Signal Processing in the Encrypted Domain

EURASIP Journal on Information Security

Guest Editors: Alessandro Piva and Stefan Katzenbeisser Signal Processing in the Encrypted Domain EURASIP Journal on Information Security Signal Processing in the Encrypted Domain

This is a special issue published in volume 2007 of “EURASIP Journal on Information Security.” All articles are open access articles distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Editor-in-Chief Mauro Barni, University of Siena, Siena, Italy

Associate Editors

JeﬀreyA.Bloom,USA D. Kirovski, USA Hans Georg Schaathun, UK G. Doerr,¨ UK Deepa Kundur, USA Martin Steinebach, Germany Jean-Luc Dugelay, France E. Magli, Italy Q. Sun, Singapore T. Furon, France Kivanc Mihcak, Turkey W. Trappe, USA Miroslav Goljan, USA Lawrence O’Gorman, USA C. Vielhauer, Germany S. Katzenbeisser, The Netherlands Fernando Perez-Gonz´ alez,´ Spain S. Voloshynovskiy, Switzerland Hyoung Joong Kim, Korea A. Piva, Italy Andreas Westfeld, Germany Contents

Signal Processing in the Encrypted Domain, Alessandro Piva and Stefan Katzenbeisser Volume 2007, Article ID 82790, 1 page

A Survey of Homomorphic Encryption for Nonspecialists, Caroline Fontaine and Fabien Galand Volume 2007, Article ID 13801, 10 pages

Secure Multiparty Computation between Distrusted Networks Terminals, S.-C. S. Cheung and Thinh Nguyen Volume 2007, Article ID 51368, 10 pages

Protection and Retrieval of Encrypted Multimedia Content: When Cryptography Meets Signal Processing, Zekeriya Erkin, Alessandro Piva, Stefan Katzenbeisser, R. L. Lagendijk, Jamshid Shokrollahi, Gregory Neven, and Mauro Barni Volume 2007, Article ID 78943, 20 pages

Oblivious Neural Network Computing via Homomorphic Encryption, C. Orlandi, A. Piva, and M. Barni Volume 2007, Article ID 37343, 11 pages

Eﬃcient Zero-Knowledge Watermark Detection with Improved Robustness to Sensitivity Attacks,JuanRamon´ Troncoso-Pastoriza and Fernando Perez-Gonz´ alez´ Volume 2007, Article ID 45731, 14 pages

Anonymous Fingerprinting with Robust QIM Watermarking Techniques, J. P. Prins, Z. Erkin, andR.L.Lagendijk Volume 2007, Article ID 31340, 13 pages

Transmission Error and Compression Robustness of 2D Chaotic Map Image Encryption Schemes, Michael Gschwandtner, Andreas Uhl, and Peter Wild Volume 2007, Article ID 48179, 16 pages Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 82790, 1 page doi:10.1155/2007/82790

Editorial Signal Processing in the Encrypted Domain

Alessandro Piva1 and Stefan Katzenbeisser2

1 Department of Electronics and Telecommunications, University of Florence, Via S. Marta 3, 50139 Firenze, Italy 2 Information & System Security Group, Philips Research Europe, High Tech Campus 34 MS 61, 5656 AE Eindhoven, The Netherlands

Correspondence should be addressed to Alessandro Piva, [email protected]ﬁ.it

Received 31 December 2007; Accepted 31 December 2007

Copyright © 2007 A. Piva and S. Katzenbeisser. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Recent advances in digital signal processing enabled a num- The first part of the special issue contains three survey ber of new services in various application domains, ranging papers: Fontaine and Galand give an overview of homomor- from enhanced multimedia content production and distri- phic encryption, which is one of the key tools for signal pro- bution, to advanced healthcare systems for continuous health cessing in the encrypted domain, in their paper “A survey of monitoring. At the heart of these services lies the ability homomorphic encryption for nonspecialists.” An introduc- to securely manipulate “valuable” digital signals in order to tion to the field of secure multiparty computation is provided satisfy security requirements such as intellectual property by the paper “Secure multiparty computation between dis- management, authenticity, privacy, and access control. Cur- trusted networks terminals” by Cheung and Nguyen. Finally, rently available technological solutions for “secure manipu- research in the area of signal processing under encryption is lation of signals” apply cryptographic primitives by build- surveyed in the paper “Protection and retrieval of encrypted ing a secure layer on top of existing signal processing mod- multimedia content: when cryptography meets signal pro- ules, able to protect them from leakage of critical infor- cessing” by Erkin et al. mation, assuming that the involved parties or devices trust The second part of the special issue contains four re- each other. This implies that the cryptographic layer is used search papers. Orlandi et al. introduce the notion of obliv- only to protect the data against access through unautho- ious computing with neural networks in the paper “Obliv- rized third parties or to provide authenticity. However, this ious neural network computing via homomorphic encryp- is often not enough to ensure the security of the application.” Troncoso-Pastoriza and Perez-Gonz´ alez´ present new tion, since the owner of the data may not trust the process- protocols for zero-knowledge watermark detection in their ing devices, or those actors that are required to manipulate paper “Efficient zero-knowledge watermark detection with them. improved robustness to sensitivity attacks.” Prins et al. It is clear that the availability of signal processing algo- show in their paper “Anonymous fingerprinting with robust rithms that work directly on encrypted signals would be of QIM watermarking techniques” how advanced quantization- great help for application scenarios where signals must be index-modulation watermarking schemes can be used in produced, processed, or exchanged securely. conjunction with buyer-seller watermarking protocols. Fi- Whereas the development of tools capable of processing nally, Gschwandtner et al. explore properties of specialized encrypted signals may seem a formidable task, some recent, image encryption schemes in their paper “Transmission er- still scattered, studies, spanning from secure embedding and ror and compression robustness of 2D chaotic map image detection of digital watermarks and secure content distri- encryption schemes.” bution to compression of encrypted data and access to en- Finally, we would like to thank all the authors, as well as crypted databases, have shown that performing signal pro- all reviewers, for their contribution to this issue. We hope cessing operations in encrypted content is indeed possible. that the readers will enjoy this special issue and that it en- We are delighted to present the first issue of a journal, en- courages more colleagues to devote time to this novel and tirely devoted to signal processing in the encrypted domain. exciting field of research. The issue contains both survey papers allowing the reader to become acquainted with this exciting field, and research pa- Alessandro Piva pers discussing the latest developments. Stefan Katzenbeisser Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 13801, 10 pages doi:10.1155/2007/13801

Review Article A Survey of Homomorphic Encryption for Nonspecialists

Caroline Fontaine and Fabien Galand

CNRS/IRISA-TEMICS, Campus de Beaulieu, 35042 Rennes Cedex, France

Correspondence should be addressed to Caroline Fontaine, [email protected]

Received 30 March 2007; Revised 10 July 2007; Accepted 24 October 2007

Recommended by Stefan Katzenbeisser

Processing encrypted signals requires special properties of the underlying encryption scheme. A possible choice is the use of homomorphic encryption. In this paper, we propose a selection of the most important available solutions, discussing their properties and limitations.

Copyright © 2007 C. Fontaine and F. Galand. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION momorphic encryption; it is particularly aimed at noncryp- tographers, providing guidelines about the main characteris- The goal of encryption is to ensure confidentiality of data tics of encryption primitives: algorithms, performance, secu- in communication and storage processes. Recently, its use rity. Section 3 provides a survey of homomorphic encryption in constrained devices led to consider additional features, schemes published so far, and analyses their characteristics. such as the ability to delegate computations to untrusted Most schemes we describe are based on mathematical no- computers. For this purpose, we would like to give the un- tions the reader may not be familiar with. In the cases these trusted computer only an encrypted version of the data to notions can easily be introduced, we present them briefly. process. The computer will perform the computation on this Thereadermayreferto[15] for more information concern- encrypted data, hence without knowing anything on its real ing those we could not introduce properly, or algorithmic value. Finally, it will send back the result, and we will decrypt problems related to their computation. it. For coherence, the decrypted result has to be equal to the Before going deeper in the subject, let us introduce some intended computed value if performed on the original data. notation. The integer (x) denotes the number of bits con- For this reason, the encryption scheme has to present a par- stituting the binary expansion of x.Asusual,Zn will denote ∗ ticular structure. Rivest et al. proposed in 1978 to solve this the set of integers modulo n,andZn the set of its invertible issue through homomorphic encryption [1]. Unfortunately, elements. Brickell and Yacobi pointed out in [2]somesecurityflaws in the first proposals of Rivest et al. Since this first attempt, 2. TOWARDS HOMOMORPHIC ENCRYPTION a lot of articles have proposed solutions dedicated to numerous application contexts: secret sharing schemes, thresh- 2.1. Basics about encryption old schemes (see, e.g., [3]), zero-knowledge proofs (see, e.g., [4]), oblivious transfer (see, e.g., [5]), commitment schemes In this section, we will recall some important concepts con- (see, e.g., [3]), anonymity, privacy, electronic voting, elec- cerning encryption schemes. For more precise information, tronic auctions, lottery protocols (see, e.g., [6]), protection the reader may refer to [16] or the more recent [17]. of mobile agents (see, e.g., [7]), multiparty computation (see, Encryption schemes are, first and foremost, designed to e.g., [3]), mix-nets (see, e.g., [8, 9]), watermarking or finger- preserve confidentiality. According to Kerckoffs’ principle printing protocols (see, e.g., [10–14]), and so forth. (see [18, 19] for the original papers, or any book on cryp- The goal of this article is to provide nonspecialists with tography), their security must not rely on the obfuscation of a survey of homomorphic encryption techniques. Section 2 their code, but only on the secrecy of the decryption key. We recalls some basic concepts of cryptography and presents ho- can distinguish two kinds of encryption schemes: symmetric 2 EURASIP Journal on Information Security and asymmetric ones. We will present them shortly and dis- the receiver with the secret key needed to recover the data, the cuss their performance and security issues. sender encrypts this key with an asymmetric cipher. Hence, the asymmetric cipher is used to encrypt only a short data, Symmetric encryption schemes while the symmetric one is used for the longer one. The sender and the receiver do not need to share anything be- Here “symmetric” means that encryption and decryption are fore performing the encryption/decryption as the symmet- performed with the same key. Hence, the sender and the re- ric key is transmitted with the help of the public key of the receiver. Proceeding this way, we combine the advantages of ceiver have to agree on the key they will use before perform- ffi ing any secure communication. Therefore, it is not possi- both: e ciency of symmetric schemes and functionalities of ble for two people who never met to use such schemes di- the asymmetric schemes. rectly. This also implies to share a different key with every one we want to communicate with. Nevertheless, symmet- Security issues ric schemes present the advantage of being really fast and are used as often as possible. In this category, we can distinguish Security of encryption schemes was formalized for the first block ciphers (AES [20, 21])1 and stream ciphers (One-time time by Shannon [26]. In his seminal paper, Shannon in- pad presented in Figure 1 [22], Snow 2.0 [23]),2 which are troduced the notion of perfect secrecy/unconditional secu- even faster. rity, which characterizes encryption schemes for which the knowledge of a ciphertext does not give any information either about the corresponding plaintext or about the key. He Asymmetric encryption schemes proved that the one-time pad is perfectly secure under some conditions, as explained in Figure 1. In fact, no other scheme, In contrast to the previous family, asymmetric schemes in- neither symmetric nor asymmetric, has been proved uncon- troduce a fundamental difference between the abilities to en- ditionally secure. Hence, if we omit the one-time pad, any crypt and to decrypt. The encryption key is public, as the encryption scheme’s security is evaluated with regard to the decryption key remains private. When Bob wants to send an computational power of the opponent. In the case of asym- encrypted message to Alice, he uses her public key to encrypt metric schemes, we can rely on their mathematical structure the message. Alice will then use her private key to decrypt it. to estimate their security level in a formal way. They are based Such schemes are more functional than symmetric ones since on some well-identified mathematical problems which are there is no need for the sender and the receiver to agree on hard to solve in general, but easy to solve for the one who anything before the transaction. Moreover, they often pro- knows the trapdoor, that is, the owner of the keys. Hence, vide more features. These schemes, however, have a big draw- it is easy for the owner of the keys to compute his/her pri- back: they are based on nontrivial mathematical computa- vate key, but no one else should be able to do so, as the tions, and much slower than the symmetric ones. The two knowledge of the public key should not endanger the private most prominent examples, RSA [24] and ElGamal [25], are key. Through reductions, we can compare the security level presented in Figures 2 and 3. of these schemes with the difficulty of solving these mathematical problems (factorizing large integers or computing Performance issues a discrete logarithm in a large group) which are famous for their hardness. Proceeding this way, we obtain an estimate A block cipher like AES is typically 100 times faster than RSA of the security level, which sometimes turns out to be op- ffi encryption and 2000 times than RSA decryption, with about timistic. This estimation may not be su cient for several 60 MB per second on a modest platform. Stream ciphers reasons. First, there may be other ways to break the system are even faster, some of them being able to encrypt/decrypt than solving the reference mathematical problem [27, 28]. 100 MB per second or more.3 Thus, while encryption or de- Second, most of security proofs are performed in an ideal- cryption of the whole content of a DVD will take about a ized model called the random oracle model,inwhichinvolved minute with a fast stream cipher, it is simply not realistic to primitives, for example, hash functions, are considered truly use an asymmetric cipher in practice for such a huge amount random. This model has allowed the study of the security of data as it would require hours, or even days, to encrypt or level for numerous asymmetric ciphers. Recent works show decrypt. that we are now able to perform proofs in a more realistic Hence, in practice, it is usual to encrypt the data we want model called the standard model.From[29]to[30], a lot of to transmit with an efficient symmetric cipher. To provide papers compared these two models, discussing the gap between them. In parallel with this formal estimation of the security level, an empirical one is performed in any case, and 1 AES has been standardized; see http://csrc.nist.gov/groups/ST/toolkit/ new symmetric and asymmetric schemes are evaluated ac- block ciphers.html formoredetails. cording to published attacks. 2 Snow 2.0 is included in the draft of Norm ISO/IEC 18033-4, http://www The framework of a security evaluation has been stated .iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER by Shannon in 1949 [26]: all the considered messages are =3997. 3 See, for example, http://www.ecrypt.eu.org/stream/perf/alpha/bench- encrypted with the same key—so, for the same recipient— marks/snow-2.0 for some benchmark of Snow 2.0, or openssl for AES and and the opponent’s challenge is to take an advantage from all RSA. his observations to disclose the involved secret/private key. C. Fontaine and F. Galand 3

