Capturing images in digital format facilitates their storage, transmission and archiving. These facts, as well as the exponential growth of computing power, have expedited the use of digital cameras in many diverse consumer, commercial, and scientific applications. Ease of capture, archiving, sharing and especially manipulation are features inherent to digital images, as well as attractive features from the standpoint of customers.
However, these same features make the digital image data extremely susceptible to unauthorized altering. In applications where digital images are captured for purposes of establishing a record, such as property and casualty applications in the insurance industry, it is desirable to have a mechanism to authenticate each digital image (so the image can be used as credible evidence at a later date). The need for image authentication, and lack of practical means for authenticating digital images, is a main reason why insurance companies are hesitant to convert to digital photography for their photo record needs. For example, insurance companies would like to capture images of a damaged building as soon as possible to assess the damage and to stop insurance fraud (i.e., some property owners might take the chance to inflict more damage to their property in order to collect larger insurance payments). To combat fraud and limit losses incurred as a result of these activities, insurance agents routinely take film photographs of houses and automobiles as soon as possible after the accident or natural disaster (such as an earthquake). These images are usually stored in a safe archive and are not used unless the claims made by a policy owner far exceeds the estimate made by an assessor.
It is well known to insure the integrity of digital data by using a public key cryptosystem to generate a digital signature for the data. (See, e.g., "New Directions in Cryptography", by Whitfield Diffie and Martin Helena, IEEE Transactions on Information Theory, November 1976, pp. 644-654). A public-key cryptosystem uses two keys: a private key and a public (i.e., nonprivate) key. The private key is kept secret and is only provided to the authorized user; the public key is publicly provided or computed from a publicly available formula. Although the public key may be widely known, the integrity of the digital data is maintained because it is not feasible to derive the private key from this information. For the authentication of digital data, the sender maintains possession of the private key, and anyone who has the widely disseminated corresponding public key is able to decrypt the message encrypted by the sender using the private key. Consequently, this procedure provides a way to ensure that messages are not forged: only the private key could have produced a message that is decipherable by anyone having the corresponding public key.
In practice, a "hash" is created by the sender from the message by using a publicly-known mathematical function which maps values from a large domain into a smaller range. For example, a checksum is a simple kind of hash that produces a simple hash file which is much smaller than the original file yet is particularly unique to it. (For example of another algorithm see "One Way Hash Functions " by Bruce Schneier, Dr. Dobb's Journal, September 1991, pp. 148-151). many more complex and secure transformations are well known to those of skill in this art. The hash file makes it possible to encrypt a smaller representation of the message (the "hash") in order to verify the integrity and source of the larger message. Another advantageous characteristic of a hash is that changing a single bit in the original message input would produce a very different hash output if subjected to the same mathematical hash function.
The sender of a message then generates a unique digital signature by encrypting the hash message using the private key. The result is a second, smaller digital file referred to as a signature that is transmitted along with the plain (unhashed and unencrypted) text message. A recipient may decrypt the digital signature using the public key and then authenticate the message by comparison of the decrypted hash and a hash of the plain text message calculated by the recipient using the same publicly-known hash algorithm. Thus any difference between the hash outputs will readily show that the message has been altered or has been transmitted by a person other than the one possessing the private key. Moreover, as long as the private key remains private, only the private key holder can produce the message decipherable by anyone holding the public key. Without knowledge of the private key, a digital "signature" cannot be forged.
As mentioned earlier, inability to prove the authenticity of a digital photograph taken for the purpose of record keeping in their casualty and property operations is a main reason why the insurance industry is reluctant to use digital photography. One solution to insuring the integrity of digital image data in a digital camera is disclosed in U.S. Pat. No. 5,499,294. The patent discloses the process of using the aforementioned public key cryptosystem to generate a digital signature for the image. The digital signature is generated by hashing the digital image and encrypting the hash using the private key of the public key cryptosystem. Later, when the image is to be authenticated, the public key of the public key cryptosystem is used to decrypt the digital signature, a new hash is made of the image and the decrypted signature is compared with the new hash. If the new hash matches the decrypted signature, the authenticity of the image is verified.
A major drawback of such an authentication system is that a considerable amount of processing is required to generate the digital hash from the image, which has a critical impact on power usage. An important issue in using digital cameras or any portable digital device is the finite amount of on-board battery power. Since the amount of power used in an electronic device is directly proportional to the calculations performed by the device, it is desirable to have algorithms and devices which can achieve their function with a minimum number of calculations. In the case of an authenticating digital camera, it is particularly desirable to capture and authenticate a large number of digital images before a change or recharging of batteries are needed.