Verifiable image revision from chameleon hashes

In a digital society, the rapid development of computer science and the Internet has greatly facilitated image applications. However, one of the public network also brings risks to both image tampering and privacy exposure. Image authentication is the most important approaches to verify image integrity and authenticity. However, it has been challenging for image authentication to address both issues of tampering detection and privacy protection. One aspect, image authentication requires image contents not be changed to detect tampering. The other, privacy protection needs to remove sensitive information from images, and as a result, the contents should be changed. In this paper, we propose a practical image authentication scheme constructed from chameleon hashes combined with ordinary digital signatures to make tradeoff between tampering detection and privacy protection. Our scheme allows legitimate users to modify contents of authenticated images with a privacy-aware purpose (for example, cover some sensitive areas with mosaics) according to specific rules and verify the authenticity without interaction with the original authenticator. The security of our scheme is guaranteed by the security of the underlying cryptographic primitives. Experiment results show that our scheme is efficient and practical. We believe that our work will facilitate image applications where both authentication and privacy protection are desirable.


Introduction
Nowadays, we have stepped into an information era where digital data plays an important role in people's life. As the most common visual data, digital images are widely used in almost all aspects to convey crucial information. The development of information technology has contributed to significant advancements in image processing, since a digital image can be edited flexibly in computers with powerful image processing software (e.g., the Photoshop). However, flexible image editing tools also make malicious attacks (tampering, forgery, and so forth) towards images more accessible and imperceptible, which brings potential risks to image applications, especially in case if a digital image is used as a legal evidence and processing towards it should be controllable and authorizable.
Image authentication is the technology of verifying image origin, integrity and authenticity, and it is significant to security-relevant image applications for the purpose of tampering detection. Digital watermarks (Al-Otum 2014; Ur-Rehman and Zivic 2017; Lu and Liao 2001;Wang et al. 2018) and perceptual hashes (Venkatesan et al. 2000;Pun et al. 2018;Jiang and Pang 2018;Du et al. 2020) are important techniques for image authentication. Digital watermarks embed invisible information called watermarks by transforming original images at perception-tolerable levels, and verification is the extraction of the watermarks with reverse transformation.
Digital watermarks can be classified into fragile watermarks, robust watermarks, and semi-fragile watermarks according to their robustness. Fragile watermarking (Sreenivas and Prasad 2018) is mainly used in integrity detection, and it does not tolerate any editing of the Open Access Cybersecurity *Correspondence: tummy7882@hotmail.com College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China image. Robust watermarking (Agarwal et al. 2019) is generally used for copyright protection, which can prove the origin of the image, however, it can not distinguish rational operations from malicious ones. Semi-fragile (Peng et al. 2010;Lin and Chang 2000;Chen et al. 2017) watermarking can support editing detection, but its universality is not satisfying. Moreover, the embedding of the watermark needs to modify the original image, which sometimes brings negative impacts on image applications.
Perceptual hashes firstly extract features based on image contents. The extracted features are quantized, compressed, and encoded into a binary vector to compute a hash value, and the hash value is used as a digital "fingerprint" to authenticate the image. Since the extracted features are robust to reasonable editing operations which do not cause content distortion, perceptual hashes are available to provide image content authentication. However, when the contents of an authenticated image need to be changed even for a rational purpose (for example, a privacy-aware editing by removing sensitive information), the perceptual hashes do not work well. In addition, computation of perceptual hash is relative to methods of feature extraction and its universality is also not satisfying.
Overall, ordinary image authentication techniques, such as semi-fragile watermarking and perceptual hashing, tend to authenticate image contents instead of image operations, and have shortages in distinguishing malicious image operations from permissible and authorized ones accurately.

