An Efficient Secret Key Homomorphic Encryption Used in Image Processing Service

Homomorphic encryption can protect user’s privacy when operating on user’s data in cloud computing. But it is not practical for wide using as the data and services types in cloud computing are diverse. Among these data types, digital image is an important personal data for users. There are also many image processing services in cloud computing. To protect user’s privacy in these services, this paper proposed a scheme using homomorphic encryption in image processing. Firstly, a secret key homomorphic encryption (IGHE) was constructed for encrypting image. IGHE can operate on encrypted floating numbers efficiently to adapt to the image processing service.Then, by translating the traditional image processingmethods into the operations on encrypted pixels, the encrypted image can be processed homomorphically. That is, service can process the encrypted image directly, and the result after decryption is the same as processing the plain image. To illustrate our scheme, three common image processing instances were given in this paper. The experiments show that our scheme is secure, correct, and efficient enough to be used in practical image processing applications.


Introduction
Along with the arrival of the cloud computing fever, there emerge a lot of service outsourcing applications based on cloud computing platform (such as SaaS). Users who request the service just need to upload their data to the service and wait for the result. This brings users great benefits, but also the risk of privacy disclosure, because the service provider (SP) can access users' plain sensitive information arbitrarily. To balance the privacy with usability of data in cloud computing, many computable encryption technologies are proposed, such as homomorphic encryptions [1][2][3][4][5]. The idea of these encryptions can be represented as follows.
"Enc" represents the encryption process, and "Dec" represents the decryption process. For a function ( 0 , 1 , . . . , ) taking the plaintexts as input, there exists a function ( 0 , 1 , . . . , ) (where = Enc( )) taking the ciphertexts as input, such that Dec ( ( 0 , 1 , . . . , )) = ( 0 , 1 , . . . , ) . (1) According to (1), user uploads the encrypted data to service, and instead of using to operate on user's plain data, the service can operate on the encrypted data by using and return to user the encrypted result. After decryption, user will get the expected result which is the same as . Thus, the service can run correctly without knowing user's plain data. And then, the privacy is safe from disclosure.
Homomorphic encryption seems a good way to protect privacy in service outsourcing applications, especially when handling the integer data type. But as the data types in cloud computing are diverse, how to use homomorphic encryption in other types is still a challenging problem. For example, with the popularization of photograph equipment, a large amount of digital images are generated every day. It has become one of the most popular forms of personal data for users. Consequently, the online image processing services are widely used for users to edit their images. But the image may also contain privacy that the user does not want SP to see. To protect the privacy in this data type, we proposed a scheme using homomorphic encryption in image processing services.
In broad terms, image processing includes all kinds of operations on the image. But it is hard to handle the privacy issues in all kinds of image processing using one scheme. So in this paper, the image processing mainly refers to the processes based on pixels. That is, the new color of pixel is computed according to the old ones. The operations on plain pixels can be seen as a function . Taking the old pixels and some other parameters (if necessary) as inputs, outputs the new pixel. When using the traditional image encryptions [6][7][8], operating on the encrypted pixels is meaningless. Thus no one can process the encrypted image without decryption. However, by encrypting each pixel separately using homomorphic encryption, the service can operate on the encrypted pixels using . Then the service can process the encrypted image without decryption. Unfortunately, there are no appropriate homomorphic encryptions which can be used in image encryption yet. Unpadded-RSA [1] and ElGamal [2] cryptosystems satisfy (1) when consists of only multiplication operations. But it needs both addition and multiplication operations in image processing. Neither do Goldwasser and Micali [3] or Paillier [4] cryptosystems fit image encryption, as consists of only addition operations. Gentry's fully homomorphic encryption [5] is too complex to apply in image processing, because it encrypts one bit each time, with the runtime more than 30 seconds even in "toy" security level [9]. The homomorphic cryptosystems proposed in [10,11] are oriented to integers, but as the floating numbers are involved in operations in image processing, these cryptosystems cannot be used either. Besides, these are all public key encryptions which need a large key size to ensure the security. Thus, the sizes of ciphertexts are too large to store or transmit online.
Through the above analysis, we need an efficient homomorphic encryption which can support both addition and multiplication operations on floating numbers. Then we can use it to encrypt the image and process the encrypted image directly. It seems that no existing work has ever proposed any solution for this problem. Our contributions are as follows: (i) We propose an encrypted image processing model based on homomorphic encryption.
(ii) We improve Gentry's homomorphic encryption to propose an efficient secret key homomorphic encryption which can support addition and multiplication operations on floating numbers (IGHE).
(iii) We use IGHE in image encryption and give the instances of processing encrypted image.
The rest of this paper is organized as follows. Section 2 outlines our encrypted image processing model and defines the notions that we need. In Section 3, we describe the improvement of Gentry's homomorphic encryption (IGHE). Section 4 gives the method of image encryption using IGHE, followed by the instances of processing encrypted image. The experimental results are presented in Section 5. Finally, Section 6 concludes the paper.