Usually, to evaluate the attack capacity of the opponent, we of information about the plaintext m, namely, the so- distinguish among several contexts [31]: ciphertext-only at- called Jacobi symbol; tacks (where the opponent has access only to some cipher- (iii) when using a deterministic encryption scheme, it is texts), known-plaintext attacks (where the opponent has ac- easy to detect when the same message is sent twice cess to some pairs of corresponding plaintext-ciphertexts), while processed with the same key. chosen-plaintext attacks (same as previous, but the opponent can choose the plaintexts and get the corresponding cipher- So, in practice, we prefer encryption schemes to be prob- texts), and chosen-ciphertext attacks (the opponent has access abilistic. In the case of symmetric schemes, we introduce a to a decryption oracle, behaving as a black-box, that takes random vector in the encryption process (e.g., in the pseudo- a ciphertext and outputs the corresponding plaintext). The random generator for stream ciphers, or in the operating first context is the most frequent in real life, and results from mode for block ciphers), generally called IV. This vector eavesdropping the communication channel; it is the worst may be public, and transmitted as it is, without being en- case for the opponent. The other cases may seem difficult to crypted, but IV must be changed every time we encrypt achieve, and may arise when the opponent has a more pow- a message. In the case of asymmetric ciphers, the security erful position; he may, for example, have stolen some plain- analysis is more mathematical, and we want the randomized texts, or an encryption engine. The “chosen” ones exist in schemes to remain analyzable in the same way as the deter- adaptive versions, where the opponent can wait for a compu- ministic schemes. Some adequate modes have been proposed tation result before choosing the next input. to randomize already published deterministic schemes, as the Optimal Asymmetric Encryption Padding OAEP for RSA (or any scheme based on a trap-door one-way permutation) How do we choose the right scheme? [33].8 Some new schemes, randomized by nature, have also been proposed [25, 34, 35] (see also Figures 3 and 4). The right scheme is the one that fits your constraints in the A simple consequence of this requirement to be proba- best way. By constraints, we may understand constraints in bilistic appears in the so-called expansion: since for a plain- time, memory, security, and so forth. The two first criteria text we require the existence of several possible ciphertexts, are very important in highly constrained architectures, of- the number of ciphertexts is greater than the number of pos- ten encountered in very small devices (PDAs, smart cards, sible plaintexts. This means the ciphertexts cannot be as short RFID tags, etc.). They are also important if we process a huge as the plaintexts, they have to be strictly longer. The ratio amount of data, or numerous data at the same time, for ex- between the length, in bits, of ciphertexts and plaintexts is ample, video streams. Some schemes as AES or RSA are usu- called the expansion. Of course, this parameter is of practical ally chosen because of their reputation, but it is important importance. We will see in the sequel that efficient proba- to note that new schemes are proposed each year. Indeed, it bilistic encryption schemes have been proposed with an ex- is necessary to keep a diversity in the proposals. First, it is pansion less than 2 (e.g., Paillier’s scheme). necessary in order to be able to face new kinds of requirements. Second, because of security purpose, having all the 2.3. Homomorphic encryption schemes relying on the same structure may lead to a disaster in case an attack breaks this structure. Hence, huge interna- We will present in this section the basic definitions related to tional projects have been funded to ask for new proposals, homomorphic encryption. The state of the art will be given in with a fair evaluation to check their advantages and draw- Section 3. backs, for example, RIPE, NESSIE,4 and NIST’s call for the M 5 6 7 The most common definition is the following. Let design of the AES, CRYPTREC, ECRYPT, and so forth. (resp., C) denote the set of the plaintexts (resp., ciphertexts). An encryption scheme is said to be homomorphic if for any 2.2. Probabilistic encryption given encryption key k the encryption function E satisfies The most well-known cryptosystems are deterministic:for ∀m1, m2 ∈ M, E m1Mm2 ←− E m1 C E m2 (1) a fixed encryption key, a given plaintext will always be encrypted in the same ciphertext. This may lead to some draw- for some operators M in M and C in C,where← means backs.RSAisagoodexampletoillustratethispoint: “can be directly computed from,” that is, without any inter- (i) particular plaintexts may be encrypted in a too much mediate decryption. M C structured way: with RSA, messages 0 and 1 are always If ( , M)and( , C )aregroups,wehaveagroup ho- encryptedas0and1,respectively; momorphism.Wesayaschemeisadditively homomorphic if (ii) it may be easy to compute partial information about we consider addition operators, and multiplicatively homo- the plaintext: with RSA, the ciphertext c leaks one bit morphic if we consider multiplication operators. A lot of such homomorphic schemes have been published that have been widely used in many applications. Note that 4 see http://www.cryptonessie.org. 5 see http://csrc.nist.gov and http://csrc.nist.gov/CryptoToolkit/aes. 6 see http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html. 8 Note that there are a lot of more recent papers proposing variants or im- 7 see http://www.ecrypt.eu.org. provements of OAEP, but it is not our purpose here. 4 EURASIP Journal on Information Security

Prerequisite: Alice and Bob share a secret random keystream, say a binary one. Goal:AlicecansendanencryptedmessagetoBob,andBobcansendanencryptedmessagetoAlice. Principle: To encrypt a message, Alice (resp., Bob) XORs the plaintext and the keystream. To decrypt the received message, Bob (resp., Alice) applies XOR on the ciphertext and the keystream. Security: This scheme has been showed to be unconditionally secure by Shannon [26] if and only if the keystream is truly random, has the same length as the plaintext, and is used only once. Thus, this scheme is used only for very critical situations for which these constraints may be managed, as the red phone used by the USA and the USSR [32, pp. 715-716]. What we may use more commonly is a similar scheme, where the keystream is generated by a pseudorandom generator, initialized by the secret key shared by Alice and Bob. A lot of such stream ciphers has been proposed, and their security remains only empirical. Snow 2.0 is one of these.

Figure 1: One-time pad—1917(used)/1926 (published [22]). Note that this scheme may be transposed in any group (G,+)otherthan ({0, 1}, XOR), encryption being related to addition of the keystream, while decryption consists in subtracting the keystream.

Prerequisite: Alice computed a (public, private) key: an integer n = pq,wherep and q are well chosen large prime numbers, an integer e such that gcd (e, φ(n)) = 1, and an integer d which is the inverse of e modulo φ(n), that is, ed ≡ 1modφ(n); φ(n) denotes the Euler function, φ(n) = φ(pq) = (p − 1)(q − 1). Alice’s public key is (n, e), and her private key is d; p and q have also to be kept secret, but are no more needed to process the data, they were only useful for Alice to compute d from e. Goal: Anyone can send an encrypted message to Alice. Principle: To send an encrypted version of the message m to Alice, Bob computes c = me mod n. To get back to the plaintext, Alice computes cd mod n which, according to Euler’s theorem, is precisely equal to m. Security: It is clear that if an opponent may factor n and recover p and q,hewillbeabletocomputeφ(n), then d,andwillbeable to decrypt Alice messages. So, the RSA problem (accessing m while given c) is weaker than the factorization problem. It is not known whether the two problems are equivalent or not.

Figure 2: RSA—1978 [24]. in some contexts it may be of great interest to have this prop- provide any useful information on the plaintext to some hy- erty not only for one operator but for two at the same time. pothetical adversary having only a reasonably restricted com- Hence, we are also interested in the design of ring/algebraic putational power. More formally, for any function f and homomorphisms. Such schemes would satisfy a relation of the any plaintext m, and with only polynomial resources (that form is, with algorithms which time/space complexities vary as a polynomial function of the size of the inputs), the probabil- ∀m , m ∈ M, E m +Mm ←− E m +C E m , 1 2 1 2 1 2 (2) ity to guess f (m) (knowing f but not m) does not increase E m ×Mm ←− E m ×C E m . 1 2 1 2 if the adversary knows a ciphertext corresponding to m. This As it will be further discussed, no convincing algebraic ho- might be thought of as a kind of perfect secrecy in the case momorphic encryption scheme has been found yet, and their when we only have polynomial resources. design remains an open problem. Together with this strong requirement, the notion of Less formally, these definitions mean that, for a fixed key polynomial security was defined: the adversary chooses two k, it is equivalent to perform operations on the plaintexts plaintexts, and we choose secretly at random one plaintext before encryption, or on the corresponding ciphertexts after and provide to the adversary a corresponding ciphertext. The encryption. So we require a kind of commutativity between adversary, still with polynomial resources, must guess which encryption and some data processing operations. plaintext we chose. If the best he can do is to achieve a prob- Of course, the schemes we will consider in the following ability 1/2+ε of success, the encryption is said to be polyno- have to be probabilistic ciphers, and we may consider E to mially secure. Polynomial security is now known as the indis- behave in a probabilistic way in the above definitions. tinguishability of encryptions following the terminology and definitions of Goldreich [36]. 2.4. New security considerations Quite amazingly, Goldwasser and Micali proved the equivalence between polynomial security and semantic se- Probabilistic encryption was introduced with a clear pur- curity [34]; Goldreich extended these notions [36] preserv- pose: security. This requires to properly define different se- ing the equivalence. With this equivalence, it is easy to state curity levels. Semantic security wasintroducedin[34], at the that a deterministic asymmetric encryption scheme cannot same time as probabilistic encryption, in order to define what be semantically secure since it cannot be indistinguishable: could be a strong security level, unavailable without proba- the adversary knows the encryption function, and thus can bilistic encryption. Roughly, a probabilistic encryption is se- compute the single ciphertext corresponding to each plain- mantically secure if the knowledge of a ciphertext does not text. C. Fontaine and F. Galand 5

Prerequisite: Alice generated a (public, private) key: she ﬁrst chose a large prime integer p, a generating element g of the cyclic ∗ = − ∈ group Zp , and considered q p 1, the order of the group; building her public key, she picked at random a Zq = a ∗ and computed yA g in Zp , her public key being then (g, q, yA); her private key is a. Goal: Anyone can send an encrypted message to Alice. ∈ = k k Principle:Tosendanencryptedversionofthemessagem to Alice, Bob picks at random k Zq,computes(c1, c2) (g , myA) ∗ a −1 ∗ in Zp . To get back to the plaintext, Alice computes c2(c1) in Zp ,whichispreciselyequaltom. Security: The security of this scheme is related to the Diﬃe-Hellman problem: if we can solve it, then we can break ElGamal encryption. It is not known whether the two problems are equivalent or not. This scheme is IND-CPA.

Figure 3: ElGamal—1985 [25].

But with asymmetric encryption schemes, the adversary broken in subexponential time [45]. Note that this last point knows the whole encryption material E involving both the does not mean that deterministic algebraically homomor- encryption function and the encryption key. Thus, he can phic cryptosystems are insecure, but that one can find the compute any pair (m, E(m)). Naor and Yung [37]andRack- plaintext from a ciphertext in a subexponential time (which off and Simon [38] introduced different abilities, relying on is still too long to be practicable). For example, we know the different contexts we discussed above. From the weak- that the security of RSA encryption depends on factorization est to the strongest, we have the chosen-plaintext, nonadap- algorithms and we know subexponential factorization algo- tive chosen ciphertext and the strongest is the adaptive cho- rithm. Nevertheless, RSA is still considered strong enough. sen ciphertext. This leads to the IND-CPA, IND-CCA1, and IND-CCA2 notions in the literature. IND stands for indistin- 3. HOMOMORPHIC ENCRYPTION: STATE OF THE ART guishability whereas CPA and CCA are acronyms for chosen plaintext attack and chosen-ciphertext attack. Finally, CCA1 First of all, let us recall that both RSA and ElGamal encryp- refers to nonadaptive attacks, and CCA2 to adaptive ones. tion schemes are multiplicatively homomorphic. The prob- Considering the previous remarks on the ability for anyone lem is that the original RSA being deterministic, it cannot to encrypt while using asymmetric schemes, the adversary achieve a security level of IND-CPA (which is the highest has always the chosen-plaintext ability. security level for homomorphic schemes, see Section 2.4). Another security requirement termed nonmalleability Furthermore its probabilistic variants, obtained through has also been introduced to complete the analysis. Given a OAEP/OAEP+, are no more homomorphic. In contrast to ciphertext c = E(m), it should be hard for an opponent to RSA, ElGamal offers the best security level for a homomor- produce a ciphertext c such that the corresponding plain- phic encryption scheme, as it has been shown to be IND- text m , that is not necessary known to the opponent, has CPA. Moreover, it is interesting to notice that an additively some known relation with m. This notion was formalized homomorphic variant of ElGamal has also been proposed ff di erently by Dolev et al. [39, 40], and by Bellare et al. [41], [48]. Comparing it with the original ElGamal, this variant both approaches being proved equivalent by Bellare and Sa- also involves an element G (G may be equal to g) that gen- hai [42]. erates (Z , +) with respect to the addition operation. To send ff q We will not detail the relations between all these di er- an encrypted version of the message m to Alice, Bob picks at ent notions and the interested reader can refer to [41–43]for ∈ = k m k random k Zq and computes (c1, c2) (g , G yA). To get a comprehensive treatment. Basically, the adaptive chosen- a −1 back the plaintext, Alice computes c2(c1) , which is equal to ciphertext indistinguishability IND-CCA2 is the strongest re- Gm; then, she has to compute m in a second step. Note that quirement for an encryption; in particular, it implies non- this last decryption step is hard to achieve and that there is malleability. no other choice for Alice than to use brute force search to get It should be emphasized that a homomorphic encryption back m from Gm. It is also well known that ElGamal’s con- cannot have the nonmalleability property. With the notation = struction works for any family of groups for which the dis- of Section 2.3, knowing c,wecancomputec c C c and de- crete logarithm problem is considered intractable. For exam- duce, by the homomorphic property, that c is a ciphertext of = ple, it may be derived in the setup employing elliptic curves. m m Mm. According to the previous remark on adaptive Hence, ElGamal and its variants are known to be really in- chosen-ciphertext indistinguishability, an homomorphic en- teresting candidates for realistic homomorphic encryption cryption has no access to the strongest security requirement. schemes. The highest security level it can reach is IND-CPA. We will now describe another important family of homo- To conclude this section on security, and for the sake morphic encryption schemes, ranging from the first proba- of completeness, we point out some security considerations bilistic system9 proposed by Goldwasser and Micali in 1982 about deterministic homomorphic encryption. First, it was proved that a deterministic homomorphic encryption for which the operation is a simple addition is insecure [44]. 9 To be more precise, the first published probabilistic public-key encryption Second, Boneh and Lipton showed in 1996 that any de- schemeisduetoMcEliece[49], and the first to add the homomorphic terministic algebraically homomorphic cryptosystem can be property is due to Goldwasser-Micali. 6 EURASIP Journal on Information Security

Prerequisite: Alice computed a (public, private) key: she ﬁrst chose n = pq, p and q being large prime numbers, and g a quadratic nonresidue modulo n whose Jacobi symbol is 1; her public key is composed of n and g, and her private key is the factorization of n. Goal: Anyone can send an encrypted message to Alice. ∈ ∗ = b 2 Principle: To encrypt a bit b, Bob picks at random an integer r Zn ,andcomputesc g r mod n (remark that c is a quadratic residue if and only if b = 0). To get back to the plaintext, Alice determines if c is a quadratic residue or not. To do so, she uses the property that the Jacobi symbol (c/p)isequalto(−1)b. Please, note that the scheme encrypts 1 bit of information, while its output is usually 1024 bits long! Security: This scheme is the ﬁrst one that was proved semantically secure against a passive adversary (under computational assumption).

