JP2009213083A - Image compression method and apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem that, when performing encryption processing or decryption processing using a processor with a software, arithmetic with a great processing load such as, e.g., exclusive OR is required, further, when simultaneously performing image compression processing using the processor, throughput margin is easily exhausted but when the encryption processing load is great, entire throughput is lacked, image compression processing can not be performed in real time, and frame omission may occur occasionally. <P>SOLUTION: Regrading image compression data of a variable length coding system, an encryption processing section is periodically operated so that encrypted data and plaintext data coexist periodically. Therefore, since a data portion concealed by encryption cannot be known, regarding the plaintext data that appear periodically, its value or code length are not known, either, so that a data portion to be encrypted cannot be estimated, either, as a result. Thus, by periodically operating the encryption processing section, the processing load of a processor is reduced. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an image compression apparatus that periodically encrypts and outputs image data.

With the recent development of network technology, image data has been digitized and transmitted over a network. In order to transmit via a network, image data is generally subjected to image compression processing to reduce the amount of transmission data.
However, with the widespread use of networks, digital data such as image data is often transmitted via a public network such as the Internet, and the contents of the transmitted data may be received by anyone. Is also increasing.
For this reason, for example, when using a network camera for the purpose of monitoring or the like, when data is transmitted over a network, the confidentiality of the transmitted data becomes a problem. Is required.

  There are two main approaches to encrypting data for use in network transmission. The first method is to encrypt the entire transmission line of the network. A typical technology is VPN (Virtual Private Network). The second method is a method of encrypting and transmitting digital data. The second method can perform encryption regardless of the type of transmission path. For this reason, even when a recording device such as a hard disk recorder is connected, the digital data can be recorded as it is encrypted.

In the encryption method for the purpose of transmitting image data, the stream encryption method that sequentially encrypts in bit units or byte units has an arbitrary data length rather than the block encryption method that encrypts every fixed size. It is suitable for real-time transmission of compressed image data.
Further, in recent transmission devices, an increasing number of products execute image compression processing by software using a processor or the like, and encryption processing is also executed by software. However, in the case of moving image data acquired and transmitted for the purpose of monitoring or the like, even if the data is compressed, the data amount is several [Mbps: Mega bit per second]. For the stream encryption method, a high-speed algorithm has been devised for real-time transmission. However, when executed by software, the processing time is limited due to the ability of the processor to execute the software.

A conventional encryption method will be described with reference to FIG. FIG. 1 is a block diagram showing a configuration of an image compression apparatus that encrypts image data using conventional software and transmits the encrypted data. Reference numeral 150 denotes a camera that acquires a moving image within the visual field range, 1 denotes video data output from the camera 150, 7 denotes a compression processing unit that compresses the video data 1, 2 denotes compressed data output from the compression processing unit 7, and 11 denotes compression A memory unit for recording data, 2 'is compressed data that is encrypted data output from the memory unit 11, 8 is an encryption processing unit, 4 is encryption data output by the encryption processing unit, and 12 is recording encryption data The memory unit 4 ′ is encrypted data output from the memory unit 12, 9 is a distribution processing unit that converts the encrypted data 4 ′, 5 is distribution data output from the distribution processing unit 9, and 160 transmits the distribution data 5. Network, 100 is an image compression apparatus, 101 is a processor unit, and 19 and 19 'are memory read control signals.
The image compression apparatus 100 mainly includes a compression processing unit 7, an encryption processing unit 8, a distribution processing unit 9, and a processor unit 101 including the three processing units, a memory unit 11, and a memory unit 12. The processor unit 101 is a processor unit that incorporates the functions of the components 7 to 9 in the image compression apparatus 100 and accesses the memory unit 11 and the memory unit 12 to execute software processing.
In the configuration of FIG. 1, an example is shown in which the compression processing unit 7 and the distribution processing unit 9 are part of software processing executed by the processor of the processor unit 101. However, a configuration in which the processing of the two processing units is processing executed outside the processor unit 101 may be used.

