Please verify that (1) all pages are present, (2) all figures are acceptable, (3) all fonts and special characters are correct, and (4) all text and figures fit within the margin lines shown on this review document. Return to your MySPIE ToDo list and approve or disapprove this submission.
Flexible Authentication of Images
Yanjiang Yang (1, 2), Feng Bao (2), Robert H. Deng (2)
(2) Institute for Infocomm Research, 21 Heng Mui Keng Terrace, Singapore 119613, {yanjiang, baofeng, deng}@i2r.a-star.edu.sg
(1) School of Computing, National University of Singapore
[email protected]
ABSTRACT. In this paper, we propose a novel authentication method for digital images that achieves fine authenticating granularity (e.g., block-level granularity). Its appealing flexibility lies in the fact that with only one piece of authenticating data (e.g., digital signature or message authentication code) spanning all blocks, each block can be independently authenticated while ignoring the other blocks. In our method, the authenticating data are derived by means of the Chinese Remainder Theorem. To further attest its flexibility, the method provides adjustable confidence by managing the public system parameters. Security issues, advantages, as well as limitations related to the method are addressed. A wide range of potential applications are envisioned to demonstrate its practical significance.

Keywords: Authentication; Chinese Remainder Theorem; Localization.
1. Introduction

Never before has the security of distributed multimedia data such as digital images been as prominent a concern as it is today, now that advanced multimedia processing tools make such data easy to tamper with. This necessitates security mechanisms that ensure the integrity and authenticity of images, which is normally done with authentication techniques such as digital signatures or fragile watermarking (e.g., among numerous others, [1-5]). The main differences between the two techniques can be summarized as follows: for the former, the authenticating data are kept separate from the original image (e.g., appended at the end of the file), while for the latter, the authenticating data are seamlessly integrated into the original image, on condition that the distortion introduced to the image is kept negligible.

However, as far as the authors are aware, virtually all existing authentication methods are intended to authenticate an image as a whole. More specifically, an image can be checked for authenticity only if its entire content is known. Even though some watermarking schemes such as [6-9] offer block-level authentication granularity (localization), and the concept of finer-grained authentication is not new, they without exception base their authentication functionality on the whole image. In contrast, in this paper we present a flexible authentication scheme for images that introduces a novel authentication concept: with a single digital signature that spans all constituent parts of an image, localization (finer authentication granularity) for certain parts of the image is achieved even without knowing the remaining parts. Furthermore, in its most general form, where an image is partitioned into blocks as in [6], the method is so flexible that any single block or any combination of the blocks can be authenticated while ignoring the other blocks.
Formally, let $b = \{b_1, b_2, \ldots, b_n\}$ be the set of blocks of an image and $B$ be the superset of $b$, where $b_i$ is the $i$th block of the image. Then, with a single digital signature on $b$, our method is able to authenticate any subset $B_i \in B$ without the presence of $\bar{B}_i$, where $\bar{B}_i \in B$ and $\bar{B}_i \cup B_i = B$.
SPIE USE, V. 2 5150-208 (p.1 of 7) / Color: No / Format: A4/ AF: A4 / Date: 2003-04-02 04:04:03
Furthermore, by carefully handling the system parameters, we are able to keep a fixed amount of authentication data regardless of the number of blocks. This feature is rarely provided by other methods. Once the digital signature is obtained, it can be either appended to or embedded into the image (or parts of the image), as the aforementioned authentication techniques do. This in fact attests to the added flexibility of our method.

Such an authentication method has many applications. For example, in security-sensitive scenarios such as military or commercial environments, where access restrictions are imposed such that a principal can only inspect the parts of an image that match his privilege, our method lets the principal check the authenticity of the inspected part without having to know the other parts of the image. As another example, consider information systems for healthcare. Once acquired, medical images are usually segmented, among other processing procedures, into various ROIs (Regions of Interest) prior to being archived in a database. To protect the privacy of the patients or simply to save communication bandwidth, a healthcare provider may wish to expose to the requestor (e.g., the patient’s personal doctor) only those ROIs that suffice for the requestor’s responsibility and liability. In such a case, the requestor must be assured of the authenticity of the ROIs delivered to him with respect to the whole image. This is exactly what our method achieves.

Besides flexibly authenticating parts of an image as described above, our authentication method can also be naturally extended to a group of images: a single piece of authenticating data on all the images in a group is obtained, and then any sub-group of the images can be authenticated in the absence of the other images. Here we only sketch some possible applications of our method; more discussion of the application scenarios is provided in Section 5.
The rest of the paper is organized as follows. In Section 2, the Chinese Remainder Theorem is briefly reviewed, followed by a detailed description of our method. In Section 3, we shed some light on the security issues involved in our proposed method. We then discuss the advantages and limitations of our method in Section 4. Section 5 explores a wide range of potential application scenarios in order to further illustrate the method and to justify its value. Finally, Section 6 summarizes the paper.
2. Method

In this section, we give a detailed description of our method. Since our proposed authentication scheme is built on the Chinese Remainder Theorem (CRT) [11], for completeness and ease of understanding we provide a brief introduction to CRT before delving into our scheme.
2.1. Chinese Remainder Theorem (CRT)

Let $n_1, n_2, \ldots, n_l$ be positive integers that are pairwise coprime and $a_1, a_2, \ldots, a_l$ be integers. Then the following system of simultaneous congruences (1) has a unique solution $x < n$, where $n = n_1 n_2 \cdots n_l$:

$$
\begin{aligned}
x &\equiv a_1 \pmod{n_1} \\
x &\equiv a_2 \pmod{n_2} \\
&\;\;\vdots \\
x &\equiv a_l \pmod{n_l}
\end{aligned}
\tag{1}
$$

CRT solves the set of equations in (1) as follows. Let $N_i = n/n_i$, $i \in [1 \ldots l]$,
then since the $n_i$ ($i \in [1 \ldots l]$) are pairwise coprime, we have $\gcd(n_i, N_i) = 1$, $i \in [1 \ldots l]$. Therefore, for each $N_i$ we can compute $y_i$ such that $y_i N_i \equiv 1 \pmod{n_i}$, $i \in [1 \ldots l]$. Then $x$ is solved as

$$
x = \sum_{i=1}^{l} a_i y_i N_i \bmod n
$$

For detailed discussions on CRT, we refer interested readers to any textbook on number theory or cryptography (e.g., [10, 11]). In what follows, we introduce in detail our authentication scheme.
2.2. Our Scheme
To explain our method clearly, we consider it in a general context, i.e., the scheme is intended to authenticate an image $M$ that is partitioned into $n$ parts (either intersecting or not), $m_1, m_2, \ldots, m_n$. In addition, a sequence of distinct primes is chosen as public system parameters, i.e., $\{p_1, p_2, \ldots, p_k, \ldots\}$. They are necessarily pairwise coprime. As system parameters, these primes are public and common to all images; therefore their number should be equal to or greater than the maximal number of parts into which the images in the system are expected to be partitioned. By saying the parameters are public, we mean that any user of the system has ways to know them and they do not need to be transmitted together with the images. We further employ a hash function such as MD5 or SHA [10], denoted as $h(\cdot)$, to calculate the message digest of each part together with its unique index. For simplicity, the unique index of each part is its sequence number in the image, in which case the message digest of part $i$ is $h(m_i, i)$. Note that because $i$ is involved in the message digest computation, collage attacks are prevented. With these, we then compute $H$ such that
$$
\begin{aligned}
H &\equiv h(m_1, 1) \pmod{p_1} \\
H &\equiv h(m_2, 2) \pmod{p_2} \\
&\;\;\vdots \\
H &\equiv h(m_n, n) \pmod{p_n}
\end{aligned}
\tag{2}
$$
Since $p_i$, $i \in [1 \ldots n]$, are primes, they are pairwise coprime. According to the Chinese Remainder Theorem, there exists a unique $H$ satisfying the set of equations in (2). Consequently, $H$ is signed to form the digital signature of the image $M$, denoted here as $H_s$. $H$ and $H_s$ are then archived together with image $M$. We call this procedure the signing process, which is
normally performed by a server equipped with high computation capacity. Later, upon request of any single $m_i$ or any combination of $m_i$, $i \in [1 \ldots n]$, $H$ and $H_s$ are delivered along with the requested parts for authentication purposes. Note that in practice, $H$ and $H_s$ can be either appended to or embedded into the requested parts; the former is a so-called digital signature scheme and the latter is a watermarking scheme.

Given the requested parts, $H$ and $H_s$, it is straightforward for a verifier to check whether the delivered parts are authentic. Without loss of generality, assume that $m_l$ and $m_j$ are the requested parts. With $H_s$, the verifier can easily determine the authenticity of $H$. Next, the verifier computes $h_l = h(m_l, l)$ and $h_j = h(m_j, j)$ respectively. To authenticate $m_l$, the verifier checks whether $H \equiv h_l \pmod{p_l}$. If it holds, $m_l$ is deemed authentic; otherwise $m_l$ has been tampered with. Authentication of $m_j$ follows a similar procedure. In this way, localization is achieved. It is straightforward to see that, using our method, any part $m_i$ of $M$ can be authenticated without any knowledge of the other parts.

There are variants of the above method. Rather than using a digital signature, we can instead use a secret key $k$ directly in the hash value computations. This type of computation in fact amounts to calculating the Keyed-Hash Message Authentication Code (HMAC) [10] of the message. To this end, $H$ is computed as
$$
\begin{aligned}
H &\equiv h(m_1, 1, k) \pmod{p_1} \\
H &\equiv h(m_2, 2, k) \pmod{p_2} \\
&\;\;\vdots \\
H &\equiv h(m_n, n, k) \pmod{p_n}
\end{aligned}
\tag{3}
$$
$H$ is then archived together with the image and is used for authentication in the same way as the digital signature. Verification follows a similar process to the one described above, with the assumption that the verifier knows the secret key $k$.
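The keyed variant of equation (3) can be run end to end as follows. This is an added example, not code from the paper: it assumes HMAC-SHA-256 as the instantiation of h(m_i, i, k), a 4-byte big-endian encoding of the index, 40-bit primes generated by a hypothetical `system_primes` helper, and constructed sample blocks and key.

```python
import hashlib
import hmac
from math import prod

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, valid for every n below about 3.3e24."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def system_primes(count: int, bits: int = 40):
    """Public parameters p_1..p_k: the first `count` primes above 2**(bits-1)."""
    primes, cand = [], (1 << (bits - 1)) + 1
    while len(primes) < count:
        if is_prime(cand):
            primes.append(cand)
        cand += 2
    return primes

def digest(part: bytes, index: int, key: bytes) -> int:
    """h(m_i, i, k) of equation (3); HMAC-SHA-256 is an assumption of this example."""
    msg = index.to_bytes(4, "big") + part
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def sign(parts, primes, key) -> int:
    """Solve H = h(m_i, i, k) mod p_i for all i with the CRT formula of Section 2.1."""
    n = prod(primes[:len(parts)])
    H = 0
    for i, (m, p) in enumerate(zip(parts, primes), start=1):
        N_i = n // p
        y_i = pow(N_i, -1, p)              # y_i * N_i = 1 mod p_i
        H += (digest(m, i, key) % p) * y_i * N_i
    return H % n

def verify(part: bytes, index: int, H: int, primes, key: bytes) -> bool:
    """Check one part against H using only that part, its index and p_index."""
    p = primes[index - 1]
    return H % p == digest(part, index, key) % p

# Constructed sample data: four "blocks" of an image and a demo key.
PRIMES = system_primes(8)
KEY = b"demo-key-not-for-production"
PARTS = [b"block-A pixels", b"block-B pixels", b"block-C pixels", b"block-D pixels"]
H = sign(PARTS, PRIMES, KEY)

if __name__ == "__main__":
    print("H =", H, f"({H.bit_length()} bits)")
    print("part 3 alone:", verify(PARTS[2], 3, H, PRIMES, KEY))
    print("tampered part 3:", verify(b"block-C pixelz", 3, H, PRIMES, KEY))
    print("part 3 presented as part 1:", verify(PARTS[2], 1, H, PRIMES, KEY))
```

The last check shows the role of the index in h(m_i, i): a genuine block presented at another position fails, which is the collage-attack protection mentioned in Section 2.2.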
3. Security Analysis

In this section, we provide a security analysis of the proposed method. It is apparent that the security of the proposed scheme lies in the size of $p_i$, $i \in [1 \ldots n]$. To see this, given any $m_i$ and $h_i = h(m_i, i)$, in order to compromise our authentication method an adversary has to find an $h_i'$, where $h_i' = h(m_i', i)$ and $m_i'$ is an arbitrary meaningful image, such that

$$
h_i' \equiv h_i \pmod{p_i}. \tag{4}
$$

The probability of finding such an $h_i'$ is apparently $2^{-l}$, where $l$ is the size of $p_i$ in bits. Note that the birthday attack [10] does not apply here, for the following reason: the birthday attack is intended to find any arbitrary pair of messages with equal hash values, whereas the attack here is about finding another message whose hash value is equal to that of a given message. From a cryptographic perspective, to counter such an attack $l$ should be at least 40 bits in length. More bits, such as 50-60 bits, make our scheme more robust. However, from a practical point of view, for less sensitive $m_i$, a $p_i$ of 20-30 bits may be enough, depending on the specific application.
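To see how the bit length l of p_i translates into confidence, the following added example (not part of the paper) measures how many altered versions of a part have to be tested before one satisfies condition (4), using deliberately undersized 8-bit and 12-bit primes. SHA-256 as h, the index encoding and the sample parts are assumptions of the example.

```python
import hashlib

def residue(part: bytes, index: int, p: int) -> int:
    """h(m_i, i) mod p_i, with SHA-256 standing in for h (an assumption)."""
    d = hashlib.sha256(index.to_bytes(4, "big") + part).digest()
    return int.from_bytes(d, "big") % p

def tries_until_match(original: bytes, index: int, p: int, limit: int):
    """Test altered versions of a part until one has the original's residue.

    Returns (tries, candidate), or (limit, None) when nothing matched.
    """
    target = residue(original, index, p)
    for t in range(1, limit + 1):
        candidate = original + b"|variant-%d" % t   # constructed stand-in for m_i'
        if residue(candidate, index, p) == target:
            return t, candidate
    return limit, None

def mean_tries(p: int, trials: int = 20) -> float:
    """Average work over several constructed parts; expected to be close to p."""
    total = 0
    for n in range(trials):
        tries, candidate = tries_until_match(b"part-%d" % n, 1, p, 50 * p)
        assert candidate is not None
        total += tries
    return total / trials

# Deliberately undersized primes (8 and 12 bits) so the loop finishes quickly.
SMALL_PRIMES = {8: 251, 12: 4093}

if __name__ == "__main__":
    for bits, p in SMALL_PRIMES.items():
        print(f"{bits}-bit prime {p}: mean tries = {mean_tries(p):.0f}, 2^l = {2 ** bits}")
```

The measured work grows in proportion to p_i, i.e. about 2^l evaluations of h per accepted alteration; in the keyed variant (3) each of those evaluations additionally requires the secret key k.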
4. Discussion

Briefly, the proposed scheme authenticates an image in a novel and flexible way: with a single digital signature, authentication of any part or any group of the parts with respect to the entire image can be readily accomplished, and more importantly such an authentication is done without needing to know the other parts. The scheme offers a number of advantages.

- It is efficient both in terms of computation and space. As to computation, only $H$ and its digital signature are computed in the signing process (for the variant scheme, only $H$ is computed and no digital signature is needed at all). Furthermore, verification is lighter than signing, since arithmetic operations are performed modulo much smaller numbers. From this perspective, our scheme suits situations in which the verifier (client) has limited computation capacity, e.g., PDAs. For space efficiency, it follows from the Chinese Remainder Theorem that the size of $H$ is comparable to $|p_1 p_2 \cdots p_n|$, where $|\cdot|$ by convention denotes the size. Thus $H$ is much shorter than the concatenation of all $h(m_i, i)$, because hash values are normally much longer (e.g., MD5: 128 bits; SHA: 160 bits). Moreover, with only one signature for all the parts, the scheme simplifies the management of image archiving.

- It provides good localization. This point is evident from the scheme itself as described so far. In addition, there is no restriction on the partition pattern of the images, i.e., the partitioned parts may overlap; the partition may be conventional blocks or take other forms such as a segmentation of the image; and so forth. Therefore it offers flexible fine granularity.

- It offers scalability. Adding or removing a part or parts of an image requires recomputing $H$ by CRT, which is not a very involved process.

- As analyzed above, the security of the scheme lies in the $p_i$’s. Therefore we are able to choose the prime parameter for each $m_i$ according to its sensitivity, i.e., we choose big primes for the security-critical parts and comparatively smaller primes for the less critical parts. In this way we achieve adjustable confidence of the scheme. Such a feature is unlikely to be seen in other methods. In a similar manner, we can keep the size of $H$ fixed.
We next explain an inherent limitation of the proposed scheme. We know from CRT that $H$ is computed modulo $p_1 p_2 \cdots p_n$, which means that if $|p_1 p_2 \cdots p_n|$ is long enough, arithmetic operations modulo $p_1 p_2 \cdots p_n$ become prohibitively cumbersome. This fact restricts the number of parts into which an image can be partitioned if our scheme is to qualify for practical implementation. Taking the current computation capacity of most computers into account, we suggest the number of parts should not exceed 50, supposing that the lengths of the $p_i$’s average around 40 bits. For this suggestion, we in fact presume that arithmetic operations modulo a 2,000-bit number are feasible. The suggested upper bound on the number of parts fortunately suffices for most practical systems.
5. Applications

As introduced in Section 1, our method has many applications; in this section we elaborate on several such potential application scenarios.

(1) Application Scenario 1

Let’s first look at potential applications of our method in the healthcare context. It is normal practice that, once acquired, medical images are segmented, among other processing procedures, into various ROIs (Regions of Interest; they may or may not intersect) prior to being archived in a database. These ROIs will be inspected by different
medical personnel. Conventionally, upon request, an entire image is delivered to the requestors as long as they are authorized users. However, doing so has some drawbacks. First, medical images usually contain a large amount of data, especially those with high resolutions. Transmission of the entire image may consume a lot of communication resources (bandwidth and time). If only some ROIs contained in the image are of interest to the requestor, there is obviously no need to transfer the whole image. Second, privacy of healthcare information is now a big concern to both patients and healthcare providers. Exposing more information than is needed to some requestors (e.g., the patient’s personal doctor) may leak the patient’s private information. As a result, if only certain ROIs are required, then only the required parts, not the entire image, should be sent in order to minimize leakage of sensitive healthcare information. In both cases there is a need for our method: to save communication bandwidth, and to protect the privacy of the patients or prevent leakage of sensitive medical information (of which medical imagery is a main form). The healthcare provider can use our method to reveal to the requestor (e.g., the patient’s personal doctor) only those ROIs that suffice for the requestor’s responsibility, while at the same time assuring the requestor of their authenticity with respect to the whole image. To this end, the healthcare provider computes $H$ in (2) with each $m_i$ being the respective ROI.
(2) Application Scenario 2

Images used in some applications, such as weather forecasting, are very large. These images (e.g., digital weather maps) are normally produced in the central unit and then distributed to various branch units. However, to a local unit (e.g., a provincial unit), only the part of an image that relates to its area is of real significance. In other words, different local units want different parts of the image, not necessarily the whole image. There is in fact no need to transmit a whole image to each local unit. In other scenarios, such as sensitive military or commercial circumstances where access restrictions are imposed so that a principal can only inspect the part of an image that matches his privilege, it becomes compulsory to deliver parts instead of a whole image. In all these cases, the receivers must have ways to check the authenticity of the parts given to them without knowing the other parts of the image. The application scenarios described here are similar to the healthcare example above. Possible distinctions include: first, they are a different application context for our method, and second, the images in these applications are expected to be partitioned into regular blocks as is normally done in other methods, except that the blocks are much larger and may not necessarily be of equal size.
(3) Application Scenario 3

The scenario here again concerns healthcare applications, but this time our method authenticates image groups. The healthcare community routinely uses medical images of different modalities, such as CT (Computed Tomography), MRI (Magnetic Resonance Imaging), SPECT (Single Photon Emission Computed Tomography), and so on. To make a diagnosis more precise, it is common for a doctor to examine multi-modality images of the same content. It is natural to collect them logically into a group. Instead of authenticating each of these multi-modality images separately, we can authenticate them as a group using our method. It works as follows: to compute $H$ for the group by (2), each $m_i$ is the respective member image of the group. In addition, the sequence of the images in a group normally does not matter much, so $h(m_i, i)$ can be replaced by $h(m_i)$. In verification, with $H$, any image of the group can be verified. From this application, we can see that besides flexibly authenticating sub-parts of an image, our authentication method can also be naturally extended to the case of a group of images.
For the purpose of explanation, we have outlined some potential applications of our method, categorized into different contexts. It is unnecessary and indeed impossible for us to enumerate all applications here, although many more could be listed.
6. Summary

To conclude this paper, we propose a novel and flexible authentication scheme that authenticates an image in such a way that, with a single piece of authenticating data (digital signature or message authentication code) on all parts of the image derived by means of the Chinese Remainder Theorem, verification of the authenticity of any part or any combination of the parts can be readily accomplished, and more importantly such verification is done without knowledge of the other parts. Hence, our method especially suits application scenarios where access restrictions are set such that only parts of an image are allowed to be inspected by a requestor. Under such circumstances, our method is able to assure the requestor of the authenticity of the partial image with respect to the whole image. Our scheme can be naturally extended to authenticate a group of images. The scheme offers a number of advantages, including efficiency, good localization (fine authentication granularity), adjustable confidence, and so on.
References:

1. M. Schneider and S. F. Chang, A Robust Content Based Digital Signature for Image Authentication, IEEE International Conf. on Image Processing, 1996.
2. M. Yeung and F. Mintzer, Invisible Watermarking for Image Verification, Journal of Electronic Imaging, vol. 7, no. 3, pp. 578-591, 1998.
3. P. W. Wong, A Public Key Watermark for Image Verification and Authentication, Proc. IEEE International Conference on Image Processing, vol. 1, pp. 455-459, 1998.
4. E. T. Lin and E. J. Delp, A Review of Fragile Image Watermarks, Proc. Multimedia and Security Workshop at ACM Multimedia’99, 1999.
5. M. Wu, B. Liu, Watermarking for Image Authentication, Proc. ICIP, 1998.
6. Jessica Fridrich, Security of Fragile Authentication Watermarks with Localization, Proc. SPIE Photonic West, Vol. 4675, Electronic Imaging 2002, Security and Watermarking of Multimedia Contents, pp. 691-700, 2002.
7. M. Celik, G. Sharma, E. Saber, A Hierarchical Image Authentication Watermark with Improved Localization and Security, Proc. ICIP 2001 (CD ROM version), paper ID 3532, 2001.
8. P. W. Wong, N. Memon, Secret and Public Key Image Watermarking Schemes for Image Authentication and Ownership Verification, IEEE Tran. Image Processing, vol. 10, pp. 1593-1601, 2001.
9. M. Utku, G. Sharma, E. Saber, and A. M. Tekalp, Hierarchical Watermarking for Secure Image Authentication with Localization, IEEE Tran. Image Processing, vol. 11, pp. 585-595, 2002.
10. Bruce Schneier, Applied Cryptography, 2nd Edition. John Wiley & So
11. D. R. Stinson, Cryptography: Theory and Practice, CRC Press, Inc., Boca Raton, 1996.