Encrypted Domain DCT Based on Homomorphic Cryptosystems

Signal processing in the encrypted domain (s.p.e.d.) appears an elegant solution in application scenarios, where valuable signals must be protected from a possibly malicious processing device. In this paper, we consider the application of the Discrete Cosine Transform (DCT) to images encrypted by using an appropriate homomorphic cryptosystem. An s.p.e.d. 1-dimensional DCT is obtained by defining a convenient signal model and is extended to the 2-dimensional case by using separable processing of rows and columns. The bounds imposed by the cryptosystem on the size of the DCT and the arithmetic precision are derived, considering both the direct DCT algorithm and its fast version. Particular attention is given to block-based DCT (BDCT), with emphasis on the possibility of lowering the computational burden by parallel application of the s.p.e.d. DCT to different image blocks. The application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images is analyzed; whereas a case study demonstrates the feasibility of the s.p.e.d. DCT in a practical scenario.

The availability of signal processing modules that work directly on encrypted data would be of great help to satisfy the security requirements stemming from applications wherein valuable or sensible signals have to be processed by a nontrusted party [1, 2]. In the image processing field, there are two recent examples regarding buyer-seller watermarking protocols [3] which prevent the seller from obtaining a plaintext of the watermarked copy, so that the image containing the buyer's watermark cannot be illegally distributed to third parties by the seller, and the access to image databases by means of encrypted queries [4], in order to avoid the disclosure of the content of the query image.

Signal processing in the encrypted domain (s.p.e.d.) is a new field of research aiming at developing a set of specific tools for processing encrypted data to be used as building blocks in a large class of applications. In image processing, one of such tools is the discrete cosine transform (DCT). The availability of an efficient s.p.e.d. DCT would allow a large number of processing tasks to be carried out on encrypted images, like the extraction of encrypted features from an encrypted image, or watermark embedding in encrypted images. As a simple example, let us consider a scenario where a party needs to process an image by means of a signal processing system known by another party . Let us assume that is concerned about the privacy of his image, so that not to reveal the image content to the service provider , he will send the image in encrypted form. In the processing chain, it is possible that there is the need to apply a DCT to the image, for example, to apply a watermark in such a domain, or to reduce to zero some coefficients in order to reduce the image bit rate. After this step, an Inverse DCT (IDCT) will be needed; in such a scenario, both DCT and IDCT will need to be performed in the encrypted domain.

In [5, 6], we considered the similar problem of implementing a discrete Fourier transform on encrypted data. Here, we will extend the previous results by considering an s.p.e.d. implementation of the DCT. In the following we will concentrate on images, however we point out that a similar approach can be applied to 1-dimensional signals as well, like digitized audio. We will assume that an image is encrypted pixelwise by means of a cryptosystem homomorphic with respect to the addition that is, there exists an operator such that

(1)

where and denote the encryption and decryption operators. With such a cryptosystem it is indeed possible to add two encrypted values without first decrypting them and it is possible to multiply an encrypted value by a public integer value by repeatedly applying the operator . Moreover, we will assume that the cryptosystem is probabilistic, that is, given two encrypted values it is not possible to decide whether they conceal the same value or not. This is fundamental, since the alphabet to which the input pixels belong usually has a limited size. As it will be detailed in the following section, a widely known example of a cryptosystem fulfilling both the above requirements is the Paillier cryptosystem [7], for which the operator is a modular multiplication. Apart from [5, 6], previous examples of the use of homomorphic cryptosystems for performing encrypted computations can be found in buyer-seller protocols [3, 8], zero-knowledge watermark detection [9], and private scalar product computation [10].

Adopting such a cryptosystem, the DCT can be computed on the encrypted pixel values by relying on the homomorphic properties and the fact that the DCT coefficients are public. However, this requires several issues to be solved. The first one is that we must represent the pixel values, the DCT coefficients, and the transformed values in the domain of the cryptosystem, that is, as integers on a finite field/ring. Another problem is that encrypted values cannot be scaled or truncated by relying on homomorphic computations only. In general, for scaling the intermediate values of the computation we should allow two or more parties to interact [11, 12]. However, since we would keep the s.p.e.d. DCT as simple as possible, it is preferable to avoid the use of interactive protocols. A final problem is that encrypting each pixel separately increases the size of the encrypted image and affects the complexity.