In FIG. 1, video data 1 output from the camera 150 is input to the compression processing unit 7 of the image compression apparatus 100.
In the image compression apparatus 100, the compression processing unit 7 performs image compression processing on the input video data 1 and outputs the compressed data 2 to the memory unit 11. The memory unit 11 stores the input compressed data and outputs it as compressed data 2 ′. The encryption processing unit 8 performs encryption processing of the compressed data 2 ′ input from the memory 11 and outputs the encrypted data 4 to the memory unit 12.
The memory unit 12 stores the input encrypted data 4 and outputs it as encrypted data 4 ′. The distribution processing unit 9 converts the encrypted data 4 input from the memory unit 12 into data conforming to the protocol of the network 160, and outputs the converted data to the network 160 as distribution data 5 (see, for example, Patent Document 1). ).
In the memory units 11 and 12, the input data and the reference number of the output data are different from each other. However, there is no substantial difference in the format and contents of the data, and for the sake of explanation, they are distinguished. Are given different reference numbers.

JP 2006-109428 A (FIG. 7, etc.)

As described above, as a feature of the stream encryption method, sequential encryption is performed in units of bits or bytes. In addition, MPEG-4 (Moving Picture Experts Group), JPEG (Joint Photographic Expert Group), MPEG-4 AVC / H. An image compression technique represented by H.264 (MPEG-4 Part 10 Advanced Video Coding / ITU-T Rec H.264) or the like generates compressed data in byte units. For this reason, the affinity between the two is very high.
However, in the above-described prior art, when this encryption processing is executed by the software of the processor, an operation with a large processing load, for example, exclusive OR (hereinafter referred to as XOR) is required.
Furthermore, when the image compression processing is executed simultaneously by the processor, it is easy to lose the processing capacity. Therefore, if the load of encryption processing is large, the overall processing capability is insufficient, and in the worst case, the image compression processing cannot be executed in real time, and frame loss may occur.
The above problem is the same in the decryption process of the encrypted data. In the case of the decryption process, there is a problem that the processing capacity of the processor is insufficient on both the transmission side and the reception side when the processing load is large. It was.
An object of the present invention is to provide an image compression method and apparatus capable of solving the above-described problems and reducing the processor processing load of encryption processing and decryption processing that is a pair thereof.

In order to achieve the above object, the image compression method of the present invention does not encrypt the entire encryption target area of the variable length encoded image compressed data, but periodically performs encryption processing and non-encryption processing. The encryption data and the plaintext data are periodically mixed.
That is, the image compression method of the present invention is an image compression method for encrypting compressed image data composed of variable length codes and distributing it to a network. Data and unencrypted data are arranged.

The image compression apparatus according to the present invention includes a compression processing unit that performs variable-length encoding on image data and outputs compressed image data, an encryption processing unit that performs encryption processing on the image compression data and outputs encrypted data, and the encryption An image compression apparatus comprising a distribution processing unit for distributing data to a network, wherein the encryption processing unit partially encrypts data in an encryption target area in a frame of the image compression data and outputs partial encryption data A partial cipher processing unit, a data switch for inputting the image compression data and the partial cipher data, and outputting one of the data, and a control unit for controlling the data switch. The control unit encrypts the data in the encryption target area at a predetermined cycle, and sets the data in the encryption target area of the compressed image data as encrypted data at the predetermined cycle. Goka was not data is obtained by arranging the.
Preferably, the compression processing unit of the image compression apparatus according to the invention is a compression processing unit that outputs size information of compressed data, and the control unit of the encryption processing unit performs the encryption according to the size information of the compressed data. The data in the target area is arranged with the encrypted data and the unencrypted data in the predetermined cycle.

  According to the present invention, it is possible to reduce the processor processing load in encryption processing and decryption processing by using the image data compression apparatus that periodically operates the encryption processing unit.

The image compression apparatus of the present invention does not encrypt all the data area to be encrypted in one image frame of variable-length-encoded image compressed data, performs encryption processing and non-encryption processing at a predetermined cycle, Encryption data and plaintext data are mixed in a predetermined cycle.
In the case of normal electronic data, the data value of the encrypted data portion is expected due to the presence of plaintext data. However, if the compressed image data adopting variable-length encoding is to be encrypted, this data value is expected. Even if plaintext is mixed as in processing, it is impossible to know where the data part hidden by encryption is. For this reason, even plaintext data that appears periodically does not know its value or code length, and as a result, the encrypted data portion cannot be predicted.
Further, the processing load on the processor can be reduced by stopping the cryptographic processing operation at a predetermined cycle in this way.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the drawings including the drawings used for the description of the prior art, components having a common function are denoted by the same reference numerals, and description thereof is omitted to avoid duplication.