Figure 4: Goldwasser-Micali—1982 [34, 46].

Prerequisite: Alice computed a (public, private) key: she ﬁrst chose an integer n = pq, p and q being two large prime numbers and = = ∗ ∈ n satisfying gcd (n, φ(n)) 1, and considered the group G Zn2 of order k. She also considered g G of order n.Her public key is composed of n and g, and here private key consists in the factors of n. Goal: Anyone can send a message to Alice. ∈ ∈ ∗ = m n 2 Principle: To encrypt a message m Zn, Bob picks at random an integer r Zn ,andcomputesc g r mod n .Togetbackto λ(n) 2 the plaintext, Alice computes the discrete logarithm of c mod n , obtaining mλ(n) ∈ Zn,whereλ(n)denotesthe − Carmichael function. Now, since gcd (λ(n), n) = 1, Alice easily computes λ(n) 1 mod n and gets m. Security: This scheme is IND-CPA.

Figure 5: Paillier—1999 [47].

[34, 46] (described in Figure 4), to the famous Paillier’s en- Then, encryption selects a random element of Mb to encrypt cryption scheme [47] (described in Figure 5) and its im- b, and decryption allows to know in which part the ran- provements. Paillier’s scheme and its variants are famous for domly selected element lies. The core point lies in the way their efficiency, but also because, as ElGamal, they achieve the to choose the subset, and to partition it into M0 and M1.GM highest security level for homomorphic encryption schemes. uses group theory to achieve the following: the subset is the We will not discuss their mathematical considerations in group G of invertible integers modulo n with a Jacobi sym- detail, but will summarize their important parameters and bol, with respect to n, equal to 1. The partition is generated properties. by another group H ⊂ G, composed of the elements that are (i) We begin with the rather simple scheme of invertible modulo n with a Jacobi symbol, with respect to a Goldwasser-Micali [34, 46]. Besides some historical impor- fixed factor of n, equal to 1; with these settings, it is possible tance, this scheme had an important impact on later pro- to split G into two parts: H and G \ H. posals. Several other schemes, that will be presented below, The generalizations of Goldwasser-Micali play with these were obtained as generalizations of this one. For these rea- two groups; they try to find two groups G and H such that G sons, we provide a detailed description in Figure 4.Here,as can be split into more than k = 2 parts. for RSA, we use computations modulo n = pq,aproduct (ii) Benaloh [50] is a generalization of GM, that enables of two large primes. Encryption is simple, with a product to manage inputs of (k) bits, k being a prime satisfying and a square, whereas decryption is heavier, with an expo- some particular constraints. Encryption is similar as in the nentiation. Nevertheless, this step can be done in O((p)2). previous scheme (encrypting a message m ∈{0, ..., k − 1} ∈ ∗ = m k Unfortunately, this scheme presents a strong drawback since means picking an integer r Zn and computing c g r its input consists of a single bit. First, this implies that en- mod n) but decryption is more complex. The input and out- crypting k bits leads to a cost of O(k·(p)2). This is not very put sizes being, respectively, of (k)and(n) bits, the expan- efficient even if it is considered as practical. The second con- sion is equal to (n)/(k). This is better than in the GM case. sequence concerns the expansion: a single bit of plaintext is Moreover, the encryption cost is not too high.√ Nevertheless, encrypted in an integer modulo n, that is, (n) bits. Thus, the the decryption cost is estimated to be O( k(k)) for pre- expansion is really huge. This is the main drawback of this computation, and the same for each dynamical decryption. scheme. This implies that k has to be taken quite small, which limits Before continuing our review, let us present the the gain obtained on the expansion. Goldwasser-Micali (GM) scheme from another point of view. (iii) Naccache-Stern [51] is an improvement of Benaloh’s This is required to understand how it has been generalized. scheme. Considering a parameter k that can be greater The basic principle of GM is to partition a well-chosen sub- than before, it leads to a smaller expansion. Note that set of integers modulo n into two secret parts: M0 and M1. the constraints on k are slightly different. The encryption C. Fontaine and F. Galand 7 step is precisely the same as in Benaloh’s scheme, but the (vii) Galbraith proposed in [58] an adaptation of the pre- decryption is different. To summarize, the expansion is vious scheme in the context of elliptic curves. Its expansion still equal to (n)/(k), but the decryption cost is lower: is equal to 3. The ratio of the encryption (resp., decryption) O((n)5 log ((n))), and the authors claim it is reasonable to cost of this scheme in the case s = 1 over Paillier’s can be choose the parameters as to get an expansion equal to 4. estimatedtobeabout7(resp.,14).But,incontrasttothe (iv) In order to improve previous schemes, Okamoto and previous scheme, the larger the s is, the more the cost may de- Uchiyama decided to change the base group G [52]. Consid- crease. Moreover, as in the case of Damgard-Jurik’s˚ scheme, ering n = p2q, p and q still being two large primes, and the the higher the s is, the stronger the scheme is. = ∗ = 10 group G Zp2 , they achieve k p. Thus, the expansion (viii) Castagnos explored in [59, 60] another improve- is equal to 3. As Paillier’s scheme is an improvement of this ment direction considering quadratic fields quotients. We one and will be fully described below, we will not discuss its have the same kind of structure regarding ns+1 as before, but description in detail. Its advantage lies in the proof that its se- in another context. To summarize, the expansion is 3 and the curity is equivalent to the factorization of n. Unfortunately, ratio of the encryption/decryption cost of this scheme in the a chosen-ciphertext attack has been proposed leading to this case s = 1overPaillier’scanbeestimatedtobeabout2(plus2 factorization. This scheme was used to design the EPOC sys- computations of Legendre symbols for the decryption step). tems [53], currently submitted for the supplement P1363a to (x) To close the survey of this family of schemes, let us the IEEE Standard Specifications for Public-Key Cryptogra- mention the ElGamal-Paillier amalgam, which merges Pail- phy (IEEE P1363). Note that earlier versions of EPOC were lier and the additively homomorphic variant of ElGamal. subject to security flaws as pointed out in [54], due to a bad More precisely, it is based on Damgard-Jurik’s˚ (presented use of the scheme. above) and Cramer-Shoup’s [55] analyses and variants of (v) One of the most well-known homomorphic encryp- Paillier’s scheme, and was proposed by [9]. The goal was tion schemes is due to Paillier [47], and is described in to gain the advantages of both schemes while minimizing Figure 5. It is an improvement of the previous one, that de- their drawbacks. Preserving the notation of both ElGamal creases the expansion from 3 to 2. Paillier came back to and Paillier schemes, we will describe the encryption in the n = pq,withgcd(n, φ(n)) = 1, but considered the group particular case s = 1, which leads Damgard-Jurik’s˚ variant = ∗ = ∈ G Zn2 , and a proper choice of H led him to k (n). to the original Paillier. To encrypt a message m Zn,Bob k The encryption cost is not too high. Decryption needs one picks at random an integer k,andcomputes(c1, c2) = (g exponentiation modulo 2 to the power ( ), and a mul- m k n 2 n λ n mod n,(1+n) (yA mod n) mod n ). tiplication modulo n. Paillier showed in his paper how to Now that we have reviewed the two most famous fami- manage decryption efficiently through the Chinese Remain- lies of homomorphic encryption schemes, we would like to der Theorem. With smaller expansion and lower cost com- mention a few research directions and challenges. pared with the previous ones, this scheme is really attractive. First, as we mentioned in Section 2.1,itisimportant In 2002, Cramer and Shoup proposed a general approach to to have different kinds of schemes, because of applications gain security against adaptive chosen-ciphertext attacks for and security purposes. One direction to design homomor- certain cryptosystems with some particular algebraic prop- phic schemes that are not directly related to the same math- erties [55]. Applying it to Paillier’s original scheme, they pro- ematical problems as ElGamal or Paillier (and variants) is to posed a stronger variant. Bresson et al. proposed in [56]a consider the recent papers dealing with Weil pairing. As this slightly different version that may be more accurate for some new direction is more and more promising in the design of applications. asymmetric schemes, the investigation in the particular case (vi) Damgard˚ and Jurik proposed in [57] a generalization ∗ of homomorphic ciphers is of interest. ElGamal may not be of Paillier’s scheme to groups of the form Zns+1 with s>0. The directly used in the Weil pairing setup as the mathematical larger the s is, the smaller the expansion is. Moreover, this problem it is based on becomes easy to manage. One more scheme leads to a lot of applications. For example, we can promising direction is the use of the pairing-based scheme mention the adaptation of the size of the plaintexts, the use proposed by Boneh and Franklin [61] to obtain a secure ho- of threshold cryptography, electronic voting, and so forth. To momorphic ID-based scheme (see directions in [62] for the ∈ ∈ ∗ encrypt a message m Zn, one picks r Zn at random and ability of such schemes to provide interesting new features). m ns ∈ computes g r Zns+1 . The authors show that if one can A second interesting research direction lies in the area of = break the scheme for a given value s σ, then one can break symmetric encryption. As all the homomorphic encryption = − it for s σ 1. They also show that the semantic security of schemes we mentioned so far are asymmetric, they are not this scheme is equivalent to that of Paillier. Tosummarize, the as fast as symmetric ones could be. But, homomorphy is eas- ffi expansion is of 1+1/s, and hence can be close to 1 if s is su - ier to manage when mathematical operators are involved in ciently large. The ratio of the encryption cost of this scheme the encryption process, which is not usually the case in sym- over Paillier’s can be estimated to be (1/6)s(s +1)(s +2).The metric schemes. Very few symmetric homomorphic schemes same ratio for the decryption step equals (1/6)(s +1)(s +2). have been proposed, most of them being broken ([63]bro- Note that even if this scheme is better than Paillier’s accord- ken in [64, 65], [66]brokenin[67]). Nevertheless, it may ing to its lower expansion, it remains more costly. Moreover, if we want to encrypt or decrypt k blocks of (n) bits, running Paillier’s scheme k times is less costly than running Damgard-˚ 10 This scheme is mentioned in the conclusion of [59], and more deeply Jurik’s scheme once. presented in [60], unfortunately in French. 8 EURASIP Journal on Information Security be of interest to consider a simple generalization of the one- Notes in Computer Science, pp. 117–126, Springer, New York, time pad, where bits are replaced by integers modulo n,as NY, USA, 1987. introduced by [68]. In terms of security, it has exactly the [3] D. Rappe, Homomorphic cryptosystems and their applications, same properties than the one-time pad, that is, perfect se- Ph.D. thesis, University of Dortmund, Dortmund, Germany, crecy if and only if the keystream is truly random, of same 2004, http://www.rappe.de/doerte/Diss.pdf. length as the plaintext, and is used only once. Here again, this [4] R. Cramer and I. Damgard,˚ “Zero-knowledge for finite field arthmetic, or: can zeroknowledge be for free?” in Advances is overwhelming and the keystream could be generated by a in Cryptology (CRYPTO ’98), vol. 1462 of Lecture Notes in well-chosen pseudorandom generator (e.g., as Snow 2.0), de- Computer Science, pp. 424–441, Springer, New York, NY, USA, creasing security from unconditional to computational. Note 1998. that this scheme’s homomorphy is a little bit fuzzy, as we have [5] H. Lipmaa, “Verifiable homomorphic oblivious transfer and for any pair of encryption keys (k1, k2) private equality test,” in Advances in Cryptology (ASIACRYPT ’03), vol. 2894 of Lecture Notes in Computer Science, pp. 416– ∀ ∈ M ←− m1, m2 , Ek1+k2 m1 + m2 Ek1 m1 + Ek2 m2 . 433, Springer, New York, NY, USA, 2003. (3) [6] P.-A. Fouque, G. Poupard, and J. Stern, “Sharing decryption in the context of voting or lotteries,” in Proceedings of the 4th This is the only example of a symmetric homomorphic en- International Conference on Financial Cryptography, vol. 1962 cryptionthathasnotbeencracked. of Lecture Notes in Computer Science, pp. 90–104, Anguilla, As per algebraic homomorphy, designing algebraically British West Indies, 2000. homomorphic encryption schemes is a real challenge today. [7] T. Sander and C. Tschudin, “Protecting mobile agents against There has been only a few ones proposed: by Fellows and malicious hosts,” in Mobile Agents and Security, vol. 1419 of Koblitz [69] (which cannot be considered as secure nor ef- Lecture Notes in Computer Science, pp. 44–60, Springer, New ficient [70]), by Domingo-Ferrer [63, 66](whichhasbeen York, NY, USA, 1998. broken [64, 65, 67]), and construction studies of Rappe et al. [8] P.Golle, M. Jakobsson, A. Juels, and P.Syverson, “Universal re- [3]. No satisfactory solution has been proposed so far, and, encryption for mixnets,” in Proceedings of the RSA Conference Cryptographers (Track ’04), vol. 2964 of Lecture Notes in Com- as Boneh and Lipton conjectured that any algebraically ho- puter Science, pp. 163–178, San Francisco, Calif, USA, 2004. momorphic encryption would prove to be insecure [45], the [9] I. Damgard˚ and M. Jurik, “A length-flexible threshold cryp- question of their existence and design is still open. tosystem with applications,” in Proceedings of the 8th Aus- tralian Conference on Information Security and Privacy (ACISP 4. CONCLUSION ’03), vol. 2727 of Lecture Notes in Computer Science, Wollon- gong, Australia, 2003. We presented in this paper a state of the art on homomor- [10] A. Adelsbach, S. Katzenbeisser, and A. Sadeghi, “Cryptology phic encryption schemes discussing their parameters, perfor- meets watermarking: detecting watermarks with minimal or mances and security issues. As we saw, these schemes are not zero-knowledge disclosures,” in Proceedings of the European well suited for every use, and their characteristics must be Signal Processing Conference (EUSIPCO ’02), Toulouse,France, taken into account. Nowadays, such schemes are studied in September 2002. wide application contexts, but the research is still challeng- [11] B. Pfitzmann and W. Waidner, “Anonymous fingerprinting,” in Advances in Cryptology (EUROCRYPT ’97), vol. 1233 of ing in the cryptographic community to design more power- Lecture Notes in Computer Science, pp. 88–102, Springer, New ful/secure schemes. Their use in the signal processing com- York, NY, USA, 1997. munity is quite new, and we hope this paper will serve as [12] N. Memon and P. Wong, “A buyer-seller watermarking proto- a guide for understanding their specificities, advantages and col,” IEEE Transactions on Image Processing, vol. 10, no. 4, pp. limits. 643–649, 2001. [13] C.-L. Lei, P.-L. Yu, P.-L. Tsai, and M.-H. Chan, “An efficient ACKNOWLEDGMENTS and anonymous buyer-seller watermarking protocol,” IEEE Transactions on Image Processing, vol. 13, no. 12, pp. 1618– The authors are indebted to the referees for their fruitful 1626, 2004. comments concerning this manuscript, and to Fabien Laguil- [14] M. Kuribayashi and H. Tanaka, “Fingerprinting protocol for laumie and Guilhem Castagnos for discussions about the re- images based on aditive homomorphic property,” IEEE Trans- cent improvements in the field. They also thank all the peo- actions on Image Processing, vol. 14, no. 12, pp. 2129–2139, 2005. ple who took the time to read this manuscript and share their [15] V. Shoup, A Computational Introduction to Number thoughts about it. Dr. C. Fontaine is supported (in part) by Theory and Algebra, Cambridge University Press, 2005, the European Commission through the IST Programme un- http://www.shoup.net/ntb/. der Contract IST-2002-507932 ECRYPT. [16] A. Menezes, P. Van Orschot, and S. Vanstone, Hand- book of applied cryptography, CRC Press, 1997, REFERENCES http://www.cacr.math.uwaterloo.ca/hac/. [17] H. Van Tilborg, Ed., Encyclopedia of Cryptography and Security, [1] R. Rivest, L. Adleman, and M. Dertouzos, “On data banks and Springer, New York, NY, USA, 2005. privacy homomorphisms,” in Foundations of Secure Computa- [18] A. Kerckhoffs, “La cryptographie militaire (part i),” Journal des tion, pp. 169–177, Academic Press, 1978. Sciences Militaires, vol. 9, no. 1, pp. 5–38, 1883. [2] E. Brickell and Y. Yacobi, “On privacy homomorphisms,” in [19] A. Kerckhoffs, “La cryptographie militaire (part ii),” Journal Advances in Cryptology (EUROCRYPT ’87), vol. 304 of Lecture des Sciences Militaires, vol. 9, no. 2, pp. 161–191, 1883. C. Fontaine and F. Galand 9

