Encrypted Domain DCT Based on Homomorphic Cryptosystems
© Tiziano Bianchi et al. 2009
Received: 30 March 2009
Accepted: 29 September 2009
Published: 27 December 2009
Signal processing in the encrypted domain (s.p.e.d.) appears an elegant solution in application scenarios, where valuable signals must be protected from a possibly malicious processing device. In this paper, we consider the application of the Discrete Cosine Transform (DCT) to images encrypted by using an appropriate homomorphic cryptosystem. An s.p.e.d. 1-dimensional DCT is obtained by defining a convenient signal model and is extended to the 2-dimensional case by using separable processing of rows and columns. The bounds imposed by the cryptosystem on the size of the DCT and the arithmetic precision are derived, considering both the direct DCT algorithm and its fast version. Particular attention is given to block-based DCT (BDCT), with emphasis on the possibility of lowering the computational burden by parallel application of the s.p.e.d. DCT to different image blocks. The application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images is analyzed; whereas a case study demonstrates the feasibility of the s.p.e.d. DCT in a practical scenario.
The availability of signal processing modules that work directly on encrypted data would be of great help to satisfy the security requirements stemming from applications wherein valuable or sensible signals have to be processed by a nontrusted party [1, 2]. In the image processing field, there are two recent examples regarding buyer-seller watermarking protocols  which prevent the seller from obtaining a plaintext of the watermarked copy, so that the image containing the buyer's watermark cannot be illegally distributed to third parties by the seller, and the access to image databases by means of encrypted queries , in order to avoid the disclosure of the content of the query image.
Signal processing in the encrypted domain (s.p.e.d.) is a new field of research aiming at developing a set of specific tools for processing encrypted data to be used as building blocks in a large class of applications. In image processing, one of such tools is the discrete cosine transform (DCT). The availability of an efficient s.p.e.d. DCT would allow a large number of processing tasks to be carried out on encrypted images, like the extraction of encrypted features from an encrypted image, or watermark embedding in encrypted images. As a simple example, let us consider a scenario where a party needs to process an image by means of a signal processing system known by another party . Let us assume that is concerned about the privacy of his image, so that not to reveal the image content to the service provider , he will send the image in encrypted form. In the processing chain, it is possible that there is the need to apply a DCT to the image, for example, to apply a watermark in such a domain, or to reduce to zero some coefficients in order to reduce the image bit rate. After this step, an Inverse DCT (IDCT) will be needed; in such a scenario, both DCT and IDCT will need to be performed in the encrypted domain.
In [5, 6], we considered the similar problem of implementing a discrete Fourier transform on encrypted data. Here, we will extend the previous results by considering an s.p.e.d. implementation of the DCT. In the following we will concentrate on images, however we point out that a similar approach can be applied to 1-dimensional signals as well, like digitized audio. We will assume that an image is encrypted pixelwise by means of a cryptosystem homomorphic with respect to the addition that is, there exists an operator such that
where and denote the encryption and decryption operators. With such a cryptosystem it is indeed possible to add two encrypted values without first decrypting them and it is possible to multiply an encrypted value by a public integer value by repeatedly applying the operator . Moreover, we will assume that the cryptosystem is probabilistic, that is, given two encrypted values it is not possible to decide whether they conceal the same value or not. This is fundamental, since the alphabet to which the input pixels belong usually has a limited size. As it will be detailed in the following section, a widely known example of a cryptosystem fulfilling both the above requirements is the Paillier cryptosystem , for which the operator is a modular multiplication. Apart from [5, 6], previous examples of the use of homomorphic cryptosystems for performing encrypted computations can be found in buyer-seller protocols [3, 8], zero-knowledge watermark detection , and private scalar product computation .