  An embodiment of the image compression apparatus of the present invention will be described with reference to FIGS. FIG. 2 is a block diagram showing the configuration of an embodiment of the image compression apparatus of the present invention. Reference numeral 200 denotes an image compression apparatus, 3 denotes an encryption processing unit, 6 and 6 'denote encrypted data, and 14 denotes compressed data size information. The configuration of the image compression apparatus 200 in FIG. 2 is substantially the same as the configuration of the conventional image compression apparatus 100 in FIG. 1, except that the cryptographic processing unit 8 is replaced with a cryptographic processing unit 3 that is different in operation from the internal configuration. Different from 1. The compressed data size information 14 is output from the compression processing unit 7 to the encryption processing unit 3.

The configuration and operation of the compression processing unit 7 in FIG. 2 will be described with reference to FIG. FIG. 3 is a block diagram showing the configuration of an embodiment of the compression processing unit used in the image compression apparatus of the present invention. 27 is an image compression unit, 13 is compressed data output from the image compression unit 27, 14 is compressed data size information output from the image compression unit 27, 16 is stuffing size information, 17 is a stuffing number calculation unit, and 18 is stuffing. The generation unit 15 is stuffing data output from the stuffing generation unit 18, and 102 is an addition unit.
The image compression processing unit 7 includes an image compression unit 27, a stuffing number calculation unit 17, and a stuffing generation unit 18. The stuffing data is “stuffing data”, which is data that is added to adjust to a predetermined number of data and is unrelated to the compressed image data. For example, in the MPEG-4 standard, stuffing is data in which the first 1 bit is “0”, the subsequent bits are “1”, and “1” continues to the byte boundary by the required amount of data. is there.

In FIG. 3, the video data 1 input to the image compression apparatus 200 is input to the image compression unit 27 of the image compression processing unit 7. The image compressing unit 27 compresses the input video data 1 and outputs the compressed data 13 to the adding unit 102 as well as the data size of the compressed data 13 to the stuffing calculating unit 17 as the compressed data size information 14. At the same time, the data is output to the encryption processing unit 3.
The stuffing number calculation unit 17 calculates the stuffing number necessary to match the target data size based on the input compressed data size information 14 and outputs the stuffing size information 16 to the stuffing generation unit 18. .
The stuffing generator 18 outputs a necessary number of stuffings from the input stuffing size information 16 to the adder 102 as stuffing data 15.
The adding unit 102 adds the stuffing data 15 to the compressed data 13 input from the image compression unit 27 and outputs the compressed data 2 to the memory unit 11.

In the stuffing number calculation unit 17, a target data size is assumed to be predetermined and is changed by a user operation or pre-registered software.
The purpose of adding stuffing is to adjust the data amount to adjust to the target generated code amount, or to adjust the data size to a size suitable for hardware, for example, a multiple of 4.

  Next, the configuration and operation of the cryptographic processing unit 3 in FIG. 2 will be described with reference to FIG. FIG. 4 is a block diagram showing a configuration of an embodiment of an encryption processing unit used in the image compression apparatus of the present invention. 103 is an XOR operation unit, 19 is a memory read control signal, 20 is a data switching signal, 25 is a key stream, 26 is key data, 28 is an initial vector, 29 is a key stream generation control signal, 34 is a flag addition control signal, 32 Is a flag, 24 is an encryption processing control unit, 104 is a data switch, 105 is a flag switch, 23 is a key stream generator, 21 is an initial vector generator that generates an initial vector 28 and outputs it to the key stream generator 23, An encryption key management unit 22 outputs the key data 26 to the key stream generation unit 23, and a flag generation unit 33 generates a flag 32 and outputs the flag 32 to the flag switch 105.

In FIG. 4, the cryptographic processing control unit 24 of the cryptographic processing unit 3 outputs a memory read control signal 19 to the memory unit 11 to read the compressed data 2 ′ from the memory unit 11.
The input compressed data 2 ′ is divided into a first system that is directly input to the data switch 104 and a second system that is input to the XOR operation unit 103. In addition, the compressed data size information 14 output from the compression processing unit 7 is input to the cryptographic processing control unit 24 of the cryptographic processing unit 3, and the data switching signal 20 is sent to the data switching unit 104 according to the compressed data size. The key stream generation control signal 29 is output to the key stream generation unit 23, and the flag addition control signal 34 is output to the flag switch 105. For example, the encryption processing control unit 24 compares the compressed data size 14 with a predetermined threshold value, and outputs a data switching signal 20, a key stream generation control signal 29, and a flag addition control signal 34 according to the result. The threshold value will be described later.
There are several types of flags 32 output by the flag generator 33. A flag type selection signal 35 for selecting the type of the flag is output from the encryption processing unit 24 to the flag generation unit 33. The type of flag will be described later.