Encrypted Image Processing Model
First of all, we construct an encrypted image processing model based on homomorphic encryption; see Figure 1. Figure 1(a) is a common online image processing service model. The service has a set of image processing functions as { 1 , 2 , . . . , }. When image data owner (DO) uploads the image for a specific kind of process request, service provider (SP) will choose the corresponding function to process the image. As SP can access the original image, the privacy may be leaked. In Figure 1(b), DO encrypts the image using a homomorphic encryption before uploading. Thanks to this encryption, SP can operate on the encrypted image with the function corresponding to and return to DO the encrypted result image. After decryption, DO can get the correct processed image. The result is the same as Figure 1(a). But as the image in server is always in encrypted form, the privacy is preserved.
To realize the model, constructing an efficient homomorphic cryptosystem which supports both addition and multiplication operations on floating numbers is the key problem. We will discuss this in the next section. For clear description, the important notations used in this paper are summarized in Notations.

The Initial Construction of Gentry's Scheme.
Gentry denoted his initial scheme as [5]. It started by fixing a ring and an ideal lattice ⊂ , with B as the basis. Then he used an algorithm IdealGen( , B ) to output the public and secret keys B pk and B sk which are the bases of some ideal , such that + = . The plaintext space Π was [ ] B , and "Add B ", "Mult B " were the addition and multiplication in Π .
Gentry proved that scheme satisfies (1), that is, Dec (B sk , ( 0 , 1 , . . . , )) = ( 0 , 1 , . . . , ) . (2) But is too complex to encrypt image. For one thing, to prevent the attacker from working out the secret key, the dimension of public key needs to be large enough ( ≥ 512 [9]). For another, encrypts one bit each time ({0, 1} need to be translated into Π as {0, 1}). Thus, supposing that each of the elements of vector has bits, the ciphertext will be ⋅ times larger than plaintext. Therefore, the byte of the encrypted image file will be enlarged at least 512 times. This is unrealistic, not to mention the extra cost for operating on each encrypted bit in the image processing. So we need to simplify to make it more efficient.

Simplifying Gentry's Scheme.
Our simplified scheme is denoted as . To reduce the size of key, we discard the public key encryption part. That is, the part of + is reserved, but the public key encryption part (the ideal ) will no longer be used. The ciphertext of is set as ← + . In decryption, . Then, the key problem is how to construct the ideal lattice .
The security of is the same as , that is, semantic security, as they are all based on ICP.

Theorem 2.
Suppose that there is an algorithm A 1 that breaks the semantic security of with advantage . Then there is an algorithm A 2 that solves the ICP with advantage /2.
Proof. The challenger sends A 2 an ICP instance (t, B). A 2 sets ← {0, 1}, t 0 ← t and samples t 1 uniformly from mod B. Then, A 2 gives ← Enc (B, t ) to A 1 ; A 1 sends back a guess of as . Finally, A 2 guesses as = ⊙ . If = 0, 0 is a well-formed ciphertext. As t 1 is uniformly random element of [ ] B , and r is uniformly random element of , then 1 is uniformly random element of . In this case, A 1 should have advantage to get = , which translates into an advantage of for A 2 to get = ⊙ = 1.
If = 1, both t 0 and t 1 are uniformly random elements of mod B. In this case, whatever is, the ciphertexts are uniformly random element of . A 1 's advantage is 0, which translates into an advantage of 0 for A 2 to get = ⊙ = 1.
The ICP asks one to decide whether t is uniform modulo B ( = 1) or whether it was chosen according to a known "clumpier" distribution induced by Samp 1 ( = 0). According to [5], there is no such algorithm that can solve the ICP with an unnegligible probability. Thus, according to Theorem 2, the advantage of algorithm A 1 breaking the semantic security of can be ignored; that is, is semantic security. When As " * " and b −1 can be operated with ( ⋅ log ) operations using the Fast Fourier Transform (FFT) [12], the time complexity of is ( ⋅ log ). Furthermore, as a secret key encryption, a small value of will make security enough. Thus, is efficient and secure for being used in image encryption. But the plaintext space of is [ ] b , while, in image processing, the data types include integer and float. So we need a mapping between the floats and .