1.1. Our Contributions

Solutions to the above issues will be provided in this paper, whose rest is organized as follows. In Section 2 a brief review of homomorphic cryptosystems, with particular attention to the Paillier scheme, is given. In order to properly represent the pixel values, the DCT coefficients and the transformed values in the encrypted domain, a convenient s.p.e.d. signal model is proposed in Section 3. Such a model allows us to define in Section 4 both an s.p.e.d. DCT and an s.p.e.d. fast DCT and to extend them to the 2D case. The proposed representation permits also to avoid the use of interactive protocols, by letting the magnitude of the intermediate results propagates to the end of the processing chain. A solution to the problem of encrypting each pixel separately is proposed in Section 5. A block-based s.p.e.d. DCT, relying on a suitable composite representation of the encrypted pixels, permits the parallel application of the s.p.e.d. DCT algorithm to different image blocks, thus lowering both the bandwidth usage and the computational burden. In Section 6 we consider the application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images, computing the upper bound on the number of bits required in order to correctly represent the DCT outputs, and, for the s.p.e.d. 2D-BDCT, the number of pixels that can be safely packed into a single word. Section 7 describes a case study where the feasibility of the s.p.e.d. DCT in a practical scenario is analyzed. Finally, conclusions are drawn in Section 8.

As already defined in the previous section, a homomorphic cryptosystem allows to carry out some basic algebraic operations on encrypted data by translating them into corresponding operations in the plaintext domain. The concept of privacy homomorphism was first introduced by Rivest et al. [13] that defined privacy homomorphisms as encryption functions which permit encrypted data to be operated on without preliminary decryption of the operands.

According to the correspondence between the operation in the ciphertext domain and the operation in the plaintext domain, a cryptosystem can be additively homomorphic or multiplicatively homomorphic. In this paper we are interested in the former. Additively homomorphic cryptosystems allow, in fact, to perform additions, subtractions and multiplications with a known (nonencrypted) factor in the encrypted domain. More extensive processing would be allowed by the availability of an algebraically homomorphic encryption scheme, that is, a scheme that is additive and multiplicative homomorphic. Very recently, a fully homomorphic scheme has been proposed in [14], but its complexity seems too high for practical applications.

Another crucial concept for the s.p.e.d. framework is probabilistic encryption. As a matter of fact, many of the most popular cryptosystems are deterministic, that is, given an encryption key and a plaintext, the ciphertext is univocally determined. The main drawback of these schemes for s.p.e.d. applications is that it is easy for an attacker to detect if the same plaintext message is encrypted twice. Indeed, since usually signal samples assume only a limited range of values, an attacker will be easily able to decrypt the ciphertexts, or at least to derive meaningful information about them. In [15] the concept of probabilistic or semantically secure cryptosystem has been proposed. In such schemes, the encryption function is a function of both the secret message and a random parameter that is changed at any new encryption. Specifically, two subsequent encryptions of the same message result in two different encrypted messages and . Of course, the scheme has to be designed in such a way that , that is, the decryption phase is deterministic and does not depend on the random parameter . Luckily, encryption schemes that satisfy both the homomorphic and probabilistic properties detailed above do exist. One of the most known examples is the scheme presented by Paillier in [7], and later modified by Damgård and Jurik in [16]. It should be pointed out that homomorphic cryptosystems are usually more computationally demanding than symmetric ciphers, like AES, and require longer keys to achieve a comparable level of security. Furthermore, probabilistic cryptosystems cause an intrinsic data expansion due to the adoption of randomizing parameters in the encryption function.

2.1. Paillier Cryptosystem

The Paillier cryptosystem [7] is based on the problem to decide whether a number is an th residue modulo . This problem is believed to be computationally hard in the cryptographic community, and is linked to the hardness to factorize , if is the product of two large primes.