The data switch 104 is switched by the data switching signal 20 output from the encryption processing control unit 24, and outputs one of the two input systems. Thereby, plaintext (first input system) data and ciphertext (second input system) data that are not encrypted can be switched and output to the memory 12 as encrypted data 6 via the flag switch 105. it can.
The key stream generation unit 23 generates a pseudo random number from the input initial vector 28 and the key data 26, and outputs the generated pseudo random number as the key stream 25 to the XOR operation unit 103. The XOR operation unit 103 generates encrypted data 6-1 by combining the two input data (the key stream 25 and the compressed data 2 ′). The combination method is, for example, a process of executing XOR (XOR process).

The encryption processing control unit 24 also controls the data switch 104. That is, the encryption processing control unit 24 generates the data switching signal 20 and outputs the data switching signal 20 to the data switching unit 104, and the data switching unit 104 switches the output of the input data at the switching timing based on the input data switching signal 20.
Further, the encryption processing control unit 24 outputs a memory read control signal 19 for reading the compressed data 2 ′ from the memory unit 11 to the memory unit l1 in accordance with the switching timing of the data switching signal 20.
The cryptographic processing control unit 24 also outputs a key stream generation control signal 29 that controls the timing at which the key stream generation unit 23 outputs the key stream 25 to the key stream generation unit 23.
The encryption processing control unit 24 outputs a flag addition control signal 34 to the flag switch 105. In accordance with this flag addition control signal 34, the flag switch 105 outputs either the compressed data 6-2 input from the data switch 104 or the flag 32 input from the flag generator 33. The flag 32 is data in which various types of information relating to encryption are stored in a predetermined location of the encrypted data 6. The meaning of this flag will be described later.

  By such processing, the compressed data 2 ′ output from the memory unit 11 passes through the data switch 104 and is first encrypted encrypted data 6-1 and unencrypted plaintext data (compressed data 2 Encryption data 6-2 in which ') is mixed in a predetermined cycle is output. Further, by passing through the flag switch 105, the encrypted data 6 in which the flag 32 is inserted into the respective data is output to the memory unit 12.

There are various methods for encryption. For example, as an example, the encrypted data 6-1 is generated by XORing the compressed data 2 ′ and the key stream 25. The key stream 25 generates a random number sequence from the key data 26 and an initial vector 28 whose initial value changes every time. Since the random number sequence generated by software is not a true random number, it is called a pseudo-random number.
The operation of the encryption processing unit 3 will be further described with reference to FIG. FIG. 5 is a diagram for explaining the data structure of encrypted data according to an embodiment of the present invention. The horizontal axis is a time axis, and time elapses from left to right (the left is the older processing order in time). 500-1 and 500-2 are image frame data for one frame, 511 is a header data area of the image frame data 500-1, 512 is an encryption target data area of the image frame data 500-1, and 52 is a header data area. Reference numeral 511 denotes a frame header area, 53 denotes an initial vector area of the header data area 511, 54 denotes a flag area of the header data area 511, and 55-1, 55-2, and 55-3 denote ciphertext data in the encryption target data area 512. Areas 56-1, 56-2, and 56-3 are plaintext data areas of the encryption target data area 512.

In FIG. 5, the horizontal axis is an inter-axis, which is input or output in the order of data from the left part to the right part.
As shown in FIG. 5, the configuration of the encrypted data 6 output from the encryption processing unit 3 is data in which a plurality of image frames (...,..., Image frames 500-1, 500-2,. It is a stream.
For one image frame, the header data area 511 is a plaintext data area that is not encrypted.
The encryption target area 512 is a data area in which image data or audio data input from the camera 150 or the like is written, and a part of the plaintext data area 56-1, 56-2, 56- is included in one frame. 3, the plaintext data written in 3 etc. and the data area are divided into encrypted data written in the ciphertext data areas 55-1, 55-2, 55-3, etc. Two types of data, namely encrypted data and non-encrypted plaintext data, are written together.