A Mapping between Integers and .
For ∀k ∈ , v can be written as the polynomial ∑ −1 =0 V ⋅ mod ( ). If we set a fixed value (e.g., = 2 or 10), each v is corresponding to a number; this numeralization of v is denoted as (k). Meanwhile, any integer V with |V| < ( ( )) is equal to the polynomial ∑ −1 =0 V ⋅ mod ( ), where V = ±⌊|V|/ ⌋mod ; the sign of V is the same as V. Thus, each number V is corresponding to an element in , denoted as (V). Thus, for an integer plaintext | | < ( ( )), in encryption (denoted as Enc 1 ), after getting ← ( ), it outputs ← Enc (b, ). In decryption (denoted as Dec 1 ), when getting ← Dec (b, ), it outputs ← ( ).
We have proved that is semantic security. If algorithm A 3 can break the semantic security of IGHE, then, for , one can first map the ciphertext into float and use A 2 to break the security of . Thus, IGHE is also semantic security.
So far, we have introduced our homomorphic encryption IGHE which is simplified and improved from Gentry's homomorphic encryption. The differences between IGHE and Gentry's scheme are as follows: (i) IGHE is a symmetric encryption, while Gentry is a public key encryption. The purpose of public key is for service to use the public key to operate on the encrypted data. We omitted the public key encryption part, because we have another way to let service operate on the encrypted data without using key (see Section 4.2). The main benefit of symmetric encryption is that a smaller size of secret key can reach to the security level as high as public key. Then, in the same security level, as the size of key is smaller, our scheme is more efficient than Gentry's scheme.
(ii) Gentry's scheme is universal and fully homomorphic; it takes each bit as the plaintext. As the image processing can also be presented as a batch of operations of bit, theoretically the scheme can be used for encrypted image processing. But considering the complexity, it is hard to implement. While our scheme takes the byte as plaintext, and, after inducing the homomorphic addition and multiplication operations on floats, we can easily realize the encryption image processing.

Image Encryption Using IGHE.
The values of colors are less than 256, and it usually has only one multiplication in image processing. By choosing an appropriate value of and , after process, it is easy to keep the result less than 10 − − 10 − ( ( ( )) ⋅ − when = 10) and accurate to 10 − . Thus, IGHE can be applied in encrypted image processing.
An image with width and ℎ height consists of × ℎ pixels. As we know, a pixel can be seen as a combination of the three-primary colors, we denote the pixel in the th row and th column as , ( 0 , 1 , 2 ), with 0 , 1 , 2 representing the color of red, green, and blue, respectively. Firstly, we use KeyGen to output the key b. Then, after reading the image file and getting the pixels array P = { , }, we encrypt P by calling ImgEnc(b, , P).
For a given image, there are ⋅ ℎ pixels with each having 3 integers. ImgEnc encrypts all these plaintexts separately. Thus, the time complexity of ImgEnc is ( ⋅ ℎ ⋅ ⋅ log ). C is the set of all the encrypted pixels, as each ciphertext is an -dimensional column vector; C , is an × 3 matrix. Thus, the size of C is ( ⋅ ℎ ⋅ ).
As the color must be an integer in [0, 255], after getting ← Dec(b, , c ), the result will be rounded into the nearest integer in [0, 255]. The time complexity of ImgDec is ( ⋅ ℎ ⋅ ⋅ log ).

Processing Encrypted Image.
We concentrate on the processing method which is based on addition and multiplication operations on the pixels. In these processes, the new color in a pixel is calculated by a function ( 0 , 1 , . . . , 0 , 1 , . . .), where represents the color of a pixel and represents the data from SP. As IGHE is a secret key encryption, SP does not have the key to encrypt . However, SP can translated into (⌊ ⋅ ⌉), which is a special ciphertext with r = 0 in Enc(b, , ). We denote this translation as Enc( , ), which can be run by SP without the key b.
As shown in Figure 1(b), firstly, user uploads the encrypted image by calling ImgEnc and asks for a processing method request corresponding to the function . Then, SP returns to user the encrypted result by calling Eval( , , Ψ). Finally, by calling ImgDec, user will get the correct plain result same as Figure 1(a). In Eval, the function (c 0 , c 1 , . . . , ( )0 , ( )1 , . . .) was generated to process the encrypted image, where c ← Enc(b, , ), and ( ) ← Enc( , ). In these methods, as SP does not need any key, there is no need to share the key. User just needs to keep the secret key safely.
In the image processing, we may like to change the color of the image, add a watermark (or photo frame) on the image, or change the size of the image. To illustrate our scheme, we use these three common kinds of image processing as instances.