Let us now explain what an -th residue is and how it can be used to encrypt data. Given the product of two large primes , the set of the integer numbers modulo , and the set representing the integer numbers belonging to that are relatively prime with , is said to be a -th residue modulo if there exists a number such that

(2)

For a complete analysis of the Paillier cryptosystem we refer to the original paper [7]. Here, we simply describe the set-up, encryption, and decryption procedures.

2.1.1. Set-Up

Select big primes.The private key is the least common multiple of , denoted as . Let and in an element of order for some . The order of an integer modulo is the smallest positive integer such that . In such a case, is usually a convenient choice. is the public key.

2.1.2. Encryption

Let be the plaintext, and a random value. The encryption of is

(3)

2.1.3. Decryption

Let be the ciphertext. The plaintext hidden in is

(4)

where . From the above equations, we can easily verify that the Paillier cryptosystem is additively homomorphic, since

(5)

We will describe the proposed representation assuming the signals are 1D sequences. The extension to the 2D case is straightforward by using separable processing along rows and columns. Let us consider a signal ,  . In the following, we will assume that the signal has been properly scaled so that . In order to process in the encrypted domain, its values have to be represented as integer numbers belonging to . This is accomplished by first defining an integer version of as

(6)

where is the rounding function, and is a suitable scaling factor and then encrypting the modulo representation of , that is, (for the sake of brevity, we omit the random parameter ).

As long as does not exceed the size of —that is, the difference between the maximum and minimum values of is less than —its value can be represented in without loss of information. If we assume , then the original value can be approximated from as

(7)

The above representation can be used to define an integer approximation of the DCT. Let us consider the scaled DCT of type II (DCT-II) of , defined as

(8)

The corresponding integer DCT of type II is defined as [6]

(9)

where and is a suitable scaling factor for the cosine values.

A similar approach leads to the definition of the integer inverse DCT (IDCT). The scaled IDCT, also referred to as scaled DCT of type III, is defined as

(10)

where

(11)

The integer IDCT or integer DCT of type III can be defined as in (9) by using in place of the following integer coefficients:

(12)

Since all computations are between integers and there is no scaling, the expression in (9) can be evaluated in the encrypted domain by relying on the homomorphic properties. For instance, if the inputs are encrypted with the Paillier cryptosystem, the s.p.e.d DCT is

(13)

where all computations are done modulo [7].

The computation of the DCT using (9) requires two problems to be tackled with. The first one is that there will be a scaling factor between and . The second one is that, if the cryptosystem encrypts integers modulo , one must ensure that there is a one-to-one mapping between and . A solution is to find an upper bound on such that and verify that . We will show that can be expressed in general as

(14)

where is a suitable scaling factor and models the quantization error. Based on the above equation, the desired DCT output can be estimated as , and the upper bound is

(15)

where is an upper bound on . The value of both and will depend on the particular implementation of the DCT. In the following, we will add to , , and the additional subscripts and to denote direct and fast DCT, respectively whereas the superscript will denote the 2-dimensional versions.

4.1. Direct Computation

Let us express and . If the DCT is directly computed by applying (9), then we have

(16)

where . The scaling factor is . As to the quantization error, we obtain the following upper bound:

(17)

from which .

4.2. Fast DCT

In order to obtain an s.p.e.d. version of the fast DCT, we will refer to the recursive matrix representation in [17]. Given , we have

(18)

where ,

(19)

is obtained by the identity matrix by reversing the column order, and is a permutation matrix given as

(20)

Since the only noninteger matrix in (18) is , the corresponding s.p.e.d. structure can be recursively defined as

(21)

where we define .

The s.p.e.d. fast DCT can be implemented according to the block diagram in Figure 1. If we define ,  , and we denote as ,  , the results of the intermediate computations in one recursion of the s.p.e.d. fast DCT structure, the different blocks can be defined as follows. The butterfly block performs the following s.p.e.d. computations

(22)

whereas the scale block can be defined as

Block diagram of s. p.e.d. fast DCT.