The header data area 511 includes, in addition to the frame header area 52, an area for storing flags indicating various states (flag area 54), and an initial vector to be acquired as a pre-stage for decrypting encrypted data on the receiver side. It is a special collection of unencrypted data such as a called data area (initial vector area 53).
When the header of the image compression data is included in the data written in the header data area 511, the cycle in which the plain text data appears is related to the cycle in which the header of the image compression data appears. For example, when plaintext data includes a header representing each frame of an NTSC (National Television Standards Committee) image, the cycle in which plaintext data appears is about 30 times per second.
Furthermore, when the initial vector 28 used for encryption is included in the encrypted data 6 ′ and transmitted, the initial vector 28 is used for decryption of the encrypted data, and therefore needs to be transmitted as plain text data. For example, the initial vector 28 is written in the initial vector area 53.

The encryption target data area 512 has a configuration in which ciphertext and plaintext, which are one of the features of the present invention, are arranged at a predetermined cycle.
In normal image data encryption, all data in the encryption target area 512 is encrypted for each frame. However, in the present invention, the data in the encryption target area 512 is switched so that the plaintext data is not cryptographically processed in a predetermined cycle, and the plaintext data and the encrypted data are mixed in a predetermined cycle.
The operation of the data switch 104 will be described with reference to FIG. FIG. 6A is a diagram for explaining an example of the operation of switching between ciphertext and plaintext (intermittent processing) in the encryption processing of the present invention. FIG. 6B is a truth table of the XOR operation unit 103. In addition, c1, d2, c3, d4, c5, and d6 are data written in the data area corresponding to the data area of the encryption target area 512 in FIG. 5, and the data c1 is the data area 55 of the ciphertext. -1 is written, data d2 is written to the plaintext data area 56-1, data c3 is written to the ciphertext data area 55-2, and data d4 is written to the plaintext data area 56-2. The data c5 is written in the ciphertext data area 55-3, and the data d6 is written in the plaintext data area 56-3. D1 to d6 are compressed data 2 ′ (see FIG. 4) data corresponding to the data c1, d2, c3, d4, c5, and d6, respectively.

In FIG. 6, when encryption processing is performed on 6-byte plaintext data (compressed data 2 ′) to be encrypted, the key stream 25 has half the number of data s1 to s3 for the plaintext data d1 to d6. Is output. That is, the plaintext data d1 to d6 are input to the encryption processing unit 3 (see FIG. 4) in order of data d1, d2, d3,..., And the data d1 is input to the XOR operation unit 103. In synchronization, the data s 1 of the key stream 25 is input from the key stream generation unit 23 to the XOR operation unit 103. Similarly, data s2 is input in synchronization with data d3, and data s3,... Is input in synchronization with data d5.
First, the plaintext data d1 and the data s1 of the key stream 25 are XORed to obtain the data c1 of the encrypted data 6-2. At this time, the data switch 104 is switched by the data switch signal 20 so that the plaintext data (compressed data 2 ′) and the data c1 obtained by XORing the key stream 25 are output to the flag switch 105.
Next, when the plain text data d2 is input, the data switch 104 is switched, and is output as it is as the plain text data d2 without passing through the XOR processing operation unit 103.
Similarly, when plaintext data d3 is input, s2 is output from the key stream 25, XOR calculation processing is performed, and encrypted data c3 is output. Next, when plaintext data d4 is input, it is output as plaintext data d2 as it is.
Hereinafter, this is repeated. That is, the key stream 25 is output from the key stream generation unit 23 at half the speed at which plaintext data (compressed data 2 ′) is input.

In the embodiment of FIG. 6, a key stream having a data amount half that of plaintext data is output. As a result, the data written in the encryption target area 512 of the encrypted data 6 is the ratio between the encrypted data and the plaintext data. Is a 1: 1 ratio in bytes. That is, the encryption process including the XOR operation process can be reduced to half of the usual.
Note that the ratio of the encryption data and the plaintext data need not be 1: 1. For example, the ratio may be 2: 1, or a ratio (4: 4) in which 4 bytes of plaintext data continues after 4 bytes of encrypted data continues. In order to control this switching process, the cryptographic process control unit 24 controls the key stream generation unit 23 to output the data switching signal 20. The operation of the encryption processing control unit 24 will be described later.