Motivations and contributions
Let us begin with an example. When there is a traffic accident, images/video captured by the dashcam can be used as important evidence by the Officer to make a responsibility-confirmation report. The raw image captured by hardware may contain some sensitive information that is not suitable to be disclosed. When the image is used as evidence in a court, the sensitive area of the image should be hidden away (covered with some mosaics) for privacy protection. In this case, an image authentication scheme is required to ensure that images are still authentic after undergoing some privacy-aware local revisions (Fig. 1). However, we think that even an authorized editor could have dishonest motives to edit the image. In our design, the image is divided into editable and non-editable parts. The non-editable parts which are hashed by an ordinary hash function are important and necessary. These parts refer to core contents of the image which should not be changed to avoid excessive content distortion. If the entire image is editable and the editor can change all the contents at will, we think it is not so practical in some real-world applications.
In this paper, we propose a practical image authentication scheme for privacy protection (Fig. 1). Our scheme allows legitimate users to modify the image contents with the privacy-aware purpose (for example, cover some sensitive areas with mosaic) according to specified rules. The verification of the modified image does not need any interaction with the original authenticator. In our design, the signer and editor are distinct entities. The signer is the image copyright owner and an editor is an image user who is authorized to edit the image limitedly. The owner's purpose of authenticating an image is to allow a specific user to edit the image in controllable ways, but not deny his behavior. Our contributions mainly consist of the following two aspects.

Flexible but verifiable image revision
In our scheme, we use chameleon hashing  combined with digital signatures to design an image authentication scheme, to achieve both flexible and verifiable revision. In our scheme, the original image is blocked and divided into several areas. An image producer authenticates the image and defines an editing rule. The rule denotes which areas in the authenticated image can be masked/edited. These editable areas are hashed with chameleon hashes to compute authentication codes (Fig. 2). A specific user (trapdoor holder of the

Image Producer Image Editor Image User
Authenticated image R evised image Revision Fig. 1 The workflow of a privacy-aware image authentication system chameleon hash) edits/revises the image by replacing the editable areas with arbitrary contents but not invalidate the codes. This provides a flexible image revision. In addition, for non-editable areas, image blocks are hashed by ordinary hashes. Any change (even 1-bit change) of the non-editable areas will invalidate the authentication. This provides a verifiable revision to the authenticated image.
In summary, editable areas in authenticated images can be replaced with arbitrary contents while the rest areas should be the same as before. That is, our scheme is verifiable by limiting image editing. Therefore, the flexible revision is useful for privacy-aware editing and the verifiable revision contributes to detecting tampering.

Authority
Image editor in our scheme is authorizable. In our scheme, nobody except the trapdoor holder of chameleon hashing can make collisions for the revised values. That is, our scheme achieves user control by specifying the editor of the image. Concretely, no one except a specific user can revise an image without invalidating the original authentication. If an image is revised and verified as true, the reviser can not repudiate his/her behavior.

Organization
The rest of the paper is organized as follows. In "Related work", we briefly review the literature on image editing authentication . In "Preliminaries", we present the relevant knowledge required by this paper. In "Definition", we present the formal definitions of our scheme. In "Construction", we describe the scheme and analyze its security in "Security analysis". In "Experiments and evaluation", theoretical analysis and experimental simulation of the scheme are given and we conclude this paper in "Conclusions" section.