Adopting such a cryptosystem, the DCT can be computed on the encrypted pixel values by relying on the homomorphic properties and the fact that the DCT coefficients are public. However, this requires several issues to be solved. The first one is that we must represent the pixel values, the DCT coefficients, and the transformed values in the domain of the cryptosystem, that is, as integers on a finite field/ring. Another problem is that encrypted values cannot be scaled or truncated by relying on homomorphic computations only. In general, for scaling the intermediate values of the computation we should allow two or more parties to interact [11, 12]. However, since we would keep the s.p.e.d. DCT as simple as possible, it is preferable to avoid the use of interactive protocols. A final problem is that encrypting each pixel separately increases the size of the encrypted image and affects the complexity.
1.1. Our Contributions
Solutions to the above issues will be provided in this paper, whose rest is organized as follows. In Section 2 a brief review of homomorphic cryptosystems, with particular attention to the Paillier scheme, is given. In order to properly represent the pixel values, the DCT coefficients and the transformed values in the encrypted domain, a convenient s.p.e.d. signal model is proposed in Section 3. Such a model allows us to define in Section 4 both an s.p.e.d. DCT and an s.p.e.d. fast DCT and to extend them to the 2D case. The proposed representation permits also to avoid the use of interactive protocols, by letting the magnitude of the intermediate results propagates to the end of the processing chain. A solution to the problem of encrypting each pixel separately is proposed in Section 5. A block-based s.p.e.d. DCT, relying on a suitable composite representation of the encrypted pixels, permits the parallel application of the s.p.e.d. DCT algorithm to different image blocks, thus lowering both the bandwidth usage and the computational burden. In Section 6 we consider the application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images, computing the upper bound on the number of bits required in order to correctly represent the DCT outputs, and, for the s.p.e.d. 2D-BDCT, the number of pixels that can be safely packed into a single word. Section 7 describes a case study where the feasibility of the s.p.e.d. DCT in a practical scenario is analyzed. Finally, conclusions are drawn in Section 8.
2. Probabilistic Homomorphic Encryption
As already defined in the previous section, a homomorphic cryptosystem allows to carry out some basic algebraic operations on encrypted data by translating them into corresponding operations in the plaintext domain. The concept of privacy homomorphism was first introduced by Rivest et al.  that defined privacy homomorphisms as encryption functions which permit encrypted data to be operated on without preliminary decryption of the operands.
According to the correspondence between the operation in the ciphertext domain and the operation in the plaintext domain, a cryptosystem can be additively homomorphic or multiplicatively homomorphic. In this paper we are interested in the former. Additively homomorphic cryptosystems allow, in fact, to perform additions, subtractions and multiplications with a known (nonencrypted) factor in the encrypted domain. More extensive processing would be allowed by the availability of an algebraically homomorphic encryption scheme, that is, a scheme that is additive and multiplicative homomorphic. Very recently, a fully homomorphic scheme has been proposed in , but its complexity seems too high for practical applications.
Another crucial concept for the s.p.e.d. framework is probabilistic encryption. As a matter of fact, many of the most popular cryptosystems are deterministic, that is, given an encryption key and a plaintext, the ciphertext is univocally determined. The main drawback of these schemes for s.p.e.d. applications is that it is easy for an attacker to detect if the same plaintext message is encrypted twice. Indeed, since usually signal samples assume only a limited range of values, an attacker will be easily able to decrypt the ciphertexts, or at least to derive meaningful information about them. In  the concept of probabilistic or semantically secure cryptosystem has been proposed. In such schemes, the encryption function is a function of both the secret message and a random parameter that is changed at any new encryption. Specifically, two subsequent encryptions of the same message result in two different encrypted messages and . Of course, the scheme has to be designed in such a way that , that is, the decryption phase is deterministic and does not depend on the random parameter . Luckily, encryption schemes that satisfy both the homomorphic and probabilistic properties detailed above do exist. One of the most known examples is the scheme presented by Paillier in , and later modified by Damgård and Jurik in . It should be pointed out that homomorphic cryptosystems are usually more computationally demanding than symmetric ciphers, like AES, and require longer keys to achieve a comparable level of security. Furthermore, probabilistic cryptosystems cause an intrinsic data expansion due to the adoption of randomizing parameters in the encryption function.