The above-described periodic arrangement of the encrypted data and plaintext data and the nature of the compressed image data will be described in detail with reference to FIG. FIG. 7 is a diagram for explaining an embodiment of encryption processing in which encrypted data and plaintext data appear in a predetermined cycle according to an embodiment of the present invention. The horizontal axis is a time axis, and time elapses from left to right (the left is the older processing order in time).
(a) shows that it appears every 8 bits in the figure showing byte boundaries. The amount of data delimited by this boundary is one byte.
(b) is a data switching signal 20, which is output to the data switch 104, encrypts the data d1, d3, d5 at the Hi level, and outputs the data d2, d4, d6 as plain text at the Lw level. These are signals for controlling the data switch 104.

(c) shows the compressed data 2 ′, which is variable-length encoded, so that the code length differs in bit units.
(d) shows that the code length which differs in bit units of the compressed data 2 ′ in (c) differs depending on the code value (compressed data size information 14). In the embodiment of (d), the code length of each code of the compressed data 2 ′ is 3 bits, 3 bits, 4 bits, 3 bits, 2 bits, 5 bits, and 4 bits in order.

(e) is encrypted data 6 obtained by performing encryption processing on data having such a code length in accordance with the data switching signal 20. The data area 74 is a part of a data area in which data 71 having a bit length of 4 is written. However, since the two bits in the first half of the code value are encrypted, the first two bits have a data value different from that in plain text. Since the data 71 is variable-length code data including the portion of the encrypted data area hidden, the data value of the data area 74 and the data value of the hidden data area are not known. And the position where the data 71 starts cannot be specified. Therefore, the data in the data area 74 cannot be determined.
Further, if the data value from the beginning of the variable length code cannot be discriminated even by 1 bit, the code length itself is not known, so that the delimiter itself of the data area 74 cannot be specified after the encryption processing. Since the delimiter of the data area 74 is not known, it does not know where the data area 75 that is not encrypted as plaintext following the data area 74 starts, and the code length is unknown. Therefore, the data in the data area 75 cannot be determined. Thereafter, the code of the data area 76 is similarly unknown, and the data cannot be discriminated.
As described above, since the encryption target data 512 is a variable-length code, even if plaintext data that is not encrypted is sandwiched between the encrypted data, it is not possible to specify which code is the plaintext data itself. Therefore, it is impossible to guess the encrypted data.

However, when a still image portion is included in the input image, the still image portion becomes the same digital image data in successive image frames. In the case of the moving image compression method, when the data of the previous image frame and the data of the image frame to be compressed are the same, it is only necessary to set a flag (hereinafter referred to as an encoded flag) indicating the same data. In some cases, the compression process for one block of a rectangular area is completed. For example, when the upper half of the image data in one frame is the same as the data of the previous image frame, the encoded data flag is only set for the first few bytes of the compressed data. As a result of this processing, the output compressed data is a set of only encoded flags regardless of the complexity and picture of the input image, and the same compressed data may continue to be output every frame.
As already mentioned, since plaintext data appears in a predetermined cycle, this plaintext data is used to confirm how the plaintext data has been encoded flag for those who try to decrypt the code illegally. Give clues.
In other words, since it is variable-length encoded data, it does not know the code breaks of periodically appearing plaintext data, and contrary to the premise that plaintext data cannot be specified without being classified, it is easy to The plaintext data can be guessed. This is not desirable because it leads to decrypting the ciphertext.
Therefore, processing for a series of encoded flags is added.

For example, if one frame of image data is compressed and the data size is smaller than a certain value, it can be determined that the data size is reduced because the encoded flag is continuous.
This is because the compression efficiency when consecutively encoded flags are added can be several times more efficient and the data size can be reduced compared to the case where an image is compressed by a normal compression means.
Therefore, in order to correspond to an input image including a still image portion, when the compressed data size is smaller than a certain threshold, the appearance of periodic plaintext data is stopped and the process is switched so as to encrypt all the compressed data. Since this method is also a countermeasure when the processing load due to encryption is large, if only the compressed data size is small, even if all the compressed data is encrypted, the processing load is small and the performance is hardly affected. That is, it is desirable to calculate the data size threshold that can encrypt all the compressed data from the margin of processing load due to encryption.
Note that how the compressed data size changes due to the continuation of the encoded flag may be determined from an actually measured value. This data size depends on the compression processing method.
Further, in order to inform the receiving side whether all the compressed data has been encrypted or whether plain text data periodically appears, identification information is added to the compressed data by the flag generation unit 33 as will be described later.