Full size image

(23)

where is the th element on the diagonal of . The output of the scale block is split in two halves, which are recursively processed by two half size fast DCT. The lower half is further processed by the add block, which can be defined as

(24)

(25)

Lastly, the two halves are combined and permuted according to in order to yield the DCT outputs in the right order.

As to the upper bound analysis, let us consider the th stage of the recursion and express the quantized matrices as and , where and denote the quantization errors on the corresponding matrix entries. We can rewrite (21) as

(26)

From the previous equation, we have both a recursive relation on the scaling factor and a recursive relation on the quantization error. Let us consider the vector of quantized inputs . With a notation similar to the scalar case, we can express , where is vector containing the input values and is a vector of quantization errors. Hence, the s.p.e.d. fast DCT is given by

(27)

As to the scaling factor, we have . Since , it is easy to derive the final scaling factor as . As to the quantization error, we have , where denotes the maximum absolute row sum norm of a matrix. Based on (26), we can give an equivalent recursive relation on as

(28)

where we used ,  ,  , and . At the start of the recursion we have , since and there is no quantization error. Hence, an upper bound on can be derived as

(29)

from which we derive the upper bound on the quantization error as

(30)

Finally, the upper bound on is .

The above analysis can be extended also to the fast IDCT. It suffices to consider and, thanks to ,

(31)

It is easy to show that the model in (27) can be applied also to the integer IDCT, so that the upper bound in (30) holds for the IDCT as well.

4.3. Extension to 2D-DCT

In the case of separable processing of the rows and the columns of an image, the expressions derived in the preceding section can be extended to the 2D case in an easy way. Let us assume that the 2D-DCT processes first the rows and then the columns. After the processing of the rows, the input to the next DCT will be expressed as in (14). Hence, the scaling factor can be obtained by substituting with ; whereas the upper bound on the quantization error can be derived by noting that and .

In the case of the direct DCT implementation, this leads to

(32)

(33)

(34)

whereas in the case of the fast DCT we obtain

(35)

(36)

(37)

In the case of nonseparable processing, the upper bound on the output of the s.p.e.d. DCT can be derived in the same way as in the one-dimensional case. For instance, a direct nonseparable 2D-DCT will lead to the same upper bound as in (17). Even if this will reduce the upper bound with respect to the separable case, a nonseparable implementation will have a greater complexity. In the following, only the separable case will be considered.

4.4. Security

Concerning the security of the s.p.e.d. DCT, if we work with a semantically secure cryptosystem, the security is automatically achieved that is, the output of the s.p.e.d. DCT does not reveal anything about the DCT inputs. Under the assumption that deciding -residuosity classes in is hard, that is, given it is not possible to decide in polynomial time whether is an -residue or not, the Paillier cryptosystem can be proved to be semantically secure [7]. If the assumption is relaxed to the hardness of computing -residuosity classes, the security of the plaintext bits of a Paillier encryption, and hence of the proposed scheme, depends on the knowledge of the size of the plaintext. The interested reader can find a discussion on such topics in [18].

Several image processing algorithms, instead of applying the DCT to the whole image, subdivide it into equal sized (usually square) blocks and compute the DCT of each block. The size of such blocks is usually quite small: typically blocks or blocks are used in most of the applications.

From the s.p.e.d. perspective, this suggests two things. Firstly, even if rescaling is not applied, in the case of a block based s.p.e.d. DCT the maximum value of the DCT outputs will not be very high. However, the size of the encrypted word, that is, , is fixed by the security requirements. Minimum security requirements for the Paillier cryptosystem impose the use of at least 1024 bits for . This means that, irrespective of the size of the plaintext pixels, each encrypted pixel will be represented as an encrypted word of at least 1024 bits. The result is that the outputs of the block-based s.p.e.d. DCT will be far from exploiting the full bandwidth of the modulus . Secondly, each block undergoes exactly the same processing. Hence, this could permit a parallel processing of several blocks by simply packing the pixels having the same position within the blocks in a single word.