[20] J. Daemen and V. Rijmen, “The block cipher RIJNDAEL,” in [38] C. Rackoff and D. Simon, “Non-interactive zero-knowledge (CARDIS ’98), vol. 1820 of Lecture Notes in Computer Science, proof of knowledge and chosen ciphertext attack,” in Advances pp. 247–256, Springer, New York, NY, USA, 2000. in Cryptology (CRYPTO ’91), vol. 576 of Lecture Notes in Com- [21] J. Daemen and V. Rijmen, “The design of Rijndael,” in AES— puter Science, pp. 433–444, Springer, New York, NY, USA, the Advanced Encryption Standard, Informtion Security and 1991. Cryptography, Springer, New York, NY, USA, 2002. [39] D. Dolev, C. Dwork, and M. Naor, “Non-malleable cryptogra- [22] G. Vernam, “Cipher printing telegraph systems for secret wire phy,” in Proceedings of the 23rd ACM Annual Symposium on the and radio telegraphic communications,” Journal of the Ameri- Theory of Computing —(STOC ’91), pp. 542–552, 1991. can Institute of Electrical Engineers, vol. 45, pp. 109–115, 1926. [40] D. Dolev, C. Dwork, and M. Naor, “Non-malleable cryptogra- [23] P. Ekdahl and T. Johansson, “A new version of the stream phy,” SIAM Journal of Computing, vol. 30, no. 2, pp. 391–437, cipher SNOW,” in Selected Areas in Cryptography (SAC ’02), 2000. vol. 2595 of Lecture Notes in Computer Science, pp. 47–61, [41] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Re- Springer, New York, NY, USA, 2002. lations among notions of security for public-key encryption [24] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining schemes,” in Advances in Cryptology (CRYPTO ’98), vol. 1462 digital signatures and public-key cryptosystems,” Communica- of Lecture Notes in Computer Science, pp. 26–45, Springer, New tions of the ACM, vol. 21, no. 2, pp. 120–126, 1978. York, NY, USA, 1998. [25] T. ElGamal, “A prublic key cryptosystem and a signature [42] M. Bellare and A. Sahai, “Non-malleable encryption: equiva- scheme based on discrete logarithms,” in Advances in Cryp- lence between two notions, and an indistinguishability-based tology (CRYPTO ’84), vol. 196 of Lecture Notes in Computer characterization,” in Advances in Cryptology (CRYPTO ’99), Science, pp. 10–18, Springer, New York, NY, USA, 1985. vol. 1666 of Lecture Notes in Computer Science, pp. 519–536, [26] C. Shannon, “Communication theory of secrecy systems,” Bell Springer, New York, NY, USA, 1999. System Technical Journal, vol. 28, pp. 656–715, 1949. [43] Y. Watanabe, J. Shikata, and H. Imai, “Equivalence between [27] M. Ajtai and C. Dwork, “A public key cryptosystem with semantic security and indistinguishability against chosen ci- worst-case/average-case equivalence,” in Proceedings of the phertext attacks,” in Public Key Cryptography (PKC ’03), 29th ACM Symposium on Theory of Computing (STOC ’97), vol. 2567 of Lecture Notes in Computer Science, pp. 71–84, pp. 284–293, 1997. Springer, New York, NY, USA, 2003. [28] P. Nguyen and J. Stern, “Cryptanalysis of the Ajtai-Dwork [44] N. Ahituv, Y. Lapid, and S. Neumann, “Processing encrypted cryptosystem,” in Advances in Cryptology (CRYPTO ’98), data,” Communications of the ACM, vol. 30, no. 9, pp. 777–780, vol. 1462 of Lecture Notes in Computer Science, pp. 223–242, 1987. Springer, New York, NY, USA, 1999. [45] D. Boneh and R. Lipton, “Algorithms for black box fields and [29] R. Canetti, O. Goldreich, and S. Halevi, “The random oracle their application to cryptography,” in Advances in Cryptology model, revisited,” in Proceedings of the 30th ACM Symposium (CRYPTO ’96), vol. 1109 of Lecture Notes in Computer Science, on Theory of Computing (STOC ’98), pp. 209–218, Berkeley, pp. 283–297, Springer, New York, NY, USA, 1996. Calif, USA, 1998. [46] S. Goldwasser and S. Micali, “Probabilistic encryption,” Jour- [30] P.Paillier, “Impossibility proofs for RSA signatures in the stan- nal of Computer and System Sciences, vol. 28, no. 2, pp. 270– dard model,” in Proceedings of the RSA Conference 2007, Cryp- 299, 1984. tographers’ (Track), vol. 4377 of Lecture Notes in Computer Sci- ence, pp. 31–48, San Fancisco, Calif, USA, 2007. [47] P. Paillier, “Public-key cryptosystems based on composite de- [31] W. Diffie and M. Hellman, “New directions in cryptography,” gree residuosity classes,” in Advances in Cryptology (EURO- IEEE Transactions on Information Theory,vol.22,no.6,pp. CRYPT ’99), vol. 1592 of Lecture Notes in Computer Science, 644–654, 1976. pp. 223–238, Springer, New York, NY, USA, 1999. [32] D. Kahn, The Codebreakers: The Story of Secret Writing, [48] R. Cramer, R. Gennaro, and B. Schoenmakers, “A secure and ffi Macmillan, New York, NY, USA, 1967. optimally e cient multiauthority election scheme,” in Ad- [33] M. Bellare and P. Rogaway, “Optimal asymmetric vances in Cryptology (EUROCRYPT ’97), vol. 1233 of Lecture encryption—how to encrypt with RSA,” in Advances in Notes in Computer Science, pp. 103–118, Springer, New York, Cryptology (EUROCRYPT ’94), vol. 950 of Lecture Notes in NY, USA, 1997. Computer Science, pp. 92–111, Springer, New York, NY, USA, [49] R. McEliece, “A public-key cryptosystem based on algebraic 1995. coding theory,” Dsn progress report, Jet Propulsion Labora- [34] S. Goldwasser and S. Micali, “Probabilistic encryption & how tory, 1978. to play mental poker keeping secret all partial information,” in [50] J. Benaloh, Verifiable secret-ballot elections, Ph.D. thesis, Yale Proceedings of the 14th ACM Symposium on the Theory of Com- University, Department of Computer Science, New Haven, puting (STOC ’82), pp. 365–377, New York, NY, USA, 1982. Conn, USA, 1988. [35] M. Blum and S. Goldwasser, “An efficient probabilistic public- [51]D.NaccacheandJ.Stern,“Anewpublic-keycryptosystem key encryption scheme which hides all partial information,” in based on higher residues,” in Proceedings of the 5th ACM Con- Advances in Cryptology (EUROCRYPT ’84), vol. 196 of Lecture ference on Computer and Communications Security, pp. 59–66, Notes in Computer Science, pp. 289–299, Springer, New York, San Francisco, Calif, USA, November 1998. NY, USA, 1985. [52] T. Okamoto and S. Uchiyama, “A new public-key cryptosys- [36] O. Goldreich, “A uniform complexity treatment of encryption tem as secure as factoring,” in Advances in Cryptology (EURO- and zero-knowledge,” Journal of Cryptology,vol.6,no.1,pp. CRYPT ’98), vol. 1403 of Lecture Notes in Computer Science, 21–53, 1993. pp. 308–318, Springer, New York, NY, USA, 1998. [37] M. Naor and M. Yung, “Public-key cryptosystems provably se- [53] T. Okamoto, S. Uchiyama, and E. Fujisaki, “Epoc: efficient cure against chosen ciphertext attacks,” in Proceedings of the probabilistic publickey encryption,” Tech. Rep., 2000, Proposal 22nd ACM Annual Symposium on the Theory of Computing to IEEE P1363a, http://grouper.ieee.org/groups/1363/P1363a/ (STOC ’90), pp. 427–437, Baltimore, Md, USA, 1990. draft.html. 10 EURASIP Journal on Information Security

[54] M. Joye, J.-J. Quisquater, and M. Yung, “On the power of [69] M. Fellows and N. Koblitz, “Combinatorial cryptosystems ga- misbehaving adversaries and security analysis of the original lore!,” in Contemporary Mathematics, vol. 168 of Finite Fields: EPOC,” in Topics in Cryptology CT-RSA 2001, vol. 2020 of Lec- Theory, Applications, and Algorithms, FQ2, pp. 51–61, 1993. ture Notes in Computer Science, Springer, New York, NY, USA, [70] L. Ly, A public-key cryptosystem based on Polly Cracker,Ph.D. 2001. thesis, Ruhr-Universitat¨ Bochum, Bochum, Germany, 2002. [55] R. Cramer and V. Shoup, “Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption,” in Advances in Cryptology (EUROCRYPT ’02), vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, New York, NY, USA, 2002. [56] E. Bresson, D. Catalano, and D. Pointcheval, “A simple public- key cryptosystem with a double trapdoor decryption mechanism and its applications,” in Advances in Cryptology (ASI- ACRYPT ’03), vol. 2894 of Lecture Notes in Computer Science, pp. 37–54, Springer, New York, NY, USA, 2003. [57] I. Damgard˚ and M. Jurik, “A generalisation, a simplification and some applications of Pailliers probabilistic public-key system,” in 4th International Workshop on Practice and Theory in Public-Key Cryptography, vol. 1992 of Lecture Notes in Com- puter Science, pp. 119–136, Springer, New York, NY, USA, 2001. [58] S. Galbraith, “Elliptic curve paillier schemes,” Journal of Cryp- tology, vol. 15, no. 2, pp. 129–138, 2002. [59] G. Castagnos, “An efficient probabilistic public-key cryptosystem over quadratic fields quotients,” 2007, Finite Fields and Their Applications, paper version in press, http://www.unilim.fr/pages perso/guilhem.castagnos/. [60] G. Castagnos, Quelques schémas de cryptographie asymétrique probabiliste, Ph.D. thesis, Universite´ de Limoges, 2006, http://www.unilim.fr/pages perso/guilhem.castagnos/. [61] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Advances in Cryptology (CRYPTO ’01), vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, New York, NY, USA, 2001. [62] D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical identity based encryption with constant size ciphertext,” in Advances in Cryptology (EUROCRYPT ’05), vol. 3494 of Lecture Notes in Computer Science, pp. 440–456, Springer, New York, NY, USA, 2005. [63] J. Domingo-Ferrer, “A provably secure additive and multiplicative privacy homomorphism,” in Proceedings of the 5th International Conference on Information Security (ISC ’02), vol. 2433 of Lecture Notes in Computer Science, pp. 471–483, Sao Paulo, Brazil, 2002. [64] D. Wagner, “Cryptanalysis of an algebraic privacy homomorphism,” in Proceedings of the 6th International Conference on Information Security (ISC ’03), vol. 2851 of Lecture Notes in Computer Science, Bristol, UK, 2003. [65] F. Bao, “Cryptanalysis of a provable secure additive and multiplicative privacy homomorphism,” in International Workshop on Coding and Cryptograhy (WCC ’03), pp. 43–49, Versailles, France, 2003. [66] J. Domingo-Ferrer, “A new privacy homomorphism and applications,” Information Processing Letters,vol.60,no.5,pp. 277–282, 1996. [67] J. Cheon, W.-H. Kim, and H. Nam, “Known-plaintext cryptanalysis of the domingo-ferrer algebraic privacy homomorphism scheme,” Information Processing Letters, vol. 97, no. 3, pp. 118–123, 2006. [68] C. Castelluccia, E. Mykletun, and G. Tsudik, “Efficient ag- gregation of encrypted data in wireless sensor networks,” in ACM/IEEE Mobile and Ubiquitous Systems: Networking and Services (Mobiquitous ’05), pp. 109–117, 2005. Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 51368, 10 pages doi:10.1155/2007/51368

Research Article Secure Multiparty Computation between Distrusted Networks Terminals

S.-C. S. Cheung1 and Thinh Nguyen2

1 Center for Visualization and Virtual Environments, Department of Electrical and Computer Engineering, University of Kentucky, Lexington, KY 40507, USA 2 School of Electrical Engineering and Computer Science, Oregon State University, 1148 Kelley Engineering Center Corvallis, Oregon, OR 97331-5501, USA

Correspondence should be addressed to S.-C. S. Cheung, [email protected]

Received 7 May 2007; Accepted 12 October 2007

Recommended by Stefan Katzenbeisser

One of the most important problems facing any distributed application over a heterogeneous network is the protection of private sensitive information in local terminals. A subﬁeld of cryptography called secure multiparty computation (SMC) is the study of such distributed computation protocols that allow distrusted parties to perform joint computation without disclosing private data. SMC is increasingly used in diverse ﬁelds from data mining to computer vision. This paper provides a tutorial on SMC for nonexperts in cryptography and surveys some of the latest advances in this exciting area including various schemes for reducing communication and computation complexity of SMC protocols, doubly homomorphic encryption and private information retrieval.