Color Transformation.
The original color transformation is based on the color matrix [13] CM which is a 5 × 5 matrix. The th row and th column are denoted as , where is often a floating number. Given CM and the original pixel , ( 0 , 1 , 2 ), the resulting pixel , ( 0 , 1 , 2 ) is computed as where is 0, 1, 2, and , is the transparency of the pixel , . For the image without transparency, the default value of , is 255. In the instance, DO wants to change the color of his image, such as grayness and binarization. But he does not know the value of CM, while there are many kinds of color transformation operations in SP, with each kind corresponding to a value of CM.
DO uploads the ciphertext C, then, in encrypted image color transformation, SP uses the encrypted form of CM ( ← Enc( , )) to compute each encrypted resulting pixel C , (c 0 , c 1 , c 2 ).

Image Addition.
Give two images P 1 , P 2 , add P 1 on P 2 with a transparency tp; then the resulting pixel , is In one instance, IO gives SP two encrypted images C 1 and C 2 and asks SP to add them with the transparency tp. The encrypted resulting pixel is In another instance, IO gives SP one encrypted image C and chooses a plain image P (e.g., a photo frame) from SP to add on the encrypted image with the transparency tp. In SP's image, the pixels may have different transparencies , ; when added on C , , the true transparency of , is tp ⋅ , . And the encrypted resulting pixel is As SP knows , , tp, , he can compute and then encrypt tp ⋅ , ⋅ and 1 − tp ⋅ , as one plaintext.

Experiments
We run some experiments to test the performance of our scheme. All the experiments are carried out on a computer equipped with two processors, each with 3.1 GHz clock speed, and the computer has 4 GB RAM.

Security. Now we analyze the statistical security of the encrypted image.
In our scheme, the ciphertext c ∈ is an -dimensional integer vectors. We use 4 bytes to represent the integer; then each element of c can represent a new pixel in the encrypted image. The top byte represents the transparency , and the rest represent the color of red, green, and blue, respectively. So a plain pixel will be changed into × 3 new pixels in encrypted image. We store the encrypted image in .PNG format and calculate the histograms of original and encrypted image, respectively. Figure 2(a) is the original image, and its histogram is shown in (b). Figure 2(c) is a part of the encrypted image, and the histogram is shown in (d). Figure 2 indicates that the histogram of the encrypted image is fairly uniform and is significantly different from that of the original image. Thus, our scheme can resist the statistical analysis attack.

Correctness.
We do the same type of processing both on the original image P and on the encrypted image C to get the processed image P and C . The error between , and C , is If err , ̸ = 0, the encryption pixel of C , is error. If all the err , are zero, our scheme is correct.
As the floating numbers are accurate to 10 − , the value of will affect the correctness of our scheme. To test this, we choose different value of . For each , we encrypt an image P to get C and do the same kind of image processing on P and C to get P and C . Then, we compute the err , for every pixel.
We fix = 8. Table 1 shows the correctness of our scheme with different value of . The "Error Rate" means the rate of error C , in C. "None" means decrypted C with no process. In "color transformation (CT)," each time we set the value of CM randomly. The elements of CM are accurate to 0.001. In "image addition (Add.)," we add the same image    In Table 1, the error becomes less and smaller as increases. When increases to 4, there is no error; then our scheme is correct. The error rate of "None" is zero, so no matter what is, if we decrypt an encrypted image with no process, we can get the original image with no error. That is because the value of color is integers, so the accuracy of 10 0 is enough.
In "Add.", the transparency is a number with two decimals, so when = 2, there is no error any more. In "CT", as the random value of CM has three decimals, the error is zero when = 3. In "Scal.", the data may be an infinite decimal.
But since the value of color is smaller than 256, when ≥ 4, 256 ⋅ 10 − < 0.1. So there will be no error after rounding the result to the nearest integer. Figure 3 shows some result of image P (left image) and image Dec(C ) (right image) after the image processing when = 8 and = 4. In (a), the left image is the original image. We encrypt the left image and decrypt the cipher image to get the right image. In (b), we remove the color (grayness) of the original image; this is realized by setting CM a specific value. In (c), we set the elements of CM random values. And in (d), we choose a photo frame to add on the original image; the transparency is 60%.
The two images in each figure look the same. According to Table 1, they do have the same pixel in the same position. Above all, the image can be processed in encrypted form. After decryption, user will get the same image as processing directly on plain image. Thus, our scheme is correct. Figure 4 shows the runtime of the key generation, encryption, decryption, addition, and multiplication processes of our scheme IGHE and Gentry's scheme.

