18 research outputs found

    Research on Image Encryption and Authentication Methods Supporting Secure Transcoding

    No full text
    With the rapid development of multimedia processing technology and computer networks, multimedia communication applications are becoming increasingly popular. Digital images, as an important kind of multimedia data, are widely used in the economy, the military, and daily life. Image encryption and authentication supporting secure transcoding is an important research field in information security and a key technology for secure image delivery, with both theoretical significance and practical value. Based on an in-depth analysis of the state of research and development in this field in China and abroad, this dissertation studies image encryption and authentication methods supporting secure transcoding. The main contributions are as follows:
    (1) To address secure transcoding in image data transmission, an encryption method supporting transparent transcoding is proposed. It performs bit-rate transcoding on encrypted image codestreams and ensures end-to-end secure delivery. Based on an analysis of the structural features of the codestreams, a secure delivery and distribution framework for image data supporting secure transcoding is designed. Within this framework, a structure-preserving hierarchical packetization strategy and a secure packet format are realized using information such as the syntactic structure of the codestream, and a secure transparent transcoding mechanism is introduced to support bit-rate conversion on codestreams in the ciphertext domain. Based on the framework, encryption algorithms supporting transparent transcoding are realized for CCSDS image data compression (CCSDS IDC) codestreams and JPEG 2000 codestreams.
    (2) To address authentication in secure transcoding of image data, an authentication method supporting scalable verification is proposed; it provides end-to-end scalable verification of image codestreams while supporting transparent transcoding. To be seamlessly compatible with the image encryption schemes supporting transparent transcoding, an image transmission framework supporting scalable verification is designed, and under it the secure packet format definition is refined. Using the coding feature information of CCSDS IDC codestreams, a scalable authentication algorithm for CCSDS IDC codestreams is realized. By combining hash chain and hash tree techniques, the algorithm achieves "sign once, verify scalably" for the whole codestream while still supporting secure transparent transcoding.
    (3) To improve the packet-loss robustness of stream-level authentication methods, a quality-optimized scalable authentication method is proposed, which obtains the same end-to-end authentic quality as without authentication at a reduced authentication overhead. With image quality and authentication overhead as optimization objectives, a quality-optimized image delivery framework is designed. Based on an analysis of the shortcomings of conventional authentication optimization models, two basic conditions for achieving optimal end-to-end rate-distortion (R-D) performance are given. On this basis, a general R-D based authentication optimization model (AOM) is constructed; by combining graph-based and forward error correction (FEC) based authentication, it guarantees that the authentication dependency is consistent with the coding dependency. Using information such as the codec dependencies of the codestreams, the equivalence condition under which the AOM attains its optimal solution is proved, and two basic operations for constructing the optimal authentication graph (OAG) are given. Based on the AOM, authentication optimization algorithms are realized for CCSDS IDC and JPEG 2000 codestreams respectively.
    (4) To address end-to-end R-D optimization in secure image data delivery, an image encryption and authentication optimization method based on joint source-channel coding (JSCC) is proposed, which can achieve optimal end-to-end R-D performance. Using source significance information (SSI) and channel state information (CSI), a secure image delivery framework based on joint coding is designed, providing unequal authentication protection (UAP) and unequal error protection (UEP) for image data. A complete secure packet format is realized, and the objects to which encryption, authentication, and channel coding are applied are analyzed with reference to the modules of the framework. Following the principles of UAP and UEP, a cross-layer optimization resource allocation (CLORA) model is established. Under different channel error conditions, the model optimally allocates cross-layer source-authentication-channel bit-rate resources and thereby obtains the optimal end-to-end R-D performance.

    JPEG2000 Digital Image Encryption Algorithm Supporting Ciphertext Transcoding

    No full text
    To meet the growing demand for transcoding capability in increasingly heterogeneous communication networks, a hierarchical digital image encryption algorithm supporting ciphertext-domain transcoding, named CT-HEA (Ciphertext Transcoding-Hierarchical Encryption Algorithm), is proposed. Compared with previous JPEG2000 image encryption algorithms, CT-HEA exploits the features of the rate-distortion optimized truncation model: it re-truncates and merges the compressed stream according to image quality layer and resolution, and then applies layered encryption to the reorganized codestream using cryptographic algorithms. The algorithm supports transparent bit-rate transcoding directly on the encrypted compressed stream. Simulation results show that CT-HEA has low complexity, good confidentiality, flexible secure transcoding, and low transcoding overhead.

    Research and Design of a Pre-processing System for Particle Simulation

    No full text
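    To meet the needs of a general-purpose software platform for large-scale parallel particle simulation, a corresponding pre-processing system was designed, consisting of two parts: simulation boundary condition handling and particle generation. It not only performs geometric modeling for the platform's particle simulations, but also discretizes the user's computational simulation domain into filling particles arranged in a specified pattern, achieving particle discretization of a continuous simulation domain. The pre-processing system provides a complete graphical user interface and includes detection of invalid input. The system has been tested in pseudo-particle simulation computations; the results show that this work provides a practical tool for the promotion and application of particle methods, achieves generality to a certain extent, and supplies reliable data to the computational part of the general-purpose large-scale parallel particle simulation platform, helping ensure its correct operation.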

    Packet-loss robust scalable authentication algorithm for compressed image streaming

    No full text
    Based on the structure and dependency characteristics of image codestreams, a packet-loss robust scalable stream authentication method is proposed. By constructing the authentication algorithm from hash chaining and error-correction coding, the method achieves optimized bit-rate allocation and unequal authentication protection (UAP). First, the compressed image codestream is parsed to obtain hierarchical structure information and coding dependencies. Second, according to the importance of the codestream data to the reconstructed image quality, less important data are linked to more important data via hash chains. Finally, the hash values of the decoding-independent codestreams and the digital signature of the whole codestream are protected with error-correction coding, improving the robustness of the authentication algorithm to packet loss. The method signs the whole image codestream only once and therefore has a very low authentication overhead. Experimental results show that, compared with three other stream authentication algorithms, the authenticated image of this method has higher reconstructed quality.

    A Parallel Algorithm for the Pseudo-Particle Model of Channel Flow

    No full text
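    Treating the fluid as discrete particles and applying the pseudo-particle hard-sphere model to study flow phenomena in channel flow, in a manner similar to molecular dynamics simulation algorithms, is an effective way to study the mechanism of channel flow. To enable large-scale simulation, this paper parallelizes the serial program of the model using domain decomposition and the message-passing programming model. One-dimensional partitioning and single-phase transfer are used to simplify the parallel algorithm, and a rotating search method is used to prevent the order of hard-sphere collisions from affecting the results. Example computations on a scalable cluster system, compared against the serial program, verify the correctness of the parallel program and show that the parallel algorithm designed here achieves high parallel efficiency.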

    Multiple group shared key management for satellite multicast

    No full text
    When existing multiple-group key management schemes are applied to large, dynamic satellite multi-group multicast environments, key management efficiency becomes the bottleneck because of limited satellite resources. To solve this problem, a satellite multiple group key management scheme named SMGKM (Satellite Multiple Group Key Management) is proposed. Users are divided into subgroups according to their ability to access the multicast sources, and a subgroup controller is set in each subgroup. Multiple-group key management is carried out by constructing a multicast key management graph and a subgroup key management structure. The scheme provides forward and backward secrecy. Compared with existing typical schemes, SMGKM effectively reduces the satellite's communication and storage overhead and is better suited to large, dynamic satellite multiple-group key management.

    An authentication method for satellite remote sensing image via constructing directed graph

    No full text
    To address data security under the low bandwidth and high bit-error rate of space links, an authentication algorithm for satellite remote sensing images based on directed graph construction is proposed. The algorithm uses rate-distortion theory to establish an authentication optimization model and obtains an optimized trade-off between authentication overhead and packet-loss robustness by constructing a directed graph. First, based on an analysis of the structure of the compressed remote sensing image codestream and the characteristics of bit-plane coding, a hierarchical layering and packetization strategy that preserves the codestream's syntactic structure is designed. Second, the quality weights and codec dependencies of packets in different layers are analyzed, and hash chains and hash trees are combined to construct the optimal authentication graph, providing unequal authentication protection for the image data. Finally, the overhead and packet-loss robustness of the algorithm are compared and analyzed, simulation experiments are carried out, and a security analysis is performed. Experimental results show that the algorithm achieves a higher peak signal-to-noise ratio (PSNR) than other algorithms at different bit rates, that is, stronger packet-loss robustness at the same overhead.