Copyright © 2007 S.-C. S. Cheung and T. Nguyen. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION the criminal biometric database from law enforcement, the surveillance tape from company A, and the proprietary soft- Theproliferationofcapturingandstoragedevicesaswellas ware from company B. the ubiquitous presence of computer networks make shar- Encryption alone cannot provide adequate protection ing of data easier than ever. Such pervasive exchange of data, when performing the aforementioned applications. The en- however, has increasingly raised questions on how sensitive crypted data needs to be decrypted at the receiver for pro- and private information can be protected. For example, it is cessing and the raw data will then become vulnerable. Al- now commonplace to send private photographs or videos to ternatively, the client can download the software and pro- the hundreds of online photoprocessing stores for storage, cess her private data in a secure environment. This, however, development, and enhancement like sharpening and red-eye runs the risk of having the proprietary technology of the soft- removal. Few companies provide any protection of the per- ware company pirated or reverse-engineered by hackers. The sonal pictures they receive. Hackers or employees of the store Trusted Computing (TC) Platform may solve this problem by may steal the data for personal use or distribute them for per- executing the software in a secure memory space of the client sonal gain without consent from the owner. machine equipped with a cryptographic coprocessor [1]. Be- There are also security applications in which multiple sides the high cost of overhauling the existing PC platform, parties need to collaborate with each other but do not want the TC concept remains highly controversial due to its un- any of their own private data disclosed. Consider the fol- balanced protection of the software companies over the con- lowing example: a law-enforcement agency wants to search sumers [2]. for possible suspects in a surveillance video owned by pri- The technical challenge to this problem lies in develop- vate company A, using a proprietary software developed by ing a joint computation and communication protocol to be another private company B. The three parties involved all executed among multiple distrusted network terminals with- have information they do not want to share with each other: out disclosing any private information. Such a protocol is 2 EURASIP Journal on Information Security called a secure multiparty computation (SMC) protocol and One of the basic tools used in PSMC is secret sharing. hasbeenanactiveresearchareaincryptographyformore A t-out-of-m secret-sharing scheme breaks a secret num- than twenty years [3]. Recently, researchers in other disci- ber x into mshares r1, r2, ..., rm such that x cannot be recon- plines such as signal processing and data mining have begun structed unless an adversary obtains more than t − 1 shares touseSMCtosolvevariouspracticalproblems.Thegoalof with t ≤ m. The importance of a secret-sharing scheme in this paper is to provide a tutorial on the basic theory of SMC PSMC is illustrated by the following example: in a 2-party and to survey recent advances in this area. secure computation of f (x1, x2), party Pi will use a 2-out- of-2 secret-sharing scheme to break xi into ri1 and ri2,and 2. PROBLEM FORMULATION share rij with party Pj . Each party then computes the function using the shares received, resulting in y1 f (r11, r21) The basic framework of SMC is as follows: there are n par- at P1 and y2 f (r12, r22)atP2. If the secret-sharing scheme ties P , P , ..., P on a network who want to compute a joint 1 2 n is homomorphic under the function f (·), that is, y1 and y2 function f (x , x , ..., x ) based on private data x owned by 1 2 n i are themselves secret shares of the desired function f (x1, x2), party P for i = 1, 2, ..., n. The goal of the SMC is that P i i f (x1, x2) can then be easily computed by exchanging y1 and will not learn anything about x for j=i beyond what can be j y2 between the two parties. Under our computational model, inferred from her private data xi and the result of the com- all SMC problems can be solved if the secret-sharing scheme putation f (x1, x2, ..., xn). SMC can be trivially accomplished is doubly homomorphic—it preserves both addition and mul- if there is a special server, trusted by every party with its pri- tiplication. One such scheme was invented by Adi Shamir vate data, to carry out the computation. This is not a practical which we will explain next [4]. solution as it is too costly to protect such a server. The objec- In Shamir’s secret-sharing scheme, a party hides her se- tive of any SMC protocol is to emulate this ideal model as cret number x as the constant term of a secret polynomial much as possible by using clever transformations to conceal g(z)ofdegreet − 1, the private data. Almost all SMC protocols are classified based on their t−1 t−2 models of security and adversarial behaviors. The most com- g(z) at−1z + at−2z + ··· + a1z + x. (1) monly used security models are perfect security and computational security, which will be covered in Sections 3 and 4, respectively. Adversarial behaviors are broadly classified into The coefficients a1 to at−1 are random coefficients distributed two types: semihonest and malicious. A dishonest party is uniformly over the entire field. Given the polynomial g(z), called semihonest if she follows the SMC protocol faithfully the secret number x can be recovered by evaluating it at but attempts to find out about other’s private data through z = 0. The secret shares are computed by evaluating g(z)at the communication. A malicious party, on the other hand, z = 1, 2, ..., m and are distributed to m other parties. It is as- will modify the protocol to gain extra information. We will sumed that each party knows the degree of g(z) and the value focus primarily on semihonest adversaries but briefly de- z at which her share is evaluated. We follow the convention scribe how the protocols can be fortified to handle malicious that the share received by party Pi is evaluated at z = i. adversaries. If an adversary obtains any t shares g(z1), g(z2), ..., g(zt) We also assume that private data are elements from a fi- with zi ∈{1, 2, ..., m}, the adversary can then formulate the nite field F and the target function f (·) can be implemented following polynomial g(z): as a combination of the field’s addition and multiplication. This is a reasonably general computational model for two t t − reasons: first, at the lowest level, any digital computing device j=1,j=i z zj g(z) g z . (2) can be modeled by setting F as the binary field with the XOR i t − i=1 j=1,j=i zi zj as addition and AND as multiplication. Second, while most signal processing and scientific computation are described using real numbers, we can approximate the real numbers We claim that g(z) is identical to the secret polynomial g(z): with a reasonably large finite field and estimate any analytical first, the degree g(z)ist − 1, same as that of g(z). Second, function using a truncated version of its power series expan- g(z) = g(z)forz = z1, z2, ..., zt because, when evaluating sion, which consists of only additions and multiplications. g(z) at a particular z = zi, every term inside the summation in (2) will go to zero except for the one that contains 3. SMC WITH PERFECT SECURITY g(zi) it simply becomes g(zi) as the multiplier becomes one. Consequently, the (t − 1)th-degree polynomial g(z) − g(z) In this section, we discuss perfectly secure multiparty com- will have t roots. As the number of roots is higher than the putation (PSMC) in which an adversary will learn nothing degree, g(z) − g(z) must be identically zero or g(z) ≡ g(z). about the secret numbers of the honest parties no matter As a result, the adversary can reconstruct the secret number how computationally powerful the adversary is. The idea is x = g(0). that while the adversary may control a number of parties who On the other hand, the adversary will have no knowledge receive messages from other honest senders, these messages about x even if it possesses as many as t − 1 shares. This is provide no useful information about the secret numbers of because, for any arbitrary secret number x, there exists a the senders. polynomial h(z) such that h(0) = x and h(zi) = g(zi)for S.-C. S. Cheung and T. Nguyen 3 i = 1, 2, ..., t − 1. h(z) is given as follows and its properties is Party 1 Party 2 Party 3 similar to those of (2): g(1)h(1) g(2)h(2) g(3)h(3) h(z) t−1 − t−1 t−1 − j=1 z zj z j=1,j=i z zj (3) x − + g z − . t 1 i t 1 q1(z)with q2(z)with q3(z)with = − z = z = = z − z j 1 j i 1 i j 1,j i i j = = q1(0) g(1)h(1) q2(0) g(2)h(2) q3(0) = g(3)h(3) q (1) Shamir’s secret-sharing scheme is obviously homomor- q1(3) q2(1) q2(3) 3 q3(3) q2(2) q (2) phic under addition: given two secret (t − 1)th-degree poly- q1(1) q1(2) 3 nomials g(z)andh(z), the secret shares of g(z)+h(z)are = = = simply the summation of their respective secret shares g(1) + q(1) γ1q1(1)+ q(2) γ1q1(2)+ q(3) γ1q1(3)+ γ q (2) + γ q (2) γ q (3) + γ q (3) h(1), g(2)+h(2), ..., g(m)+h(m). Secrecy is also maintained γ2q2(1) + γ3q3(1) 2 2 3 3 2 2 3 3 as the coefficients of g(z)+h(z), except for the constant term which is the sum of all the secret numbers, are uniformly distributed and no party can gain additional knowledge about q(0) = γ1q(1) + γ2q(2) + γ3q(3) = g(0)h(0) others’ secret shares. On the other hand, the degree of the product polynomial g(z)h(z) increases to 2(t−1). The locally Figure 1: This diagram shows how three parties can share computed shares g(1)h(1), g(2)h(2), ..., g(m)h(m) cannot the secret g(0)h(0) based on the locally computed products completely specify g(z)h(z) unless the number of shares m g(1)h(1), g(2)h(2), and g(3)h(3). is strictly larger than 2(t − 1) or equivalently, t ≤m/2. Even if this condition is satisfied, a series of product can easily result in a polynomial with degree higher than m.Fur- ffi The second last equality is because g(j)h(j) is the secret thermore, the coe cients of the product polynomial is not number hidden by the polynomial q (z). The last equality entirely random, for example, they are related in such a way j is based on (5). This implies that di for i = 1, 2, ..., m are that the polynomial can be factored by the original polyno- secret shares of the scalar g(0)h(0). An example of the above mials. These problems can be solved by first assuming that protocol in a three-party situation is shown in Figure 1. ≤ t m/2 and then replacing the product polynomial by a To address how each party can solve (5), we note that, − new (t 1)th-degree polynomial as follows. based on our assumption t ≤m/2 the degree of the prod- Pi first computes g(i)h(i) and then generates a random uct polynomial g(z)h(z) is strictly smaller than the number (t − 1)th-degree polynomial qi(z)withqi(0) = g(i)h(i). m−1 of shares m.Letg(z)h(z) = am−1z + ··· + a0. The coef- Again, using the secret-sharing scheme, Pi sends share qi(j) ficients ’s are completely determined by the values ( ) ( ) = ai g z h z to party Pj for j 1, 2, ..., m. This step leaks no information at z = 1, 2, ..., m. In other words, the following matrix equa- about the local product g(i)h(i). In the final step, Pi computes tion has a unique solution: di based on all the received shares qj (i)forj = 1, 2, ..., m, ⎛ ⎞ ⎛ ⎞ ⎛ ⎞ m−1 m−2 0 m 1 1 ··· 1 am−1 g(1)h(1) ⎜ m−1 m−2 0 ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ 2 2 ··· 2 ⎟ ⎜ − ⎟ ⎜ (2) (2) ⎟ di γ j qj (i), (4) ⎜ ⎟ ⎜am 2⎟ ⎜ g h ⎟ j=1 Va ⎜ . . . ⎟ ⎜ . ⎟ = ⎜ . ⎟ . ⎝ . . . ⎠ ⎝ . ⎠ ⎝ . ⎠ = m−1 m−2 ··· 0 where γ j for j 1, 2, ..., m solve the following equation: m m m a0 g(m)h(m) (8) m = g(0)h(0) γ j g(j)h(j). (5) × j=1 The m m invertible matrix V is called the Vandermonde matrix and it is a constant matrix. Taking its inverse W = −1 = Before explaining how Pi can solve (5) without knowing V and considering the last row entries Wmi for i g(0)h(0) and g(j)h(j)forj=i, we first note that di for i = 1, 2, ..., m,wehave 1, 2, ..., m are shares of a (t − 1)th-degree polynomial q(z) defined below: m Wmig(i)h(i) = a0 = g(0)h(0). (9) m = i 1 q(z) γ j qj (z). (6) j=1 = = Comparing (9)with(5), we have Wmi γi for i 1, 2, ..., m, ffi which are constants. The coe cients of q(z)areuniformlyrandomastheyare ≤ linear combinations of uniformly distributed coefficients of The condition t m/2 on using Shamir’s scheme in PSMC posts a restriction on the number of dishonest parties q (z)’s. Furthermore, its constant term is our target secret j tolerated—it implies that the number of honest parties must number g(0)h(0): be a strict majority. In particular, we cannot use this scheme m m for a two-party SMC in which one party has to assume that = = = q(0) γ j qj (0) γ j g(j)h(j) g(0)h(0). (7) the other party is dishonest. A surprising result in [5] shows j=1 j=1 that the condition t ≤m/2 is not a weakness of Shamir’s 4 EURASIP Journal on Information Security

1 scheme—in fact, except for certain trivial functions, it is im- Table 1: OT table at P1. possible to compute any f (x , x , ..., x ) with perfect security 1 2 m Key Values if the number of dishonest parties equals to or exceeds m/2. − To conclude this section, we briefly describe how PSMC 0 u − protocols can be modified to handle malicious parties. There 11r11 u − are two types of disruption: first, a malicious party can out- 22r11 u put erroneous results and second, she may perform an incon- . . . . sistent secret-sharing scheme such as evaluating the polyno- r22 r22r11 − u mial at random points. Provided the number of malicious . . parties is less than one third of the total number of par- . . ties, the first problem can be solved by replacing (2)witha N − 2(N − 2)r11 − u robust extrapolation scheme based on Reed-Solomon codes N − 1(N − 1)r11 − u [5]. This bound on the number of malicious parties can be raised to one half by combining interactive zero-knowledge proof with a broadcast channel [6]. The second problem can sider the protocols for addition and multiplication in finite be solved by using a verifiable secret-sharing (VSS) scheme fields. We will concentrate on the canonical two-party case in which the sender needs to provide auxiliary information but our construction can be easily extended to more than so that the receivers can verify the consistency of their shares two parties. Our starting point of building general CSMC is without gaining knowledge of the secret number [5]. a straightforward secret-sharing scheme: each secret number is simply broken down as a sum of two uniformly distributed random numbers: x1 = r11 + r12 and x2 = r21 + r22. Pi then 4. SMC WITH COMPUTATIONAL SECURITY sends rij to Pj for j=i. This scheme is clearly homomorphic under addition It is unsatisfactory that PSMC introduced in Section 3 can- = not even provide secure two-party computation. Instead of x1 + x2 r11 + r21 + r12 + r22 . (10) relying on perfect security, modern cryptographical tech- Multiplication, on the other hand, introduces cross-term niques primarily use the so-called computational security r r which breaks the homomorphism the homomorphism model. Under this model, secrets are protected by encoding 11 22 them based on a mathematical function whose inverse is dif- x1x2 = r11r21 + r12x2 + r11r22. (11) ficult to compute without the knowledge of a secret key. Such a function is called one-way trapdoor function and the con- While the first two terms can be locally computed by P1 and cept is used in many public-key cipher: a sender who wants P2, respectively, it is impossible to compute the third term to send a message m to party P will first compute a cipher- r11r22 without having one party revealed the actual secret text c = E(m, k) based on the publicly known encryption number to the other. In order to accomplish this under the algorithm E(·)’s and P’s advertised public key k. The encryp- computational security model, we will make use of a general tion algorithm acts as a one-way trapdoor function because cryptographic protocol called the oblivious transfer (OT). a computationally bounded eavesdropper will not be able to A 1-out-of-N OT protocol allows one party (the chooser) recover m given only c and k. On the other hand, P can re- to read one entry from a table with N entries hosted by an- cover m by applying a decoding algorithm D(E(m, k), s) = m other party (the sender). Provided that both parties are com- using her secret key s. Unlike perfectly secure protocols in putationally bounded, the OT protocol prevents the chooser which the adversary simply does not have any information from reading more than one entry and the sender from about the secret, the adversary in the computationally secure knowing the chooser’s choice. We first show how the OT model is unable to decrypt the secret due to the computa- protocol can be used to break r11r22 in (11) into random tional burden in solving the inverse problem. Even though shares u and v such that r11r22 = u + v. Assume our fi- it is still a conjecture that true one-way trapdoor functions nite field has N elements. The sender P1 generates a ran- exist and future computation platforms like quantum com- dom u and then creates a table T with N entries shown in 3 puter may drastically change the landscape of these func- Table 1. Using the OT protocol, the chooser P2 selects the tions, many one-way function candidates exist and are rou- entry v T(r ) = r r − u without letting P know her 2 22 22 11 1 tinely used in practical security systems. selection or inspecting any other entries in the table. The most fundamental result in SMC is that it is possible It remains to show how OT provides the security guaran- to design general computationally secure multiparty compu- tee. A 1-out-of-N OT protocol consists of the following five tation (CSMC) protocols to handle arbitrary number of dis- steps. honest parties [3]. In this section, we will discuss the basic construction of these protocols. Similar to Section 3,wecon- (1) P1 sends N randomly generated public keys k0, k1, ..., kN−1 to P2.