Now, it is the encryption processing control unit 24 that implements the function of switching between encrypted data and plaintext data periodically or at a predetermined cycle of the present invention (see FIG. 4).
The operation of the encryption processing control unit 24 will be described with reference to the flowchart of FIG. FIG. 8 is a flowchart for explaining an embodiment of the control method of the cryptographic processing unit of the present invention. The processing in the flowchart of FIG. 8 is processing for compressed data (plaintext data) for one frame of an image.
The meaning of the symbols in the figure is as follows: i is the position of the compressed data currently being processed, and j is the cipher and plaintext in the encryption target area 512 as a unit (hereinafter referred to as a cipher / equal share pair). Number of processed bytes, L is the total number of bytes of compressed data of one frame, F is a position where a flag is inserted, P is an end position of plaintext data (header data 511) including a header, and C is an end position of the encryption target area 512 (= L−1), M is the number of bytes in the encrypted part of the encryption / plaintext pair, and N is the number of bytes in the plaintext part of the encryption / plaintext pair. In the case of processing in which 1 byte of encrypted data and 1 byte of plaintext data appear periodically in the embodiment of FIG. 7, M = 1 and N-1.

In FIG. 8, in the counter value initialization processing step 81, the counter values of i and j are set to 0 (i = 0, j = 0).
In the frame length determination processing step 82, it is determined whether or not the position i currently being processed is smaller than the total number of bytes L of compressed data (i <L?). The process ends.
In the flag position determination processing step 83, it is determined whether or not the current processing position i is equal to the position F where the flag is inserted (i = F?). If they are equal, the process proceeds to step 84, and if they are not equal, the process proceeds to step 85.
In the flag addition process 84, after adding a flag to the compressed data, the process proceeds to step 84.
In the encryption range determination processing step 85, it is determined whether or not the current processing position i is after the end position P of the plaintext data and before or equal to the end position C of the encryption target area 512 (P <i ≦ C?). If it is determined and this is true, it is the encryption target area, so the process proceeds to step 86. If not, the process proceeds to step 91 without performing the encryption process because it is the header data area 511.

In the signal switching determination process 86, it is determined whether or not the counter value j indicating the processing position of the cipher / plaintext pair is smaller than the length M of the cipher part of the cipher / plaintext pair (j <M), or compression. It is determined whether or not the data size is equal to or smaller than the threshold value. If either of them is established, the process proceeds to step 87.
That is, when the counter value j is smaller than the length M of the encryption part of the encryption / plaintext pair, the process proceeds to the encryption process. If not, the compressed data size is further confirmed and the data size is set to a predetermined threshold value. It is determined whether or not: If it is equal to or less than the threshold value, the process proceeds to an encryption process, and if not, the process proceeds to a process for outputting the plain data.
In step 86, the compressed data size is first checked to determine whether the data size is equal to or smaller than a predetermined threshold value. If not, the counter value j is set to the cipher / plaintext pair cipher. It may be determined whether or not the length is smaller than the length M of the portion (j <M).

In the data switching signal Hi output step 87, the data switching signal 20 is output as Hi (see FIG. 7B). In the data switching signal Lw output step 88, the data switching signal 20 is output as Lw (see FIG. 7B).
In the signal switching cycle determination processing step 89, it is determined whether or not the current value j of the number of bytes is smaller than the sum of M and N, that is, whether or not one unit of the cipher / plaintext pair is still being processed (j <M + N ?) Is determined, and if smaller, the process proceeds to step 90, and if not, the process proceeds to step 91.
The counter value addition processing unit 90 adds 1 to the value j (j = J + 1) in order to process the next data of the encrypted / plaintext pair.
Further, in the counter value initialization processing step 91, assuming that the processing of the current cipher / plaintext pair is completed, the value j is set to 0 and the process proceeds to step 92 to prepare for the start of the processing of the next cipher / plaintext pair.
In the counter value addition processing step 92, since the processing of the current processing position value i is completed, 1 is added to i (i = i + 1), and the processing returns to the frame length determination processing step 82 in order to perform the processing of the next data position.
With such processing operation, the signal level of the data switching signal 20 is switched to Hi (high) or Lw (low).