Related work
As mentioned in the introduction, digital watermarks and digital signatures are important technology for image authentication. However, both schemes are expected to be very sensitive to any malicious modification used on the image. A good image authentication system should be able to tolerate modifications that are sufficiently needed. In order to make the image authentication system tolerate reasonable modification, various schemes in the field of watermarks and digital signatures have been actively investigated and proposed. We introduce some related designs as follows.
The semi-fragile watermark is introduced in image authentication to protect copyright and tolerate some normal image processing. In Yu et al. (2017), a detection method is proposed to calculate and measure the error between watermark image and tampered image. A novel wavelet domain image authentication scheme is proposed in Al-Otum (2014), which uses a semi-fragile watermark to detect and locate malicious tampering accurately in images. An algorithm with both robust watermarking and semifragile watermarking is proposed in Fridrich et al. (2002). The algorithm can realize the dual functions of copyright protection and integrity authentication. Though semifragile watermarks provide solutions for image authentication with robustness, it is difficult to prove the security of a watermark-based image authentication scheme. Therefore, it is difficult to decide if a specific editing (such as add a logo or covered with mosaics) is an authorized operation.
Another approach based on digital signatures in image authentication was proposed in Zhu and Hu (2008). In the proposed scheme, a image is authenticated by signing features extracted from the image. The scheme allows the image to be modified by setting a threshold value, and the modified image can be verified successfully as long as the difference value between the modified image and the signature image is less than the predefined threshold value. The scheme can tolerate some operations but is not suitable for privacy-aware authenticating methods of the image since its sensitivity of image content alternation.
To solve the problem of privacy protection, some attractive designs are proposed in Chen et al. (2018) Chen et.al proposed privacy-aware image authentication from commitments (Chen et al. 2018) and accumulators ). These schemes allow users to crop the image according to the signer's predefined rules and output a valid signature. The disadvantage of this scheme is that it does not support authority. Any user can edit the image, which may lead to repudiation.
Kim et al. proposed a privacy-aware security signature scheme using chameleon hashing (Kim et al. 2017). In the proposed scheme, users can delete the object of the image legally, and the original signature is still valid. This scheme supports privacy-aware image processing operations. However, there is no editing rule defined in the scheme and the editor can edit the whole image at will, even replacing the image with a new one entirely. Overall, existing designs have at least one of the following two drawbacks: (1) Sensitive to content revision: most of the existing schemes based on watermarks and perceptual hashes are used to provide content authentication. They are robust to operations which do not cause content distortion, but sensitive to privacy-aware operations which would change contents of the images. (2) The authority is not well addressed. Image authentication from cryptographic primitives (accumulators and commitments) detects operations but does not identify its users. Anyone is considered as an honest user if the processing operations do not invalidate the authentication, which could lead to repudiation of the revision behavior.

Preliminaries
In this section, we will present the cryptographic tools used in our scheme.

Digital Signature Schemes
A digital signature scheme ( DSS ) consists of three polynomial-time algorithms: DSS = (KeyGen, Sign, Verify): • KeyGen : The key generation algorithm takes a security parameter 1 as an input, and outputs a public key pk sig and a private key sk sig . That is (pk sig , sk sig ) ← KeyGen(1 ). • Sign : The signing algorithm takes a private key sk sig and a message M as input, and outputs a σ . That is σ ← Sign(sk sig , M). • Verify : The verifying algorithm takes a public key pk sig , a signature σ , and a message M as input, and outputs a bit b ∈ {0, 1} . That is b ← Verify(pk sig , M, σ ).

Security requirements of DSS
It should be computationally infeasible for any adversary to compute a valid signature with a fixed public key pk sig and the access to signing oracle Sign(sk sig , .) to obtain signatures of messages chosen by himself. We give the formalized definition of this security property as follows. (1) where is a set of messages which has been inquired to sign oracle Sign(sk sig , ·) by A.

Chameleon hashing schemes
A chameleon hash function is a trapdoor collision-resistant hash function with a key pair (pk, sk) Chen et al. 2004). Anyone who knows the public key pk can efficiently compute the hash value for each input. Besides, there is an efficient algorithm for the holder of the private key sk, called a trapdoor, to find collisions for any given input. Formally, a chameleon hash scheme ( CHS ) consists of three algorithms: • Key Generation : KeyGen takes a security parameter as input. It returns a key pair (pk, sk), where pk is a public key and sk is a secret key of the user to find collisions for any given input. • Hash Computation : CHash that takes a public key pk, a message m, and a randomness r ∈ Z * q as input, returns a hash value h = CHash(pk, m, r).
• Collision Computation : Adapt that takes the secret key sk of the user, a message m, a randomness r ∈ Z q * , and another message m ′ as input, outputs an integer r ′ = Adapt(sk, M, r, M ′ ) that satisfies

Security of chameleon hashes
The security requirements of a chameleon hash is Collision-resistance (Ateniese and de Medeiros 2004): By giving only public key pk, message m and randomness r, there is no efficient algorithm that can find a second pair (m ′ , r ′ ) such that a hash value C = Hash(pk, m, r) with more than negligible probability.