In order to exploit the above ideas, we propose an s.p.e.d. block DCT (BDCT) based on a composite representation of the input pixels [19]. For the sake of simplicity, we can assume the image as a one-dimensional signal, since the extension to the 2D case is straightforward using separable processing. Moreover, let us assume that the input pixel values have been quantized as in Section 3, that is, they satisfy the relation .

We define the composite representation of of order and base as

(38)

where ,  , indicate disjoint subsequences of the image pixels .

The th element of the composite signal represents a word where we can pack samples of the original signal, chosen by partitioning the original signal samples into sets of samples each. In the following, we will consider the so-called -polyphase composite representation (-PCR), where the partitioning of is given by . As shown in Figure 2, in this representation each composite word contains samples which are spaced samples apart in the original sequence, that is, belonging to one of the th order polyphase components of signal .

Graphical representation of an -polyphase composite representation having order . The values inside the small boxes indicate the indexes of the samples of . Identically shaded boxes indicate values belonging to the same composite word.

Full size image

For the composite representation, the following theorem is valid.

Theorem 1.

Let us assume that

(39)

(40)

(41)

where is a positive integer, and let be defined as in (38). Then, the following holds:

(42)

where Moreover, the original pixels can be obtained from the composite representation as

(43)

Proof.

let us express

(44)

Thanks to (39) and (40), we have . Hence, can be considered as a positive base- integer whose digits are given by . Moreover, since has digits, it is bounded by

(45)

where the last inequality comes from (41). As to the second part of the theorem, for each we have

(46)

Thanks to the properties of , we have . Hence

(47)

from which (43) follows hence completing the proof.

When dealing with encrypted data, the first part of the previous theorem demonstrates that the composite representation can be safely encrypted by using a homomorphic cryptosystem defined on modulo arithmetic: as long as the hypotheses of the theorem hold, the composite data takes no more than distinct values, so the values of the composite signal can be represented modulo without loss of information. (i.e., it is possible to define a one-to-one mapping between and .)

We propose now an s.p.e.d. block DCT (BDCT) based on the composite representation of the input pixels. Let us consider distinct blocks of an image, assumed as one-dimensional, having size . Let us define the block bandwidth as . Moreover, let us assume that the input pixel values have been quantized.

The blockwise DCT can be defined as

(48)

Since the transform has a repeated structure, it is suitable for a parallel implementation. If the pixels having the same position within each block are packed in a single word according to the -PCR representation into , as in (38), we can define the equivalent parallel blockwise DCT as

(49)

Proposition 1.

If , then , , can be exactly computed from the modulo representation of .

Proof.

let us consider the following equalities:

(50)

Then, it suffices to note that and replace with in the proof of Theorem 1.

By exploiting the composite representation, we can process blocks by using a single s.p.e.d. DCT. This means that the complexity of the s.p.e.d. BDCT is reduced by a factor with respect to that of a pixelwise implementation, since the size of the encrypted values will be the same irrespective of the implementation. Moreover, the bandwidth usage is also reduced by the same factor, since we pack pixels into a single ciphertext.

Finally, we would like to point out that the fast DCT algorithm can be used for the BDCT as well. The fast BDCT algorithm is simply obtained by computing the fast DCT of the composite signal . In order to verify that the above algorithm is correct, it suffices to substitute in (49) with the element of the matrix as defined in (21).

We will consider the application of the s.p.e.d. 2D-DCT and 2D-BDCT to square 8-bit greyscale images. The quantization scaling factor can be assumed as . As to , we will assume that the cosine values are quantized so as not to exceed the quantization error of the corresponding plaintext implementation. Three plaintext implementations are considered: (1) 16-bit fixed point (XP); (2) single precision floating point (FP1); (3) double precision floating point (FP2). In the first case, we can assume . In the floating point case, since the smallest magnitude of a cosine value is equal to , we need , where is the number of bits of the fractional part of the floating point representation. For the sake of simplicity, we will assume , so that we can choose (FP1) and (FP2).