1 The exceptions are those functions that are separable or f (x1, x2, ..., 3 xm) = f1(x1) f2(x2) ··· fm(xm). The role of P1 and P2 can be interchanged with proper adjustment to 2 A list of one-way function candidates can be found in [7, Chapter 1]. Table 1 entries. S.-C. S. Cheung and T. Nguyen 5

(2) P2 selects kr22 basedonhersecretnumberr22,encrypts ing the communication requirement of OT and other CSMC ff her public key k using kr22 , and sends E(k , kr22 )back protocols thus become the focus of intensive research e ort. to P1. In [9], Naor and Pinkas showed that the 1-out-of-N OT (3) As P1 does not know P2’s key selection, P1 decodes protocol can be reduced to applying a 1-out-of-2 OT proto- = col log N times. The idea is that the two parties repeatedly the incoming message using all possible keys or ki 2 = use the 1-out-of-2 OT on individual bits of the binary repre- D(E(k , kr22 ), si)withprivatekeyssi for i 0, 1, ..., − sentation of the chooser’s secret number x2: in the ith round, N 1. Only one of ki ’s (kr ) matches the real key k 22 the sender will present two keys Ki0 and Ki1 to the chooser but P1 has no knowledge of it. who will choose Kix2[i] based on x2[i], the ith bit of x2.The (4) P encrypts each table entry T(i) using k and sends = 1 i keys Ki0 and Ki1 for i 1, 2, ...,log2N are used by the sender = − E(T(i), ki )fori 0, 1, ..., N 1toP2. to encrypt the table entries T(k) using the binary representa- (5) P2 decrypts the r22th message using her private key s : tion of k as follows: = = D(E(T(r22), kr ), s ) T(r22)askr k is the public log2N 22 22 key corresponding to the secret key s . P2 then obtains E T(k) = T(k) ⊕ f Kik[i] , (12) her random share of v = T(r22) = r22r11 − u.Note i=1 that P2 will not be able to decrypt any other message = where k is a log N-bit number, f (s) is a random number gen- E(T(i), ki )fori r22 as it requires the knowledge of P1’s erated by seed s,and⊕ denotes XOR. The entire encrypted secret key si. table is sent to the chooser. Since the chooser already knows = It is clear from the above procedure that OT can accomplish a Kix2[i] for i 1, 2, ...,log2N, she can use them to decrypt tablelookupsecuretobothP1 and P2. As the definition of the E(T(x2)) as follows: table is arbitrary, OT can support secure two-party computa- log N tion of any finite field function. Following similar procedures 2 T x = E T x ⊕ f K . (13) as in Section 3, the above construction can be extended using 2 2 ix2[i] i=1 standard zero-knowledge proof and verifiable secret-sharing scheme to handle malicious parties that do not follow the The same authors further improved the computation prescribed protocols [8, Chapter 7]. complexity of the 1-out-of-2 OT protocol in [10]. They showed that it is possible to use one exponentiation, the most complex operation in a public-key cipher, for any number of 5. RECENT ADVANCES simultaneous invocations of the 1-out-of-2 OT at the cost of increasing the communication overhead. Their public-key In Sections 3 and 4, we present the construction of general cipher is based on the assumed difficulty of the Decisional SMC protocols under the perfect security model and the Diffie-Hellman problem whose encryption process enables computational security model. While most of these results the sender to prepare all her encrypted messages with one are established in 1980s, SMC continues to be a very active re- exponentiation without any loss of secrecy. search area in cryptography and its applications begin to ap- An aspect that the above algorithms do not address is pear in many other disciplines. Recent advances focus on bet- the communication requirement of general CSMC protocols. ter understanding of the security strength of individual pro- There are three different facets to the communication prob- tocols and their composition, improving CSMC protocols in lem. First, our basic version of the 1-out-of-N OT protocol terms of their computation complexity [9, 10]andcommu- requires the sender to send N random keys and N encrypted nication cost [11–14], relating SMC to error-correcting cod- messages to the chooser. The random keys can be considered ing [15, 16], and introducing SMC to a variety of applica- as setup cost, provided that the sender changes her random tions [17–22]. The rigorous study of protocol security is be- share u and the chooser changes her key k in every invoca- yond the scope of this paper, and thus we will focus on the tion of the protocol. However, it seems necessary to send the remaining three topics. N encrypted messages every time as the messages depend on u. A closer examination reveals that all the chooser needs is 5.1. Reduction of computation complexity and one particular message that corresponds to her secret num- communication cost ber. The entire set of N messages is sent simply to obfuscate her choice from the sender. This subproblem of obfuscating a Both the computation complexity and communication cost selection from a public data collection is called private infor- of the 1-out-of-N OT protocol depend linearly on the size mation retrieval (PIR). PIR attracts much research interest N of the sender’s table that defines the function—it requires lately and is treated in Section 5.2.Itsuffices to know that O(N) invocations of a public-key cipher and O(N) messages there are techniques that can reduce the communication cost exchanged between the sender and the chooser. In many from O(N)toO(log N)[23]. practical applications, the value of N could be very large. The second facet involves the communication cost of the For example, computing a general function on 32-bit com- original unsecured implementation of the target function. puters requires a table of N= 232 or more than four billion The CSMC protocols in Section 4 provide a systematic pro- entries! This renders our basic version of OT hopelessly im- cedure to secure each addition and multiplication operation practical. Improving the computation efficiency and reduc- in the original implementation. However, not all operations 6 EURASIP Journal on Information Security need to be secured—local operations can be performed with- These two groups are related by a special bilinear map e : out any modification. As such, it is important to minimize G×G→G such that e(uα, vβ) = e(u, v)αβ for arbitrary u, v ∈ G the number of cross-party operations that need to be forti- and integers α, β.5 Furthermore, e(g, g)isageneratorforG fied with the OT protocol. Consider the following example: if g is a generator for G. The public keys for the cipher de- P1 and P2,eachwithn/2secretnumbers,wanttofindthe fined on G are a generator g and a random h = gαq2 for median of the entire set of n numbers. The best known unse- some α. The public keys for the cipher on G are g = e(g, g) cured algorithm to find the median requires O(n)compari- = = αq2 son operations. Tomake this algorithm secure, we can use the and h e(g, h) g . Given a message m, the sender 1-out-of- OT protocol to implement each comparison,4 re- generates a random integer r and computes the ciphertext N = m r ∈ sulting in communication requirement of O(n log N). This, C g h G. To decrypt this ciphertext, the receiver first however, is not the optimal solution—a distributed median- removes the random factor by raising C to the power of the finding algorithm requires much less communication [13]. private key q1: The idea is to have P1 and P2 first compared with their re- q m m q1 = m r 1 = q1 αq2rq1 = q1 spective local medians. The party with the the larger me- C g h g g g , (14) dian can then discard the half of the local data larger than the local median—the global median cannot be in this por- where we use the basic fact gq1q2 = gn = 1 from group theory. tion of the local data as the global median must be smaller Provided that the message space is small enough, the receiver than the larger of the two local medians. Following the same can then retrieve m by computing the discrete logarithm of logic, the other party can discard the smaller half of her lo- Cq1 base gq1 . The security of the cipher is based on the as- cal data. The two parties again compare their local medi- sumed hardness of the so-called subgroup decision problem ans of the remaining data until exhaustion. Notice that all of which we refer the readers to the original paper [14]. We the local computation can be done without invocations of now focus on the homomorphic properties of this scheme. = m1 r1 = m2 r2 OT. As a result, this algorithm only requires O(log n) cross- Given two ciphertext messages C1 g h and C2 g h , = m1+m2 r1+r2 party secure comparison and this results in a communi- it is easy to see that C1C2 g h which is the cipher- cation cost of O(log n log N), a significant reduction from text of message m1 + m2. For multiplication, we apply the · · the naive implementation. In fact, it has been shown that if bilinear map e( , )onC1 and C2: a communication-efficient unsecured implementation exists for a general function, we can always convert it into a secure e C , C = e gm1 hr1 , gm2 hr2 1 2 one without much increase in communication [12]. = e gm1+αq2r1 , gm2+αq2r2 The final facet of communication requirements has to do = m1m2+αq2(m1r2+m2r1+αq2r1r2) with the interactivity of the CSMC protocols. All the pro- e(g, g) (15) tocols introduced thus far require multiple rounds of com- = e(g, g)m1m2 e(g, h)m1r2+m2r1+αq2r1r2 munications between the parties. Such frequent interaction = m1m2 r is undesirable in many applications such as batch processing g h . in which one party needs to reuse many times the same secret information from another party, and asymmetric com- The last expression is clearly a ciphertext for m1m2.Unfortu- putation in which a low-complexity client wants to leverage nately, e(C1, C2)belongstoG,notinG. This means that one a sophisticated server to privately perform a complex com- cannot further combine this with other ciphertexts in G and putation. Earlier work in this area showed that one round of as such this scheme falls short of being a completely homo- message exchange is indeed possible for secure computation morphic encryption scheme. of any function [11]. However, the length of the replied message depends on the complexity of the implementation of the 5.2. Private information retrieval function. As a result, this requires the end receiver to devote much time in decoding the message even though the output Private information retrieval (PIR) protocols allow a party (a can be as small as a binary decision. This problem can be re- user) to select a record from a database owned by another solved using a doubly homomorphic public-key encryption party (a server) without the server knowing the selection of scheme in which arbitrary computation can be done on the the user. PIR is a step in OT as explained in Section 5.1.Un- encrypted data without size expansion. It is an open problem like OT, PIR does not prevent the sender from obtaining in- in cryptography on whether a doubly homomorphic encryp- formation about the collection beyond her choice. Due to its tion scheme exists. The closest scheme, which we will explain asymmetric protection, the paradigm of PIR is useful for pri- next, can support arbitrary numbers of additions and one vacy protection of ordinary citizens in using search engine, multiplication on encrypted data [14]. shopping at online stores, participating in public survey and The construction is based on two public-key ciphers de- electronic voting. As we have seen in Section 5.1, the sim- fined on two different finite cyclic groups G and G of the plest form of PIR is to send the entire database to the user. same size n = q1q2,whereq1 and q2 are large private primes. This imposes a communication cost in the order of the size

4 Secure comparison is also called the Secure Millionaire Problem, one of 5 An example of such construction is based on the modified Weil paring on the earliest problems studied in SMC literature [3]. the elliptic curve y2 = x3 + 1 defined over a finite field [14]. S.-C. S. Cheung and T. Nguyen 7 of the database. Recent advances in PIR protocols, however, user to inspect only a small fraction of C(x), say k n bits, show that the goal can be accomplished with a much smaller in order to fully recover a specific bit x[i]inx. Furthermore, communication overhead. each bit in C(x)canbeusedinak-bit subset to recover x[i]. The problem of PIR was first proposed in the seminal pa- As such, the knowledge of a particular bit in C(x) being used per by Chor et al. as follows [24]: the server has an n-bit bi- provides no information about which x[i] is being recovered. nary string x, and a user wants to know x[i], the ith bit of x, To see how LDC is used in PIR, we assume that each of the without the server knowing about i. The first important re- k servers has the same m-bit C(x) generated using an LDC sult shown in [24] is that, under the perfect security model, encoding function on the n-bit database x. In order to re- it is impossible to send less data than the trivial solution of trieve x[i], the user sends q1, q2, ..., qk ∈{1, 2, ..., m}, the sending the entire x to the user. On the other hand, if iden- locations of bits in C(x) needed to recover x[i], to each of tical databases are available at k ≥ 2 noncolluding servers, the k servers, respectively. Note that these locations depend then perfect security can be achieved with the communica- only on i and the particular LDC used. Upon receiving qj, 1/k tion cost of O(n ). Their results are based on the following the jth server simply replies with C(x)[qj]forj = 1, 2, ..., k. basic two-server scheme that allows a user to privately obtain After gathering all the k replies, the user can then run the de- x[i] by receiving a single bit from each of the two servers. Let coding algorithm to recover x[i]. Using this framework, the us denote communication cost of the PIR system is k(l +logm)with ⎧ klog m and kl corresponded to the user’s and server’s com- ⎨⎪S ∪{a},ifa ∈ S, munication costs, respectively. ⊗ = (16) In fact, the two-server basic scheme introduced earlier S a ⎩⎪ S \{a},ifa ∈ S. can be viewed as using the Hadamard code in the LDC framework. The Hadamard code H(x)ofann-bit message n n The user first randomly selects the indexes j ∈{1, 2, ...n} x has 2 bits. The kth bit of H(x)fork ∈{0, 1, ...,2 − 1} is with probability of 1/2 for each value of j, to form a set S. defined as follows: Next, the user computes S⊗i,wherei is the desired index. The n user then sends S to server one and S ⊗ i to server two. Upon H(x)[k] = x[j]k[j]. (17) receiving S, server one replies to the user with a single bit j=1 which is the result of XORing of all the bits in the positions specified by S. Similarly, server two replies to the user with To retrieve x[i] from the servers, the user first randomly picks ⊕ a single bit which is the result of XORing of all the bits in an n-bit number k, and then sends k to server one and k ei the positions specified by S ⊗ i. The user then computes x[i] to server two, where ei is an n-bit number with a single one ⊕ by XORing the two bits received from the two servers. This in the ith position. Upon receiving k and k ei,serversone ⊕ scheme works because every position j=i will appear twice— and two reply with H(x)[k]andH(x)[k ei], respectively. one in S and one in S⊗i, therefore the result from XORing of The user can then decode x[i] by computing all x[j]’s together will be 0. On the other hand, i appears only ( )[ ] ⊕ ( ) ⊕ once in either S or S ⊗ i, therefore the result of XORing of all H x k H x k ei n n x[j]’s and x[i]willbex[i]. Provided the two servers do not = ⊕ ⊕ ⊕ ∼ collude, every bit is equally likely to be selected by the user. In x[j]k[j] x[i]k[i] x[j]k[j] x[i] k[i] j=1,j=i j=1,j=i this scheme, each server sends one bit to the user but the user has to send an n-bit message6 to each server. Thus, the overall = x[i] k[i] ⊕∼k[i] = x[i]. communication cost is still O(n). With minor modification, (18) this basic scheme can be extended to reduce the number of bits sent by the user to O(n1/k)[24]. The symbol ∼ denotes negation. This scheme is almost Recently, an interesting connection is made between PIR equivalent to the scheme by Chor et al., except that the XOR and a special type of forward-error-correcting codes (FEC) of all possible selections of bits in x are already contained in called locally decodable codes (LDC) and it has created a the Hadamard code H(x). We mention again that the com- flurry of interest in the information theory community [16]. munication cost of this scheme is O(n) due to the exponen- FEC is used to combat transmission errors by adding redun- tial code length of the Hadamard code. Nevertheless, the pos- dancy to the transmitted data. Formally, the sender uses an sibility of using better error-correcting codes in the place of encoding function C(·) to map an n-bit message x to an m- the Hadamard code opens many opportunities for new PIR bit message C(x)withm>n, and then sends C(x)overa schemes. PIR schemes based on Reed-Solomon codes and noisy channel. Upon receiving a string y possibly different Reed-Muller codes can be found in [16]. The best published from C(x), a receiver attempts to recover x using a decoding result on PIR uses LDC to achieve a communication com- 10−7 algorithm D(C(x)). In the conventional FEC, it will takes at plexity of O(n ) with three noncolluding servers [25]. least O(n) complexity to recover an n-bit x since O(n)isre- All of the above constructions provide PIR under the per- quired just to record x. LDC, on the other hand, allows the fect security model. By making certain computational assumptions, PIR can also achieve sublinear communication complexity with only one database [23, 26]. We briefly re- 6 The message is simply an n-bit number with ones indicating the desired view the scheme in [26] as follows: it is based on the assumed bit. hardness of determining whether a number in a finite field 8 EURASIP Journal on Information Security