Next, the flag 32 output from the flag generator 33 will be described.
The flag 32 is for adding the generation cycle of the encryption / plaintext pair, the value M and the value N in the flowchart of FIG. 8 to the encrypted data 6 and notifying the reception side of the cycle. By writing the flag 32 in the plaintext data chain at the head of one frame of compressed image data, the value of the flag 32 can be read as it is on the receiving side. On the receiving side, according to the values M and N, the period or timing at which the encrypted data appears is known, and the encrypted data is decrypted. The flag 32 may take any value as long as it has the same specifications on the transmission side and the reception side.
Further, the flag 32 also has information for informing the receiving side whether all the compressed data has been encrypted or whether plain text data periodically appears at a predetermined cycle.

In the above-described embodiment, the flag is written in the plaintext data area at the head of the compressed image data of one frame for the generation period of the abbreviation / plaintext pair. This flag is a protocol for transmitting compressed data. It may be added at a higher hierarchy. For example, at the time of network transmission, a method of transmitting by a protocol such as RTP (Real-time Transport Protocol) which is an upper layer for transmitting compressed image data is conceivable.
Thus, by controlling the encryption processing of the compressed image data so that the encryption data and the plaintext data appear periodically or at a predetermined cycle, it is possible to reduce the load on the processor necessary for the encryption processing.

The block diagram which shows the structure of the conventional image compression apparatus. 1 is a block diagram showing a configuration of an embodiment of an image compression apparatus of the present invention. The block diagram which shows the structure of one Example of the compression process part used for the image compression apparatus of this invention. The block diagram which shows the structure of one Example of the encryption process part used for the image compression apparatus of this invention of this invention. The figure for demonstrating the structure of the encryption data of one Example of this invention. The figure for demonstrating one Example of the switching process operation | movement of the ciphertext and plaintext in the encryption process of this invention. The figure for demonstrating one Example of the encryption process of this invention. The flowchart for demonstrating one Example of the control method of the encryption process part of this invention.

Explanation of symbols

  1: Video data, 2, 2 ′: Compressed data, 3: Cryptographic processing unit, 4, 4 ′: Cryptographic data, 5: Distribution data, 6, 6-1, 6-2: Cryptographic data, 7: Compression processing unit 8: Cryptographic processing unit, 9: Distribution processing unit, 11, 12: Memory unit, 13: Compressed data, 14: Compressed data size information, 15: Stuffing data, 16: Stuffing size information, 17: Stuffing number calculation unit, 18: Stuffing generation unit 19, 19 ′: Memory read control signal, 20: Data switching signal, 21: Initial vector generation unit, 22: Encryption key management unit, 23: Key stream generation unit, 24: Encryption processing control unit, 25: Key stream, 26: Key data, 27: Image compression unit, 28: Initial vector, 29: Key stream generation control signal, 32: Flag, 3: Flag generator 34: Flag addition control signal 35: Flag type selection signal 52: Frame header area 53: Initial vector area 54: Flag area 55-1, 55-2, 55-3: Encryption Sentence data area, 56-1, 56-2: Plain text data area, 100: Image compression device, 101: Processor unit, 102: Adder unit, 103: XOR operation unit, 104: Data switcher, 105: Flag switch 150: camera, 160: network, 200: image compression apparatus, 500-1, 500-2: image frame data, 511: header data area, 512: data area to be encrypted.

Claims (2)

A compression processing unit that encodes image data and outputs compressed image data; an encryption processing unit that encrypts the image compressed data and outputs encrypted data; and a distribution processing unit that distributes the encrypted data to a network; In the image compression apparatus comprising:
A partial encryption processing unit that partially encrypts the data of the encryption target area in the frame of the image compression data and outputs partial encryption data;
A data switch for inputting the compressed image data and the partial cipher data, and outputting one of the data,
A control unit for controlling the data switch,
The control unit controls to encrypt the data in the encryption target area at a predetermined cycle, and does not encrypt the data in the encryption target area of the compressed image data with the encryption data at the predetermined period. An image compression apparatus characterized by arranging data. In an image compression method for encrypting compressed image data composed of variable-length codes and distributing it to a network,
An image compression method characterized in that encrypted data and unencrypted data are arranged in a predetermined cycle as data in the encryption target area of the image compressed data.

Images