Foundation of China (No. 61103211) and the Program for New Century Excellent Talents in University (No. NCET-12-0589). References [1] H.K.-C. Chang, J.-L. Liu, A linear quadtree compression scheme for image encryption, Signal Process. Image Commun. 10 (4) (1997) 279–290. [2] C.-P. Wu, C.-C.J. Kuo, Design of integrated multimedia compression and encryption systems, IEEE Trans. Multimedia 7 (5) (2005) 828–839. [3] R. Bose, S. Pathak, A novel compression and encryption scheme using variable model arithmetic coding and coupled chaotic system, IEEE Trans. Circuits Syst. I: Regular Papers 53 (4) (2006) 848–857. [4] M. Grangetto, E. Magli, G. Olmo, Multimedia selective encryption by means of randomized arithmetic coding, IEEE Trans. Multimedia 8 (5) (2006) 905–917. [5] J. Wen, H. Kim, J.D. Villasenor, Binary arithmetic coding with key-based interval splitting, IEEE Signal Process. Lett. 13 (2) (2006) 69–72. [6] H. Kim, J. Wen, J.D. Villasenor, Secure arithmetic coding, IEEE Trans. Signal Process. 55 (5) (2007) 2263–2272. [7] H. Li, J. Zhang, A secure and efficient entropy coding based on arithmetic coding, Commun. Nonlinear Sci. Numer. Simul. 14 (12) (2009) 4304–4318. [8] H. Hermassi, R. Rhouma, S. Belghith, Joint compression and encryption using chaotically mutated Huffman trees, Commun. Nonlinear Sci. Numer. Simul. 15 (10) (2010) 2987–2999. [9] K.-W. Wong, Q. Lin, J. Chen, Simultaneous arithmetic coding and encryption using chaotic maps, IEEE Trans. Circuits Syst. Part II: Express Briefs 57 (2) (2010) 146–150. [10] C.-H. Yuen, K.-W. Wong, A chaos-based joint image compression and encryption scheme using DCT and SHA-1, Appl. Soft Comput. 11 (8) (2011) 5092–5098. [11] O.-Y. Lui, K.-W. Wong, J. Chen, J. Zhou, Chaos-based joint compression and encryption algorithm for generating variable length ciphertext, Appl. Soft Comput. 1 (12) (2012) 125–132. [12] G.A. Spanos, T.B. Maples, Performance study of a selective encryption scheme for the security of networked, real-time video, in: International Conference on Computer Communications and Networks (ICCCN’95), Las Vegas, NV, USA, 1995, pp. 2–10. [13] H. Cheng, X. Li, Partial encryption of compressed images and videos, IEEE Trans. Signal Process. 48 (8) (2000) 2439–2451. [14] M. Podesser, H.-P. Schmidt, A. Uhl, Selective bitplane encryption for secure transmission of image data in mobile environments, in: IEEE Nordic Signal Processing Symposium (NORSIG’02), Tromso-Trondheim, Norway, 2002. [15] Y. Sadourny, V. Conan, A proposal for supporting selective encryption in JPSEC, IEEE Trans. Consumer Electron. 49 (4) (2003) 846–849. [16] R. Pfarrhofer, A. Uhl, Selective image encryption using JBIG, in: Joint IFIP TC6 and TC11 Conference on Communications and Multimedia Security (CMS’05), Salzburg, Austria, 2005, pp. 98–107. [17] S. Lian, X. Chen, On the design of partial encryption scheme for multimedia content, Math. Computer Modell. 57 (11-12) (2013) 2613–2624. [18] A. Said, W.A. Pearlman, A new, fast, and efficient image codec based on set partitioning in hierarchical trees, IEEE Trans. Circuits Syst. Video Technol. 6 (3) (1996) 243–250. [19] J.M. Shapiro, Embedded image coding using zerotrees of wavelet coefficients, IEEE Trans. Signal Process. 41 (12) (1993) 3445–3462.