F is a quadratic residue, that is, without knowing the prime 250 factorization of the field size N,itisdifficult to compute the following predicate: 200 1ifu = v2 for some v ∈ F, 150 QR(u) = (19) 0 otherwise. 100 It is easy to see that QR(·) is homomorphic under multipli- = cation, that is, QR(xy) QR(x)QR(y). The basic principle 50 of using QR to retrieve x[i] is straightforward: the user sends the server n numbers y1, ..., yn ∈ F, all of them quadratic 0 residues except yi, that is, QF(yj ) = 1forj=i and QF(yi) = 0. The server then replies with m ∈ F computed as follows: −50 y if x[j] = 0, n = j −100 m Πj=1wj ,wherewj 2 = (20) yj if x[j] 1. −150 Since all yj ’s are quadratic residues except for yi,wehave 0 102030405060 QR(wj ) = 1forj=i and QR(wi) = x[i]. Combining the homomorphic property, we get the desired result QR(m) = Original signal QR(wi) = x[i]. This scheme, however, is very wasteful as the P1’s estimate user needs to send n log N bits. We can improve this by rear- P2’s astimate ranging x as an s × t matrix M with s = n(L−1)/L and t = n1/L for some integer L. Assume that x[i] is the entry at the ath Figure 2: Original signal and least-square estimates in secure inner row and the bth column of M. The user then sends the server product. yj ,forj = 1, 2, ..., t,allquadraticresiduesexceptforyb.The communication for this step is O(n1/L). Using these t numbers, the server carries a similar computation as (20)foreach While an algorithm in a typical data mining applica- row of M, resulting in mk for k = 1, 2, ..., s. Of all the mk’s, tion may need to handle millions of records on a daily ba- all the user needs is ma from the ath row because it is suffi- sis, a real-time signal processing algorithm needs to handle ffi cient to retrieve x[i]asQR(ma) = x[i]. Since each of the mk millions of samples within milliseconds. Very e cient algo- is a log N-bit number, this is equivalent to carrying out the rithms have recently been developed at the expense of pri- PIR procedure log N times—but this time the database size vacy. The pioneering work by Avidan and Moshe showed shrinks from n to s = n(L−1)/L. This observation allows the the feasibility of building a secure distributed face detector same procedure to be applied recursively with exponentially [20]. While keeping OT as the core, they provide an efficient decreasing communication cost. As a result, the communi- implementation based on the assumption that certain visual cation is dominated by the first step which is O(n1/L)andwe features used in the detector are noninvertible and for this can make L asbigaswewant.SubsequentworkbyCachin they do not leak important information about the images. et al. showed that the communication cost can be further re- Another noteworthy scheme is a collection of statistical duced to logarithmic complexity [23]. routines, developed in [18], that use linear subspace projection for privacy projection. We illustrate the idea with a sim- 5.3. Practical applications of SMC ple inner product computation. Assume that two parties, P1 and P2,haven-dimensional vectors x1 and x2,respectively. While the theoretical studies of SMC have advanced signif- They both know an invertible matrix M and its inverse M−1. icantly in recent years, developing practical applications us- M is broken down into top and bottom halves T ∈ Rn/2×n ing SMC has been slow. The data mining community is the and B ∈ R(n−n/2)×n, while M−1 into left and right halves ∈ Rn×n/2 ∈ Rn×(n−n/2) T first to introduce SMC into practical usage. The goal is to L and R . The inner product x1 x2 compute aggregate statistics over private data stored in dis- can then be decomposed as follows: tributed databases. Using the OT protocol as the core, dif- T = T −1 = T T ferent SMC protocols have been developed to construct lin- x1 x2 x1 M Mx2 x1 LTx2 + x1 RBx2. (21) ear algebra routines [27], median computation [13], deci- T T sion trees [17], neural network [19], and others. Even though P1 then sends x1 R to P2 who computes x1 RBx2 while P2 T these algorithms provide innovative implementations for sends P1Tx2 so that she can compute x1 LTx2. P2 can then many data mining schemes, their security relies on modular send his scalar to P1 or vice versa to obtain the final answer. arithmetic operations on very large integers which are com- They cannot recover each other’s data as the transmitted data T putationally intensive. In a recent study on PIR, the authors x1 R and Tx2 are all n/2-dimensional vectors. Using a ran- of [28] showed that even with the most advanced CPUs, the domly generated M and x1 = x2, Figure 2 shows the least modular arithmetic in the SMC protocol requires more time square estimates by both parties based on the received data. than simply sending the entire database through a typical Following a similar approach, we have also developed secure broadband connection. two-party routines for linear filtering [21] and thresholding S.-C. S. Cheung and T. Nguyen 9

[22]. Even though all of the above algorithms are computa- tomata, Languages and Programming, pp. 512–523, Geneva, tionally very efficient, they all leak private information to a Switzerland, July 2000. certain degree and thus may not be suitable for applications [12] M. Naor and K. Nissim, “Communication complexity and se- that demand the utmost privacy and security. cure function evaluation,” Electronic Colloquium on Computa- tional Complexity, vol. 8, no. 62, 2001. [13] G. Aggarwal, N. Mishra, and B. Pinkas, “Secure computation 6. CONCLUSIONS of the kth-ranked element,” in Proceedings of Advances in Cryp- tology International Conference on the Theory and Applications In this article, we have briefly reviewed the foundation of of Cryptographic Techniques (EUROCRYPT ’04), vol. 3027 of SMC protocols and some of the latest developments. As we Lecture Notes in Computer Science, pp. 40–55, 2004. do not assume any background in cryptography, we focus on [14] D. Boneh, E.-J. Goh, and K. Nissim, “Evaluating 2-DNF for- the intuition rather than the rigorous treatment of the sub- mulas on ciphertexts,” in Proceedings of Theory of Cryptogra- ject. Serious readers should consult the comprehensive text phy Conference 2005, vol. 3378 of Lecture Notes in Computer of [8] and the collection of papers at specialized bibliogra- Science, pp. 325–341, Cambridge, Mass, USA, February 2005. phy sites [29, 30]. As the demand for secure and privacy- [15] W. Gasarch, “A survey on private information retrieval,” The enhancing applications is rapidly growing, we believe that it Bulletin of the EATCS, vol. 82, pp. 72–107, 2004. is a great opportunity for researchers in diverse areas outside [16] L. Trevisan, “Some applications of coding theory in computa- of cryptography to understand the concepts of SMC and to tional complexity,” Quaderni di Matematica, vol. 13, pp. 347– develop practical SMC protocols for their respective applica- 424, 2004. tions. [17] Y. Lindell and B. Pinkas, “Privacy preserving data mining,” Journal of Cryptology, vol. 15, no. 3, pp. 177–206, 2003. [18]W.Du,Y.S.Han,andS.Chen,“Privacy-preservingmultivari- ACKNOWLEDGMENT ate statistical analysis: linear regression and classification,” in Proceedings of the 4th SIAM International Conference on Data The authors would like to thank the constructive comments Mining, pp. 222–233, Lake Buena Vista, Fla, USA, April 2004. from the anonymous reviewers. [19] Y.-C. Chang and C.-J. Lu, “Oblivious polynomial evaluation and oblivious neural learning,” Theoretical Computer Science, REFERENCES vol. 341, no. 1–3, pp. 39–54, 2005. [20] S. Avidan and M. Butman, “Blind vision,” in Proceedings of the [1] Trusted Computing Group, “TCG Specification Architecture 9th European Conference on Computer Vision, vol. 3953 LNCS Overview,” April 2004, https://www.trustedcomputinggroup of Lecture Notes in Computer Science, pp. 1–13, Graz, Austria, .org. May 2006. [2] R. Anderson, “Trusted Computing Frequently Asked Ques- [21] N. Hu and S.-C. Cheung, “Secure image filtering,” in Pro- tions,” August 2003, http://www.cl.cam.ac.uk/∼rja14/tcpa-faq ceedings of IEEE International Conference on Image Processing .html. (ICIP ’06), Atlanta, Ga, USA, October 2006. [3] A. C. Yao, “Protocols for secure computations,” in Proceedings [22] N. Hu and S.-C. Cheung, “A new security model for secure of the 23rd Annual IEEE Symposium on Foundations of Com- thresholding,” in Proceedings of IEEE International Conference puter Science, pp. 160–164, Chicago, Ill, USA, November 1982. on Acoustic, Speech and Signal Processing (ICASSP ’07),Hon- [4] Shamir, “How to share a secret,” Communications of the ACM, olulu, Hawaii, USA, April 2007. vol. 22, no. 11, pp. 612–613, 1979. [23] C. Cachin, S. Micali, and M. Stadler, “Computationally private [5]M.Ben-Or,S.Goldwasser,andA.Wigderson,“Complete- information retrieval with polylogarithmic communication,” ness thorems for non-cryptographic fault tolerant distributed in Proceedings of Advances in Cryptology: International Con- computation,” in Proceedings of the 20th ACM Symposium on ference on the Theory and Applications of Cryptographic Tech- the Theory of Computing, pp. 1–10, Chicago, Ill, USA, May niques (EUROCRYPT ’99), vol. 1592, pp. 402–414, 1999. 1988. [24] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private [6] T. Rabin and M. Ben-Or, “Verifiable secret sharing and multi- information retrieval,” in Proceedings of the Annual Symposium party protocols with honest majority,” in Proceedings of the 21st on Foundations of Computer Science, pp. 41–50, October 1995. Annual ACM Symposium on Theory of Computing, pp. 73–85, [25] S. Yekhanin, “New locally decodable codes and private infor- Seattle, Wash, USA, May 1989. mation retrieval schemes,” Tech. Rep. 127, Electronic Collo- [7] S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, quium on Computational Complexity, 2006. Massachusetts Institue of Technology, Cambridge, Mass, USA, [26] E. Kushilevitz and R. Ostrovsky, “Replication is not needed: 2001. single database, computationally-private information re- [8] O. Goldreich, Foundations of Cryptography: Volume II Basic trieval,” in Proceedings of the Annual Symposium on Founda- Applications, Cambridge University Press, Cambridge, Mass, tions of Computer Science, pp. 364–373, Miami Beach, Fla, USA, 2004. USA, 1997. [9] M. Naor and B. Pinkas, “Oblivious transfer and polynomial [27] R. Cramer and I. Damgaard, “Secure distributed linear algebra evaluation,” in Proceedings of the Annual ACM Symposium on in constant number of rounds,” in Proceedings of the 21st An- Theory of Computing, pp. 245–254, Atlanta, Ga, USA, 1999. nual IACR (CRYPTO ’01), vol. 2139 of Lecture Notes in Com- [10] M. Naor and B. Pinkas, “Efficient oblivious transfer proto- puter Science, pp. 119–136, Santa Barbara, Calif, USA, August cols,” in Proceedings of the SIAM Symposium on Discrete Algo- 2001. rithms (SODA ’01), pp. 448–457, Washington, DC, USA, 2001. [28] R. Sion and B. Carbunar, “On the computational practical- [11] C. Cachin, J. Camenisch, J. Kilian, and J. Muller, “One-round ity of prive information retrieval,” in Proceedings of the 14th secure computation and secure autonomous mobile agents,” ISOC Network and Distributed Systems Security Symposium, in Proceedings of the 27th International Colloquium on Au- San Diego, Calif, USA, February-March 2007. 10 EURASIP Journal on Information Security

[29] H. Lipmaa, “Oblivious Transfer or Private Information Re- trieval,” University College London, http://www.adastral.ucl .ac.uk/∼helger/crypto/link/protocols/oblivious.php. [30] K. Liu, “Privacy Preserving Data Mining Bibliography,” University of Maryland, Baltimore County, http://www.csee .umbc.edu/∼kunliu1/research/privacy review.html. Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 78943, 20 pages doi:10.1155/2007/78943

Review Article Protection and Retrieval of Encrypted Multimedia Content: When Cryptography Meets Signal Processing

Zekeriya Erkin,1 Alessandro Piva,2 Stefan Katzenbeisser,3 R. L. Lagendijk,1 Jamshid Shokrollahi,4 Gregory Neven,5 and Mauro Barni6

1 Electrical Engineering, Mathematics, and Computer Science Faculty, Delft University of Technology, 2628 CD, Delft, The Netherlands 2 Department of Electronics and Telecommunication, University of Florence, 50139 Florence, Italy 3 Information and System Security Group, Philips Research Europe, 5656 AE, Eindhoven, The Netherlands 4 Department of Electrical Engineering and Information Sciences, Ruhr-University Bochum, 44780 Bochum, Germany 5 Department of Electrical Engineering, Katholieke Universiteit Leuven, 3001 Leuven, Belgium 6 Department of Information Engineering, University of Siena, 53100 Siena, Italy

Correspondence should be addressed to Zekeriya Erkin, [email protected]

Received 3 October 2007; Revised 19 December 2007; Accepted 30 December 2007

Recommended by Fernando Perez-Gonz´ alez´

The processing and encryption of multimedia content are generally considered sequential and independent operations. In certain multimedia content processing scenarios, it is, however, desirable to carry out processing directly on encrypted signals. The field of secure signal processing poses significant challenges for both signal processing and cryptography research; only few ready-to-go fully integrated solutions are available. This study first concisely summarizes cryptographic primitives used in existing solutions to processing of encrypted signals, and discusses implications of the security requirements on these solutions. The study then continues to describe two domains in which secure signal processing has been taken up as a challenge, namely, analysis and retrieval of multimedia content, as well as multimedia content protection. In each domain, state-of-the-art algorithms are described. Finally, the study discusses the challenges and open issues in the field of secure signal processing.