Definition
This section focuses on formal definitions of verifiable image revision from chameleon hashes.

Definition of our scheme
Our scheme consists of the following six algorithms: KeyGen , OrigAuth , Edit , Verify , Proof , and Judge (Fig. 3).
• KeyGen : The key generation algorithm takes a security parameter as input and returns two key pairs (pk sig , sk sig ) and (pk ed , sk ed ) . That is: ( (pk sig , sk sig ) , (pk ed , sk ed )) ← KeyGen(1 ). • OrigAuth : The authentication algorithm OrigAuth takes a signer's private key sk sig , an editor's public key pk ed , an editing rule ER, and an image M as input. It outputs an original signature σ . That is: σ ← OrigAuth(sk sig , pk ed , M, ER).
• Edit : The editing algorithm Edit takes the signer's public key pk sig , the editor's private key sk ed , an image M, an editing strategy ES, and an original signature σ as input. It outputs a signature σ E together with the processed image M E . That is (σ E , M E ) ← Edit(pk sig , sk ed , M, σ , ES). • Verify : The verification algorithm Verify takes the signer's public key pk sig , the editor's public key pk ed , a signature σ , an image M, and an editing rule ER as input. It outputs a bit b ∈ {0, 1} . That is: b ← Verify(pk sig , pk ed , M, σ , ER). • Proof : The proof algorithm Proof takes the signer's private key sk sig , the signer's public key pk sig , the editor's public key pk ed , and an image/signature pair (M, σ ) which has been obtained by a polynomial entity as input. It outputs a proof π . That is π ← Proof(sk sig , pk sig , pk ed , M, σ ) . This algorithm is issued by the signer. • Judge: The judge algorithm Judge takes the signer's public key pk sig , the editor's public key pk ed , the signature σ , a proof π , and an image M as input. It outputs d ∈ {Signer, Editor, ⊥} . That is d ← Judge(pk sig , pk ed , M, σ , π).

Security model
Given free access to two oracles O OA and O ED , our scheme requires that these is no PPT adversary can compute a valid signature for an image which has been edited against the editing rule, or a new image which is completely different from the original one. The security is defined as unforgeability and formalized with the following game EXPU: Definition 2 Our scheme is unforgeable if any probabilistic polynomial time (PPT) adversary has a negligible success probability: Pr[EXPU ( ) = 1] ≤ neg( ) , here neg is a negligible function of . EXPU ( ) (pk sig , sk sig ), (pk ed , sk ed ) ← KeyGen(1 ); � ← ∅; (M, σ ) ← O OA (sk sig , ., ., .); On input(M i , ER i ), O OA is defined as

Construction
We present a design based on previous achievements of existing works Ateniese et al. 2005;Chabanne et al. 2017;Guo et al. 2016). When an image needs to be edited in some areas, image pixels are modified and even substituted by arbitrary other pixels. Motivated by sanitizable signature schemes based on chameleon hashes, our design overview is shown in Fig. 4. The signer uses OrigAuth algorithm to authenticate the image, in which the chameleon hashing algorithm is used to calculate the hash value of editable image block and the collision-resistance hashing function is used to calculate the hash value of non-editable region. The editor uses the Edit algorithm to modify the image and update the randomness so that the original signature remains valid. The verifier can use the Verify algorithm to verify the authenticity of the image. We give the technical details as follows: Algorithm 1 KeyGen: The key generation algorithm

Input:
A signer's private key sk sig ; An editor's public key pk ed ; An image M ; An image editing rule denoted by ER; Output: An original signature σ; 1: Divide M into n non-overlapping image blocks with the same sizes denoted by {M i } 1≤i≤n ; 2: H : {0, 1} * → {0, 1} q ; 3: for all i = 1 to n do 4: Draw randomness r i ∈ Z q ; 5: if i ∈ ER then 6: end if 10: end for 11: t ← DSS.Sign(h 1 ||h 2 || . . . ||h n ||ER, sk sig ); 12: σ ← (t, < r i > 1≤i≤n , ER); 13: return σ; In Algorithm 2, on input sk sig , pk ed , image M and an editing rule ER, it outputs a signature σ . The function of the algorithm is to set the editable area of the image and the authenticated image is run by the signer. Algorithm 3 takes the signer's public key pk sig , the editor's private key sk ed , an image M, an original signature σ , and an editing strategy denoted by ES as input. It outputs