2.1. Paillier Cryptosystem
The Paillier cryptosystem  is based on the problem to decide whether a number is an th residue modulo . This problem is believed to be computationally hard in the cryptographic community, and is linked to the hardness to factorize , if is the product of two large primes.
For a complete analysis of the Paillier cryptosystem we refer to the original paper . Here, we simply describe the set-up, encryption, and decryption procedures.
Select big primes.The private key is the least common multiple of , denoted as . Let and in an element of order for some . The order of an integer modulo is the smallest positive integer such that . In such a case, is usually a convenient choice. is the public key.
3. Signal Model for the Encrypted Domain
The corresponding integer DCT of type II is defined as 
4. s.p.e.d. DCT
where all computations are done modulo .
where is an upper bound on . The value of both and will depend on the particular implementation of the DCT. In the following, we will add to , , and the additional subscripts and to denote direct and fast DCT, respectively whereas the superscript will denote the 2-dimensional versions.
4.1. Direct Computation
4.2. Fast DCT
In order to obtain an s.p.e.d. version of the fast DCT, we will refer to the recursive matrix representation in . Given , we have
As to the upper bound analysis, let us consider the th stage of the recursion and express the quantized matrices as and , where and denote the quantization errors on the corresponding matrix entries. We can rewrite (21) as
from which we derive the upper bound on the quantization error as
It is easy to show that the model in (27) can be applied also to the integer IDCT, so that the upper bound in (30) holds for the IDCT as well.
4.3. Extension to 2D-DCT
In the case of separable processing of the rows and the columns of an image, the expressions derived in the preceding section can be extended to the 2D case in an easy way. Let us assume that the 2D-DCT processes first the rows and then the columns. After the processing of the rows, the input to the next DCT will be expressed as in (14). Hence, the scaling factor can be obtained by substituting with ; whereas the upper bound on the quantization error can be derived by noting that and .
In the case of nonseparable processing, the upper bound on the output of the s.p.e.d. DCT can be derived in the same way as in the one-dimensional case. For instance, a direct nonseparable 2D-DCT will lead to the same upper bound as in (17). Even if this will reduce the upper bound with respect to the separable case, a nonseparable implementation will have a greater complexity. In the following, only the separable case will be considered.
Concerning the security of the s.p.e.d. DCT, if we work with a semantically secure cryptosystem, the security is automatically achieved that is, the output of the s.p.e.d. DCT does not reveal anything about the DCT inputs. Under the assumption that deciding -residuosity classes in is hard, that is, given it is not possible to decide in polynomial time whether is an -residue or not, the Paillier cryptosystem can be proved to be semantically secure . If the assumption is relaxed to the hardness of computing -residuosity classes, the security of the plaintext bits of a Paillier encryption, and hence of the proposed scheme, depends on the knowledge of the size of the plaintext. The interested reader can find a discussion on such topics in .
5. s.p.e.d. Block-Based DCT
Several image processing algorithms, instead of applying the DCT to the whole image, subdivide it into equal sized (usually square) blocks and compute the DCT of each block. The size of such blocks is usually quite small: typically blocks or blocks are used in most of the applications.
From the s.p.e.d. perspective, this suggests two things. Firstly, even if rescaling is not applied, in the case of a block based s.p.e.d. DCT the maximum value of the DCT outputs will not be very high. However, the size of the encrypted word, that is, , is fixed by the security requirements. Minimum security requirements for the Paillier cryptosystem impose the use of at least 1024 bits for . This means that, irrespective of the size of the plaintext pixels, each encrypted pixel will be represented as an encrypted word of at least 1024 bits. The result is that the outputs of the block-based s.p.e.d. DCT will be far from exploiting the full bandwidth of the modulus . Secondly, each block undergoes exactly the same processing. Hence, this could permit a parallel processing of several blocks by simply packing the pixels having the same position within the blocks in a single word.