Since the values of in (34)–(37) can be huge, in the case of the full frame DCT we will consider an upper bound on the number of bits required in order to correctly represent the DCT outputs. If we assume , this can be expressed as

(51)

where and . Note that if , it follows that . In Table 1, we give some upper bounds considering different values of and . Highlighted in bold are the cases which cannot be implemented relying on a 1024-bit modulus, which is a standard in several cryptographic applications. As can be seen, except for the case of FP2, a full frame s.p.e.d. DCT can be always implemented relying on a standard modulus.

As to the s.p.e.d. 2D-BDCT, we consider an estimate of the number of pixels that can be safely packed into a single word. A safe implementation requires . Since we must have , this leads

(52)

In Table 2, we give some values of considering DCT sizes ranging from to and different precisions. Specifically, indicates the value of obtained with a direct implementation of the DCT, while indicates the corresponding value for a fast implementation of DCT. The results demonstrate that the composite representation permits to significantly reduce both the bandwidth requirements and the complexity, especially for the fixed point case.

It is worth noting that a direct implementation allows to increase up to seven times with respect to the fast BDCT. Since the BDCT usually works with small sized blocks, the complexity of the direct implementation will not be much higher than that of the fast implementation. To give some figures, let us consider the number of multiplications per sample required by the different implementations. The complexity of a direct -point DCT is multiplications: if we consider a separable implementation, an DCT will require  -point DCTs to compute output samples. Since a BDCT can compute DCTs in parallel, this results in a complexity of

(53)

As to the fast -point DCT, the complexity is multiplications [20]. By using similar arguments, the complexity of a fast BDCT implementation can be then evaluated as

(54)

In Figure 3, we compare the complexity of direct and fast BDCT for two different precisions. The complexity of the fast BDCT is always below that of the direct implementation. However, it is worth noting that for small BDCT sizes, for example, up to , the complexity of the direct implementation is only slightly larger than that of the fast implementation. Hence, there can be cases in which it is preferable to employ a direct s.p.e.d. BDCT, since this will reduce the bandwidth usage at the price of a very small increase of complexity.

Complexity of direct BDCT versus fast BDCT. 8-bit input values () have been assumed. We have assumed . (a) ; (b) .

Full size image

The feasibility of the s.p.e.d. DCT in a practical scenario is verified by considering its use in a buyer-seller watermarking protocol. Namely, we consider the secure embedding of a watermark as described in [8, 21]. In this scenario, a seller receives the bits of the watermark encrypted with the public key of a buyer—the output of a previous protocol between him and the buyer—and embeds them into a set of features extracted from the digital content he owns. The output of this procedure is a set of watermarked and encrypted features that are sent to the buyer. In the following, such a protocol will be referred to as secure watermark embedding (SWE).

In our case study, we assume that the content is an image and that the features are obtained by applying a block 2D-DCT to the pixel values. We also assume that the seller wants to perform the inverse DCT (IDCT) of the watermarked features in the encrypted domain, before sending them to the buyer. This can be justified by his wish to keep the actual transform secret, so as to expose as little details as possible regarding the watermarking algorithm. Another reason for using the s.p.e.d. IDCT is the possibility of applying some postprocessing to the watermarked image before distributing it. Common postprocessing steps are the use of a perceptual mask [22] or the insertion of a synchronization pattern [23].

The scheme we consider is summarized in Figure 4. The image is divided into square blocks of pixels and an (I)DCT is applied to each block. We will assume that the plaintext DCT and SWE building blocks are already available and we will concentrate on the implementation of the s.p.e.d. IDCT block. Two different implementations are considered: a separable direct IDCT as described in Section 4.1; a separable fast IDCT as described in Section 4.2. As to the data representation, both a pixelwise/coefficientwise representation and a composite representation as described in Section 5 are considered. The combination of the former choices results in four alternative s.p.e.d. implementations: pixelwise direct IDCT (IDCT), pixelwise fast IDCT (F-IDCT), composite (block) direct IDCT (B-IDCT), and composite (block) fast IDCT (BF-IDCT).