Input:
A signer's public key sk sig ; A editor's public key pk ed ; An image M ; The original signature σ; An image editing rule denoted by ER; Output: A bit b ∈ {0, 1}; 1: Divide M into n non-overlapping image blocks with the same sizes denoted by {M i } 1≤i≤n ; 2: for i = 1 to n do 3: if i ∈ ER then 4: h i ← CHS.Hash(pk ed , M i , r i ); 7: end if 8: end for 9: b ← DSS.Verify(pk sig , h 1 ||h 2 || . . . ||h n ||ER, t); 10: return b; a signature σ E together with the edited image M E . The algorithm is run by the signer to modify the image and produce a valid signature for the modified image.
Algorithm 4 takes the signer's public key pk sig , the editor's public key pk ed , an image M, a signature σ and an editing rule ER as input. It outputs a bit b ∈ {0, 1} . The algorithm is run by a verifier to detect the authenticity of the image. If b = 1 , the image is authentic; otherwise, the image is untrusted.
Algorithm 5 Proof: The proving algorithm

Security analysis
In our paper, the original image is blocked and divided into several non-overlapped parts. The image owner decides which parts can be modified but which cannot, which we called editing rule denoted by ER. To handle the rule, the non-editable image blocks are hashed by collision-resistance hash functions, while the editable image blocks are hashed by chameleon hash functions. These hash values are used to compute a signature. If the editor modifies the non-editable areas, the hash values computed by the collision-resistance hash functions will be changed, which will invalidate the signature. Therefore, the editor can only modify the content of editable image blocks hashed by the chameleon hash functions.
Second, to allow an image editor to modify the editable areas in the image, the image owner generates randomness r and computes a hash value h = CHS.Hash(b, r) for each block b. With security of chameleon hash functions, only an authorized editor (the trapdoor holder) can generate another randomness r ′ for a modified block b ′ which stratifies CHS.Hash(b, r) = CHS.Hash(b ′ , r ′ ) , which will not invalidate the signature. Since the aforementioned editing behavior is public verifiable (with a unique pubic key of the trapdoor holder), editing operation is undeniable and accountable. Furthermore, the ER is also input of the signature, so the ER is also immutable. The security of our scheme is guaranteed by the unforgeability of the digital signature and both security of collision-resistant hash functions and chameleon hash functions.
In this section, we will analyze the security of our scheme according to the security definition.
Theorem 6.1 Our scheme is unforgeable if an ordinary signature scheme is EUF-CMA secure and a chameleon hash scheme is collision-resistance.