In order to exploit the above ideas, we propose an s.p.e.d. block DCT (BDCT) based on a composite representation of the input pixels . For the sake of simplicity, we can assume the image as a one-dimensional signal, since the extension to the 2D case is straightforward using separable processing. Moreover, let us assume that the input pixel values have been quantized as in Section 3, that is, they satisfy the relation .
For the composite representation, the following theorem is valid.
from which (43) follows hence completing the proof.
When dealing with encrypted data, the first part of the previous theorem demonstrates that the composite representation can be safely encrypted by using a homomorphic cryptosystem defined on modulo arithmetic: as long as the hypotheses of the theorem hold, the composite data takes no more than distinct values, so the values of the composite signal can be represented modulo without loss of information. (i.e., it is possible to define a one-to-one mapping between and .)
We propose now an s.p.e.d. block DCT (BDCT) based on the composite representation of the input pixels. Let us consider distinct blocks of an image, assumed as one-dimensional, having size . Let us define the block bandwidth as . Moreover, let us assume that the input pixel values have been quantized.
By exploiting the composite representation, we can process blocks by using a single s.p.e.d. DCT. This means that the complexity of the s.p.e.d. BDCT is reduced by a factor with respect to that of a pixelwise implementation, since the size of the encrypted values will be the same irrespective of the implementation. Moreover, the bandwidth usage is also reduced by the same factor, since we pack pixels into a single ciphertext.
Finally, we would like to point out that the fast DCT algorithm can be used for the BDCT as well. The fast BDCT algorithm is simply obtained by computing the fast DCT of the composite signal . In order to verify that the above algorithm is correct, it suffices to substitute in (49) with the element of the matrix as defined in (21).
6. Numerical Examples
We will consider the application of the s.p.e.d. 2D-DCT and 2D-BDCT to square 8-bit greyscale images. The quantization scaling factor can be assumed as . As to , we will assume that the cosine values are quantized so as not to exceed the quantization error of the corresponding plaintext implementation. Three plaintext implementations are considered: (1) 16-bit fixed point (XP); (2) single precision floating point (FP1); (3) double precision floating point (FP2). In the first case, we can assume . In the floating point case, since the smallest magnitude of a cosine value is equal to , we need , where is the number of bits of the fractional part of the floating point representation. For the sake of simplicity, we will assume , so that we can choose (FP1) and (FP2).
Upper bounds on the number of blocks that can be processed in parallel by an s.p.e.d. 2D-BDCT. indicates a direct or a fast implementation of the DCT. is equivalent to a 16-bit fixed point implementation. and are equivalent to a single precision and a double precision floating point implementations, respectively. We have assumed .
7. Implementation Case Study
The feasibility of the s.p.e.d. DCT in a practical scenario is verified by considering its use in a buyer-seller watermarking protocol. Namely, we consider the secure embedding of a watermark as described in [8, 21]. In this scenario, a seller receives the bits of the watermark encrypted with the public key of a buyer—the output of a previous protocol between him and the buyer—and embeds them into a set of features extracted from the digital content he owns. The output of this procedure is a set of watermarked and encrypted features that are sent to the buyer. In the following, such a protocol will be referred to as secure watermark embedding (SWE).
In our case study, we assume that the content is an image and that the features are obtained by applying a block 2D-DCT to the pixel values. We also assume that the seller wants to perform the inverse DCT (IDCT) of the watermarked features in the encrypted domain, before sending them to the buyer. This can be justified by his wish to keep the actual transform secret, so as to expose as little details as possible regarding the watermarking algorithm. Another reason for using the s.p.e.d. IDCT is the possibility of applying some postprocessing to the watermarked image before distributing it. Common postprocessing steps are the use of a perceptual mask  or the insertion of a synchronization pattern .