Secure watermark embedding scenario.

Full size image

The aforementioned versions have been implemented in C++ using the GNU Multi-Precision (GMP) library [24] and the NTL library [25], which provide software optimized routines for the processing of integers having arbitrary length. All versions have been run on an Intel(R) Core(TM)2 Quad CPU at 2.40 GHz, used as a single processor. In order to verify the feasibility of the s.p.e.d. approach, we measured the execution times of the four versions using three different image sizes: , , and . In all tests, the marked features are represented as 8-bit integers () and the cosine values are quantized as 16-bit integers (). The image features are encrypted with the Paillier's cryptosystem, using a modulo of 1024 bits.

The correctness of the s.p.e.d. DCT implementation has been verified by comparing its output with the output of an analogous plaintext DCT implementation, as well as by verifying the amount of error introduced after the application of a standard plaintext DCT followed by an encrypted domain IDCT. With the used precision, the normalized MSE after the DCT-IDCT chain was on the order of . As to block DCT, its correctness has been verified by checking that the output of B-(I)DCT, after decryption and unpacking, was identical to the output of the corresponding (I)DCT.

The execution times are reported in Table 3. From the comparison between the pixelwise representation and the composite representation, it is evident that the latter permits to sensibly reduce the computational complexity of an s.p.e.d. DCT. Interestingly, the B-IDCT proves slightly more efficient than the BF-IDCT, confirming that the direct DCT implementation may be preferable when combined with the composite representation. In the considered scenario, we assume that the inputs to the s.p.e.d. DCT are encrypted samplewise. Hence, both B-IDCT and BF-IDCT require the conversion from an encrypted samplewise representation to an encrypted composite representation. Such a conversion can be done thanks to the homomorphic properties of the cryptosystem:

(55)

From Table 3, we can notice that the time required by this conversion is greater than the time required to perform an s.p.e.d. DCT. Since the overall computational complexity of B-IDCT and BF-IDCT is given as the sum of both times, this reduces the performance gain achievable by the composite representation. Namely, B-IDCT is about three times faster than F-IDCT; whereas BF-IDCT is only slightly faster than F-IDCT.

We have considered the implementation of the DCT on an encrypted image by relying on the homomorphic properties of the underlying cryptosystem. It has been shown how the maximum allowable DCT size depends on the modulus of the cryptosystem, on the chosen DCT implementation, and on the required precision. We have also proposed an s.p.e.d. block DCT which is based on the packing of several pixels into a single encrypted word, thus permitting the parallel application of the s.p.e.d. DCT algorithm to different image blocks.

To evaluate the proposed solutions, we have considered the application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images, computing the upper bound on the number of bits required in order to correctly represent the DCT outputs, and, for the s.p.e.d. 2D-BDCT, the number of pixels that can be safely packed into a single word. The results demonstrate that there can be cases in which it is preferable to employ a direct s.p.e.d. BDCT, since this will reduce the bandwidth usage at the price of a very small increase of complexity.

The feasibility of the application of the s.p.e.d. DCT in a practical buyer-seller watermarking protocol has been also verified, providing promising results. Future research will be devoted to the design and implementation of the complete buyer-seller watermarking protocol.

The work described in this paper has been partially supported by the European Commission through the IST Programme under Contract no 034238-SPEED and by the Italian Research Project (PRIN 2007): "Privacy aware processing of encrypted signals for treating sensitive information." The information in this document reflects only the author's views, is provided as is, and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.

Authors and Affiliations

1. Department of Electronics and Telecommunications, University of Florence, Via Santa Marta 3, I-50139, Florence, Italy

   Tiziano Bianchi & Alessandro Piva

2. Department of Information Engineering, University of Siena, Via Roma 56, I-53100, Siena, Italy

   Mauro Barni

Corresponding author

Correspondence to Tiziano Bianchi.

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and permissions