Efficiency.
We can see, when, in the same value of , our scheme is more efficient than Gentry's scheme. When is 32, the runtime of "DEC" of Gentry is even more than 100 ms, which is not marked in Figure 4. What is more, note that as Gentry's scheme is a public encrypt system, to keep security, is at least 512 [9]. Then, the running time of each process will be more than 5 s. Thus, IGHE is more efficient than Gentry's scheme.
Encryption and decryption will cost extra running time. Besides, processing encrypted image is slower than processing plain image. We test the efficiency of ImgEnc, ImgDec, and the three encrypted image processing algorithms (CT, Add., and Scal.). We choose different values of and record the running time of each algorithm. Figure 5 shows the average running time of each algorithm on one pixel. The common time means the running time of plain image processing.
From Figure 5, we can see that all the running time increases as increases. When = 8, all algorithms can process each pixel in 10 s. This is 10 times slower than processing the plain pixel. But for a 1-megapixel image, the process can be finished in 10 seconds. To protect the privacy, this compromise of efficiency is worthy. When is 16 or 32, it may take a long time to process the large size image, but our scheme is still suitable for the small size image.

Size of Encrypted Image.
After encryption, the size of encrypted image is enlarged. By setting different value of , we record the size of secret key, the size of encrypted image,   Table 2. "Plain" means the original image. As described in Section 5.1, the key and ciphertext of IGHE are -dimensional vectors, with each element having a 4-byte integer. The size of secret key is ( ). A plain color takes one byte. After encryption, the encrypted color takes 4 bytes, with bytes representing the transparency. So, in the encrypted image, the width grows by 3 times, and the height grows times. And the size of .PNG file is enlarged 4 times. Figure 6 shows that, with the size of image increasing, both the size of encrypted image and the runtime of CT process are increasing. For = 16, the time for processing a 5-megapixel image is about 1 minute, but the size of the encrypted image is up to 200 megapixels. So considering both the efficiency and the communication overhead, our scheme is suitable for small size image encryption and processing, but not proper for larger size of image yet. According to Figure 6, for = 8, the proper size range may be less than 2 megapixels, and, for = 16, it should be less than 1 megapixel.

Conclusion
In this paper, we improve Gentry's homomorphic encryption to propose an efficient, simplified secret key homomorphic encryption (IGHE). We use it in the image encryption, so that the image can be processed in encrypted form to protect the privacy. Any image processing that consists of addition and multiplication operations on single pixel can be translated into the encrypted-formed process. We give the color transformation, image addition, and image scaling as the examples. By using our scheme, the image can be processed in the server in encrypted form; after decryption in client, user can get the correct processed image that is the same as processing the plain image. So our scheme can protect privacy in online image processing. Our scheme is secure, but it enlarges the running time of process and the space for storing encrypted image. So our scheme is not proper for processing large size of image yet.
As the value of color is less than 256, when translating into vector, most elements of the vector are zero. To use these elements, we will research on translating batch colors in one vector to decrease the running time and the size of encrypted image.

B. Proving Lemma 4
Proof. We fix , and suppose the floating number is accurate to − , that is, where ( ) ∈ Z[ ] is monic and of degree . In this paper, we set ( ) = − 1, same as [14] v: The bold lowercase letter represents the element of , that is, v ∈ . It can be written both as a polynomial, for example, ∑ −1 =0 V ⋅ mod ( ), and as a vector, for example, v = (V 0 V 1 ⋅ ⋅ ⋅ V −1 ) . Besides, we denote (0 0 ⋅ ⋅ ⋅ 0) as 0 and (1 0 ⋅ ⋅ ⋅ 0) as 1 : The ideal lattice in . B ∈ Z × is the basis of , that is, = {B ⋅ r | r ∈ } [15] Rot(v): The circulant matrix generated by v. The th row and th column in Rot(v) are V ( − )mod * : The multiplication in ring , u * v = (u ⋅ k)mod ( ) = Rot(u) ⋅ k. See the proof in Appendix A. Besides, the addition in is the same as the addition in Z , still denoted as "+" r ← : Th ev a l u eo fr is randomly chosen from

Conflicts of Interest
The authors declare that they have no conflicts of interest.