The aforementioned versions have been implemented in C++ using the GNU Multi-Precision (GMP) library  and the NTL library , which provide software optimized routines for the processing of integers having arbitrary length. All versions have been run on an Intel(R) Core(TM)2 Quad CPU at 2.40 GHz, used as a single processor. In order to verify the feasibility of the s.p.e.d. approach, we measured the execution times of the four versions using three different image sizes: , , and . In all tests, the marked features are represented as 8-bit integers ( ) and the cosine values are quantized as 16-bit integers ( ). The image features are encrypted with the Paillier's cryptosystem, using a modulo of 1024 bits.
The correctness of the s.p.e.d. DCT implementation has been verified by comparing its output with the output of an analogous plaintext DCT implementation, as well as by verifying the amount of error introduced after the application of a standard plaintext DCT followed by an encrypted domain IDCT. With the used precision, the normalized MSE after the DCT-IDCT chain was on the order of . As to block DCT, its correctness has been verified by checking that the output of B-(I)DCT, after decryption and unpacking, was identical to the output of the corresponding (I)DCT.
Execution times (in seconds) of the different implementations. The row labeled as "packing" refers to the conversion from encrypted samplewise representation to encrypted composite representation. The row labeled as "DCT" refers to the actual DCT computation.
8. Concluding Remarks
We have considered the implementation of the DCT on an encrypted image by relying on the homomorphic properties of the underlying cryptosystem. It has been shown how the maximum allowable DCT size depends on the modulus of the cryptosystem, on the chosen DCT implementation, and on the required precision. We have also proposed an s.p.e.d. block DCT which is based on the packing of several pixels into a single encrypted word, thus permitting the parallel application of the s.p.e.d. DCT algorithm to different image blocks.
To evaluate the proposed solutions, we have considered the application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images, computing the upper bound on the number of bits required in order to correctly represent the DCT outputs, and, for the s.p.e.d. 2D-BDCT, the number of pixels that can be safely packed into a single word. The results demonstrate that there can be cases in which it is preferable to employ a direct s.p.e.d. BDCT, since this will reduce the bandwidth usage at the price of a very small increase of complexity.
The feasibility of the application of the s.p.e.d. DCT in a practical buyer-seller watermarking protocol has been also verified, providing promising results. Future research will be devoted to the design and implementation of the complete buyer-seller watermarking protocol.
The work described in this paper has been partially supported by the European Commission through the IST Programme under Contract no 034238-SPEED and by the Italian Research Project (PRIN 2007): "Privacy aware processing of encrypted signals for treating sensitive information." The information in this document reflects only the author's views, is provided as is, and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.
- Piva A, Katzenbeisser S: Signal processing in the encrypted domain. EURASIP Journal on Information Security 2007, 2007:-1.Google Scholar
- Erkin Z, Piva A, Katzenbeisser S, et al.: Protection and retrieval of encrypted multimedia content: when cryptography meets signal processing. EURASIP Journal on Information Security 2007, 2007:-20.Google Scholar
- Memon N, Wong PW: A buyer-seller watermarking protocol. IEEE Transactions on Image Processing 2001, 10(4):643-649. 10.1109/83.913598View ArticleMATHGoogle Scholar
- Shashank J, Kowshik P, Srinathan K, Jawahar CV: Private content based image retrieval. Proceedings of the 26th IEEE Conference on Computer Vision and Pattern Recognition (CVPR '08), June 2008 1-8.Google Scholar
- Bianchi T, Piva A, Barni M: Implementing the discrete Fourier transform in the encrypted domain. Proceedings of IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP '08), March-April 2008, Las Vegas, Nev, USA 1757-1760.Google Scholar