Proof
Let A be a PPT adversary against our scheme. Suppose that A has forged a signature σ * with a value t * for an image M * . Let M i be A 's ith query to the authenticating oracle O OA and its answer is σ i which contains t i . We first define two events.
Let P [Ev] represent the probability that the adversary A outputs a successful forgery. Let P[Ev1] denote the probability that Event 1 occurs and P[Ev2] denote the probability of Event 2 occurs.
In the following, we show that successful completion of Event 1 breaks the unforgeability of the signature scheme and successful completion of Event 2 breaks the collision resistance of the chameleon hash. If the digital signature is unforgeable and the chameleon hash function is collision-resistant, the probability of the adversary successfully completing Event 1 and Event 2 is negligible, so our scheme is unforgeable.
In Event 1, let D be a PPT adversary of DSS. D just needs to simulate the authentication oracle O OA . First, D generates CHS's public and private key pair and sends the CHS public key and DSS's challenge public key to adversary A . Then, to answer A 's i th query, D runs the OrigAuth algorithm to compute the signature σ for A with the help of the signing oracle in DSS.
In Event 2, A can be used to build an adversary C of a collision-resistant chameleon hash. First, C generates DSS's public and private key pair and sends the DSS public key and CHS's challenge public key to adversary A . Then, C uses the underlying signing algorithm to simulate the Editing oracle O ED .
Then, to answer A 's i th query, C runs the Edit algorithm to compute the signature (M i E , σ i E ) for (M i , ES i ) to A with the help of the chameleon hash oracle in CHS.
(4) Let (M * , σ * ) be the output of A . Let's assume that t * = t k , here M * � = M k ∧ M * � = M k E . C can be calculated from the effective chameleon hash h * i = h i without using trapdoor with the help of (M * , σ * ) . Observe that in Event 2, r * i is different from each σ k E 's r i which C has queried to its own underlying chameleon hash oracle. This breaks the collision-resistance of the underlying chameleon hash. Assuming the underlying CHS satisfies collision-resistance, P[Ev|Ev2] is negligible.
Therefore, if an ordinary signature scheme (DSS) is EUF-CMA secure and an CHS scheme is collision-resistance, the probability for an adversary A to forge a valid signature for a new image in our scheme is negligible. We complete the proof of Theorem 1.1.

Experiments and evaluation
In this section, we provide the simulation of our scheme.

General analysis
For a concrete instantiation, we choose the RSA signature scheme and the chameleon hash in . Since the computation of the hash function: H : {0, 1} * → {0, 1} q are efficient, we only consider the following two more time-consuming operations in our scheme. (1) Multiplication operation denoted by P; (2) Exponentiation operation denoted by E. The communication cost of a digital signature denoted by l, size of randomness r i denoted by Q, size of the editing rule ER denoted by le, and the edited image M E denoted by ME.
Assuming that the image is divided into n sub-images and the number of editable areas is m, we summarize the computation and communication costs in Table 1.
From the perspective of efficiency, the computational cost of our scheme increases with the number of editable areas, and the communication cost increases with grain of the image segmentation.

Instantiation and performances
We carry out our experiments in a PC (CPU: IntelCore I5 7500; Memory: 8 GB (3400 MHz)). We use C++ language coding cryptographic algorithms combined with OpenCV and the Miracl libraries, and the code is compiled by Visual Studio 2017.
Firstly, we demonstrate the efficiency of our scheme through simulation experiments. We use 512 × 512 images to simulate the application of the scheme. In this image, the total number of original pixels is 262144, which is divided into 16 blocks with 16384 pixels in each block. The rule ER is defined to determine which areas cannot be changed. We concatenate the immutable areas and takes them as the input of SHA-256 together with ER. The size of the original message is 6291888 bits. We use SHA-256 to compress the original image to a 256-bit message. The key size of an RSA signature is 1024 bits.
We select more standard images and adopt the control variable method in Fig. 5 to evaluate the efficiency of the scheme and the main factors affecting the efficiency. We summarize the information about these pictures in Table 2. The results are given in Tables 3, 4 and 5. OrigAuth m · P + (2m + 1) · E l + n · Q + le Edit 2m · P + (3m + 1) · E l + n · Q + le Verify m · P + (2m + 1) · E − shows the results of the same image with a different number of areas. For example, when picture NO. 5 is divided into 16 blocks and the number of editing blocks is 1, the size of the areas is 128 × 128 , the average time of the Sign algorithm is 6.1 ms, the execution time of Edit is 4.8 ms, and the execution time of Verify is 3.2 ms. The results in Table 3 also show that the more segmented areas there are, the longer the computation time will be. In other words, the smaller the size of the image block, the greater the calculation cost. Table 4 shows the results of different numbers of editing areas in the same image, and the computation time increases linearly with the number of editing areas. When image NO. 5 is divided into 16 blocks and the number of editing blocks is 8, the average time of Sign algorithm is 13.5 ms, the execution time of Edit is 26.4 ms, and the execution time of Verify is 11.5 ms. Table 5 shows the results of different images with the same editable areas. Figure 6 provides the results of different images with different editable areas. From Table 5