[20] L.W. Chew, L.-M. Ang, K.P. Seng, Survey of image compression algorithms in wireless sensor networks, in: International Symposium on Information Technology (ITSim’08), Kuala Lumpur, Malaysia, 2008, pp. 1–9. [21] S. Lian, J. Sun, Z. Wang, Perceptual cryptography on SPIHT compressed images or videos, in: IEEE International Conference on Multimedia and Expo (ICME’04), Taipei, Taiwan, 2004, pp. 2195–2198. [22] S. Lian, J. Sun, Z. Wang, A secure 3D-SPIHT codec, in: European Signal Processing Conference (EUSIPCO’04), Vienna, Austria, 2004, pp. 813–816. [23] K. Martin, R. Lukac, K.N. Plataniotis, Efficient encryption of wavelet-based coded color images, Pattern Recogn. 38 (7) (2005) 1111–1115. [24] K. Martin, K.N. Plataniotis, Privacy protected surveillance using secure visual object coding, IEEE Trans. Circuits Syst. Video Technol. 18 (8) (2008) 1152–1162. [25] R. Lin, Y. Mao, Z. Wang, Chaotic secure image coding based on SPIHT, in: IEEE International Conference on Communications and Networking in China (ChinaCom’08), Hangzhou, China, 2008, p. 1294. [26] N. Taneja, B. Raman, I. Gupta, Partial encryption on SPIHT compressed images, in: International Conference on Pattern Recognition and Machine Intelligence (PReMI’09), Delhi, India, 2009, pp. 426–431. [27] H. Li, J. Wang, Y. Wang, M. Tian, S. Xu, A flexible and secure image compression coding algorithm, in: International Conference on Future Information Technology and Management Engineering (FITME’10), Changzhou, China, 2010, pp. 376–379. [28] H. Yang, X. Liao, K.-W. Wong, W. Zhang, P. Wei, SPIHT-based joint image compression and encryption, Acta Phys. Sin. 61 (4) (2012) 040505. [29] X. Zhang, X. Wang, Chaos-based partial encryption of SPIHT coded color images, Signal Process. 93 (9) (2013) 2422–2431. [30] T. Xiang, J. Qu, C. Yu, X. Fu, Degradative encryption: an efficient way to protect SPIHT compressed images, Opt. Commun. 285 (24) (2012) 4891–4900. [31] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius, Rabbit: a new high-performance stream cipher, in: Fast Software Encryption, vol. 2887, 2003, pp. 307–329. [32] The USC-SIPI image database. http://sipi.usc.edu/database/ [33] S. Li, C. Li, G. Chen, N.G. Bourbakis, K.-T. Lo, A general quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Process. Image Commun. 23 (3) (2008) 212–223. [34] C. Li, K.-T. Lo, Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Process. 91 (4) (2011) 949–954. [35] SPIHT image compression. http://www.cipr.rpi.edu/research/SPIHT/ [36] Z. Wang, A.C. Bovik, H.R. Sheikh, E.P. Simoncelli, Image quality assessment: From error visibility to structural similarity, IEEE Trans. Image Process. 13 (4) (2004) 600–612. [37] Y. Mao, M. Wu, Security evaluation for communication-friendly encryption of multimedia, in: IEEE International Conference on Image Processing (ICIP’04), Singapore, 2004, pp. 569–572. [38] R.C. Gonzalez, R.E. Woods, Digital Image Processing, 2nd Edition, Prentice Hall, Upper Saddle River, NJ, 2002. [39] D. Kundur, D. Hatzinakos, Blind image deconvolution, IEEE Signal Process. Mag. 3 (3) (1996) 43–64. [40] C. Schmaltz, J. Weickert, A. Bruhn, Beating the quality of JPEG 2000 with anisotropic diffusion, in: Proceedings of the 31st DAGM Symposium on Pattern Recognition (DAGM’09), 2009, pp. 452–461. [41] P. Perona, J. Malik, Scale-space and edge detection using anisotropic diffusion, IEEE Trans. Pattern Anal. Mach. Intell. 12 (7) (1990) 629–639. [42] Y.-L. You, M. Kaveh, Blind image restoration by anisotropic regularization, IEEE Transact. Image Process. 8 (3) (1999) 396–407. [43] L.I. Rudin, S. Osher, E. Fatemi, Nonlinear total variation based noise removal algorithms, Physica D 60 (1-4) (1992) 259–268. [44] F. Sroubek, P. Milanfar, Robust multichannel blind deconvolution via fast alternating minimization, IEEE Trans. Image Process. 1 (4) (2012) 1687–1700. [45] D. Krishnan, T. Tay, R. Fergus, Blind deconvolution using a normalized sparsity measure, in: IEEE Conference on Computer Vision and Pattern Recognition (CVPR’11), 2011, pp. 233–240. [46] restoreInpaint. http://restoreinpaint.sourceforge.net/.