- Bianchi T, Piva A, Barni M: On the implementation of the discrete Fourier transform in the encrypted domain. IEEE Transactions on Information Forensics and Security 2009, 4(1):86-97.View ArticleGoogle Scholar
- Paillier P: Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology, Lecture Notes in Computer Science. Volume 1592. Springer, New York, NY, USA; 1999:223-238. 10.1007/3-540-48910-X_16Google Scholar
- Kuribayashi M, Tanaka H: Fingerprinting protocol for images based on additive homomorphic property. IEEE Transactions on Image Processing 2005, 14(12):2129-2139.View ArticleGoogle Scholar
- Adelsbach A, Katzenbeisser S, Sadeghi A-R: Watermark detection with zero-knowledge disclosure. Multimedia Systems 2003, 9(3):266-278. 10.1007/s00530-003-0098-zView ArticleGoogle Scholar
- Goethals B, Laur S, Lipmaa H, Mielikäinen T: On private scalar product computation for privacy-preserving data mining. Proceedings of the 7th International Conference on Information Security and Cryptology (ICISC '04), 2004, Lecture Notes in Computer Science 3506: 104-120.MathSciNetGoogle Scholar
- Yao AC: Protocols for secure computations. Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, November 1982, Chicago, Ill, USA 160-164.Google Scholar
- Cramer R, Damgård I, Nielsen JB: Multiparty computation from threshold homomorphic encryption. In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '01), 2001, London, UK, Lecture Notes in Computer Science. Volume 2045. Springer; 280-299.Google Scholar
- Rivest R, Adleman L, Dertouzos M: On data banks and privacy homomorphisms. In Foundations of Secure Computation. Edited by: DeMillo RA, Lipton RJ, Dobkin DP, Jones AK. Academic Press, New York, NY, USA; 1978:169-179.Google Scholar
- Gentry C: Fully homomorphic encryption using ideal lattices. Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC '09), 2009, Bethesda, Md, USA 169-178.View ArticleGoogle Scholar
- Goldwasser S, Micali S: Probabilistic encryption. Journal of Computer and System Sciences 1984, 28(2):270-299. 10.1016/0022-0000(84)90070-9MathSciNetView ArticleMATHGoogle Scholar
- Damgård I, Jurik M: A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography, 2001, Lecture Notes In Computer Science 1992: 119-136.View ArticleMATHGoogle Scholar
- Zeng Y, Cheng L, Bi G, Kot AC: Integer DCTs and fast algorithms. IEEE Transactions on Signal Processing 2001, 49(11):2774-2782. 10.1109/78.960425MathSciNetView ArticleGoogle Scholar
- Catalano D, Gennaro R, Howgrave-Graham N: The bit security of Paillier's encryption scheme and its applications. In Proceedings of the International Conference on the Theory and Application of Crypto Graphic Techniques (EUROCRYPT '01), May 2001, Innsbruck, Austria. Springer; 229-243.Google Scholar
- Bianchi T, Piva A, Barni M: Efficient pointwise and blockwise encrypted operations. Proceedings of the 10th ACM Workshop on Multimedia and Security, 2008, Oxford, UK 85-90.View ArticleGoogle Scholar
- Hou H: A fast recursive algorithm for computing the discrete cosine transform. IEEE Transactions on Acoustics, Speech, and Signal Processing 1987, 35(10):1455-1461. 10.1109/TASSP.1987.1165060View ArticleGoogle Scholar
- Prins JP, Erkin Z, Lagendijk RL: Anonymous fingerprinting with robust QIM watermarking techniques. EURASIP Journal on Information Security 2007, 2007:-13.Google Scholar
- Bartolini F, Barni M, Cappellini V, Piva A: Mask building for perceptually hiding frequency embedded watermarks. Proceedings of the 5th IEEE International Conference on Image Processing (ICIP '98), October 1998, Chicago, Ill, USA 1: 450-454.View ArticleGoogle Scholar
- Moulin P, Ivanovic A: The Fisher information game for optimal design of synchronization patterns in blind watermarking. Proceedings of the 8th IEEE International Conference on Image Processing (ICIP '01), October 2001, Thessaloniki, Greece 2: 550-553.Google Scholar
- GNU Multiple Precision Arithmetic Library http://gmplib.org/
- NTL: A library for doing number theory http://www.shoup.net/ntl/
This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.