Copyright © 2007 Zekeriya Erkin et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION In several application scenarios, however, it is desirable to carry out signal processing operations directly on encrypted In the past few years,the processing of encrypted signals has signals. Such an approach is called secure signal processing, en- emerged as a new and challenging research ﬁeld. The combi- crypted signal processing,orsignal processing in the encrypted nation of cryptographic techniques and signal processing is domain. For instance, given an encrypted image, can we cal- not new. So far, encryption was always considered as an add- culate the mean value of the encrypted image pixels? On the on after signal manipulations had taken place (see Figure 1). one hand, the relevance of carrying out such signal manipu- For instance, when encrypting compressed multimedia sig- lations, that is, the algorithm, directly on encrypted signals is nals such as audio, images, and video, ﬁrst the multimedia signals were compressed using state-of-the-art compres- entirely dependent on the security requirements of the appli- sion techniques, and next encryption of the compressed bit cation scenario under consideration. On the other hand, the stream using a symmetric cryptosystem took place. Conse- particular implementation of the signal processing algorithm quently, the bit stream must be decrypted before the multi- will be determined strongly by the possibilities and impossi- media signal can be decompressed. An example of this ap- bilities of the cryptosystem employed. Finally, it is very likely proach is JPSEC, the extension of the JPEG2000 image com- that new requirements for cryptosystems will emerge from pression standard. This standard adds selective encryption secure signal processing operations and applications. Hence, to JPEG2000 bit streams in order to provide secure scalable secure signal processing poses a joint challenge for both the streaming and secure transcoding [1]. signal processing and the cryptographic community. 2 EURASIP Journal on Information Security

Process Process x(n) Encrypt Channel Decrypt x(n) (compress) (decompress)

Figure 1: Separate processing and encryption of signals.

The security requirements of signal processing in en- encryption is carried out independently on individual signal crypted domains depends strongly on the considered appli- samples. As a consequence, individual signal samples can be cation. In this survey paper, we take an application-oriented identified in the encrypted version of the signal, allowing for view on secure signal processing and give an overview of pub- processing of encrypted signals on a sample-by-sample basis. lished applications in which the secure processing of signal If we represent a one-dimensional (e.g., audio) signal X that amplitudes plays an important role. In each application, we consists of M samples as show how signal processing algorithms and cryptosystems T are brought together. It is not the purpose of the paper to X = x1, x2, x3, ..., xM−1, xM ,(1) describe either the signal processing algorithms or the cryptosystems in great detail, but rather focus on possibilities, im- where xi is the amplitude of the ith signal sample, then the possibilities, and open issues in combining the two. The pa- encrypted version of X using key k is given as per includes many references to literature that contains more T elaborate signal processing algorithms and cryptosystem so- Ek(X) = Ek x1 , Ek x2 , Ek x3 , ..., Ek xM−1 , Ek xM . lutions for the given application scenario. It is also crucial (2) to state that the scenarios in this survey can be implemented more efficiently by using trusted third entities. However, it is Here the superscript “T” refers to vector transposition. Note not always easy to find trusted entities with high computa- that no explicit measures are taken to hide the temporal or tional power, and even if one is found, it is not certain that spatial structure of the signal, however, the use of sophisti- it can be applicable in these scenarios. Therefore, the trusted cated encryption schemes that are semantically secure (as the entities either do not exist or have little role in discussed sce- one in [2]) achieves this property automatically. narios in this paper. Secondly, only public key cryptosystems are used that In this paper, we will survey applications that directly ma- have particular homomorphic properties. The homomorphic nipulate encrypted signals. When scanning the literature on property that these public key cryptographic system provide secure signal processing, it becomes immediately clear that will be concisely discussed in Section 2.2.1. In simple terms, there are currently two categories under which the secure sig- the homomorphic property allows for carrying out additions nal processing applications and research can be roughly clas- or multiplications on signal amplitudes in the encrypted do- sified, namely, content retrieval and content protection. Al- main. Public key systems are based on the intractability of though the security objectives of these application categories some computationally complex problems, such as differ quite strongly, similar signal processing considerations (i) the discrete logarithm in finite field with a large and cryptographic approaches show up. The common cryp- (prime) number of elements (e.g., ElGamal cryptosys- tographic primitives are addressed in Section 2.Thissection tem [3]); also discusses the need for clearly identifying the security re- (ii) factoring large composite numbers (e.g., RSA cryp- quirements of the signal processing operations in a given sce- tosystem [4]); nario. As we will see, many of the approaches for secure sig- (iii) deciding if a number is an nth power in ZN for large nal processing are based on homomorphic encryption, zero- enough composite N (e.g., Paillier cryptosystem [2]). knowledge proof protocols, commitment schemes, and multiparty computation. We will also show that there is ample It is important to realize that public key cryptographic sys- room for alternative approaches to secure signal processing tems operate on very large algebraic structures. This means towards the end of Section 2. Section 3 surveys secure sig- that signal amplitudes xi that were originally represented in nal processing approaches that can be classified as “content 8-to-16 bits will require at least 512 or 1024 bits per signal retrieval,” among them secure clustering and recommenda- sample in their encrypted form Ek(xi). This data expansion tion problems. Section 4 discusses problems of content pro- is usually not emphasized in literature but this may be an tection, such as secure watermark embedding and detection. important hurdle for practical applicability of secure signal Finally, Section 5 concludes this survey paper on secure pro- processing solutions. In some cases, however, several signal tection and retrieval of encrypted multimedia content. samples can be packed into one encrypted value in order to reduce the size of the whole encrypted signal by a linear factor [5]. 2. ENCRYPTION MEETS SIGNAL PROCESSING A characteristic of signal amplitudes xi is that they are 2.1. Introduction usually within a limited range of values, due to the 8-to-16 bits amplitude representation format of sampled signals. If The capability to manipulate signals in their encrypted form a deterministic encryption scheme would be used, each sig- is largely thanks to two assumptions on the encryption nal amplitude would always give rise to the same encrypted strategies used in all applications discussed. In the first place, value, making it easy for an adversary to infer information Zekeriya Erkin et al. 3

Table 1: Some (probabilistic) encryption systems and their homomorphisms.

Encryption system f1(·, ·) f2(·, ·) Multiplicatively Homomorphic El-Gamal [3] Multiplication Multiplication Additively Homomorphic El-Gamal [13] Addition Multiplication Goldwasser-Micali [14] XOR Multiplication Benaloh [15] Addition Multiplication Naccache-Stern [16] Addition Multiplication Okamoto-Uchiyama [17] Addition Multiplication Paillier [2] Addition Multiplication Damgard-Jurik˚ [18] Addition Multiplication

about the signal. Consequently, probabilistic encryption has tion scenarios are built on the four cryptographic primitives to be used, where each encryption uses a randomization or discussed in Section 2.2, there is ample room for entirely dif- blinding factor such that even if two signal samples xi and xj ferent approaches to secure signal processing. have the same amplitude, their encrypted values Epk[xi]and ff Epk[xj ]willbedi erent. Here, pk refers to the public key used 2.2. Cryptographic primitives upon encrypting the signal amplitudes. Public key cryptosystems are constructed such that the decryption uses only the 2.2.1. Homomorphic cryptosystems private key sk, and that decryption does not need the value of the randomization factor used in the encryption phase. All Many signal processing operations are linear in nature. Lin- encryption schemes that achieve the desired strong notion of earity implies that multiplying and adding signal amplitudes semantic security are necessarily probabilistic. are important operations. At the heart of many signal pro- Cryptosystems operate on (positive) integer values on cessing operations, such as linear filters and correlation eval- finite algebraic structures. Although sampled signal ampli- uations, is the calculation of the inner product between two tudes are normally represented in 8-to-16 bits (integer) val- signals X and Y. If both signals (or segments of the signals) ues when they are stored, played, or displayed, intermediate contain M samples, then the inner product is defined as signal processing operations often involve noninteger signal ⎡ ⎤ y1 amplitudes. Work-arounds for noninteger signal amplitudes ⎢ ⎥ ⎢ y2 ⎥ M T ⎢ ⎥ may involve scaling signal amplitudes with constant factors X, Y=X Y = x1, x2, ..., x · ⎢ . ⎥ = x y . (3) M ⎣ . ⎦ i i (say factors of 10 to 1000), but the unavoidable successive . i=1 operations of rounding (quantization) and normalization by yM division pose significant challenges for being carried out on encrypted signal amplitudes. This operation can be carried out directly on an encrypted In Section 2.2, we first discuss four important cryp- signal X and plain text signal Y if the encryption system used tographic primitives that are used in many secure signal has the additive homomorphic property, as we will discuss processing applications, namely, homomorphic encryption, next. · zero-knowledge proof protocols, commitment schemes, and Formally, a “public key” encryption system Epk( ) and its · secure multiparty computation. In Section 2.3, we then con- decryption Dsk( ) are homomorphic if those two functions · sider the importance of scrutinizing the security require- are maps between the message group with an operation f1( ) · ments of the signal processing application. It is meaningless and the encrypted group with an operation f2( ), such that to speak about secure signal processing in a particular ap- if x and y are taken from the message space of the encryption plication if the security requirements are not specified. The scheme, we have security requirements as such will also determine the possi- f1(x, y) = Dsk f2 Epk(x), Epk(y) . (4) bility or impossibility of applying the cryptographic primitives. As we will illustrate by examples—and also in more For secure signal processing, multiplicative and additive ho- detail in the following sections—some application scenarios momorphisms are important. Table 1 gives an overview of simply cannot be made secure because of the inherent infor- encryption systems with additive or multiplicative homo- mation leakage by the signal processing operation because of morphism. Note that those homomorphic operations are ap- the limitations of the cryptographic primitives to be used, plied to a modular domain (i.e., either in a finite field or in a or because of constraints on the number of interactions be- ring ZN )—thus, both addition and multiplication are taken tween parties involved. Finally, in Section 2.4, we briefly dis- modulo some fixed value. For signal processing applications, cuss the combination of signal encryption and compression which usually require integer addition and multiplication, it using an approach quite different from the ones discussed in is thus essential to choose the message space of the encryp- Sections 3 and 4, namely, by exploiting the concept of coding tion scheme large enough so that overflows due to modular with side information. We discuss this approach here to em- arithmetic are avoided when operations on encrypted data phasize that although many of the currently existing applica- are performed. 4 EURASIP Journal on Information Security

Another important consideration is the representation of two vectors is encrypted. One takes the encrypted samples the individual signal samples. As encryption schemes usually Epk(xi), raises them to the power of yi, and multiplies all ob- operate in finite modular domains (and all messages to be tained values. Obviously, the resulting number itself is also in encrypted must be represented in this domain), a mapping is encrypted form. To carry out further useful signal processing required which quantizes real-valued signal amplitudes and operations on the encrypted result, for instance, to compare translates the signal samples of X into a vector of modular it to a threshold, another cryptographic primitive is needed, numbers. In addition to the requirement that the computa- namely, zero knowledge proof protocols, which is discussed tions must not overflow, special care must be taken to repre- in the next section. sent negative samples in a way which is compatible with the In this paper, we focus mainly on public-key encryption homomorphic operation offered by the cryptosystem. For schemes, as almost all homomorphic encryption schemes be- the latter problem, depending on the algebraic structure of long to this family. The notable exception is the one-time pad the cipher, one may either encode the negative value −x by (and derived stream ciphers), where messages taken from a the modular inverse x−1 in the underlying algebra of the mes- finite group are blinded by a sequence of uniformly random sage space or by avoiding negative numbers entirely by using group elements. Despite its computationally efficient encryp- a constant additive shift. tion and decryption processes, the application of a one-time In the context of the above inner product example, we pad usually raises serious problems with regard to key dis- require an additively homomorphic scheme (see Table 1). tribution and management. Nevertheless, it may be used to Hence, f1 is the addition, and f2 is a multiplication: temporarily blind intermediate values in larger communication protocols. Finally, it should be noted that some recent = · x + y Dsk Epk(x) Epk(y) ,(5)work in cryptography (like searchable encryption [6]and order-preserving encryption [7]) may also yield alternative or, equivalently, ways for the encryption of signal samples. However, these approaches have not yet been studied in the context of media E (x + y) = E (x) · E (y). (6) pk pk pk encryption. Note that the latter equation also implies that To conclude this section, we observe that directly computing the inner product of two encrypted signals is not pos- c Epk(c · x) = Epk(x) (7) sible since this would require a cryptographic system that has both multiplicative and additive (i.e., algebraic) homomor- for every integer constant c. Thus, every additively homo- phism. Recent proposals in that direction like [8, 9] were later morphic cryptosystem also allows to multiply an encrypted proven to be insecure [10, 11]. Therefore, no provably secure value with a constant available or known as clear text. cryptographic system with these properties is known to date. The Paillier cryptosystem [2] provides the required ho- The construction of an algebraic privacy homomorphism re- momorphism if both addition and multiplication are con- mains an open problem. Readers can refer to [12]formore sidered as modular. The encryption of a message m under a details on homomorphic cryptosystems. Paillier cryptosystem is defined as

m N 2 2.2.2. Zero-knowledge proof protocols Epk(m) = g r mod N ,(8) Zero-knowledge protocols are used to prove a certain state- = ∈ Z∗ where N pq, p and q are large prime number, g N2 is ment or condition to a verifier, without revealing any ∈ Z∗ a generator whose order is a multiple of N,andr N is a “knowledge” to the verifier except the fact that the assertion random number (blinding factor). We then easily see that is valid [19]. As a simple example, consider the case where the prover Peggy claims to have a way of factorizing large E (x)E (y) = gxrN g yrN mod N2 pk pk x y numbers. The verifier Victor will send her a large number = gx+y r r N mod N2 (9) and Peggy will send back the factors. Successful factorization x y of several large integers will decrease Victor’s doubt in the = Epk(x + y). truth of Peggy’s claim. At the same time Victor will learn “no knowledge of the actual factorization method.” Applying the additive homomorphic property of the Paillier Although simple, the example shows an important prop- encryption system, we can evaluate (3) under the assumption erty of zero-knowledge protocol proofs, namely, that they are that X is an encrypted signal and Y is a plain text signal: interactive in nature. The interaction should be such that with increasing number of “rounds,” the probability of an M M M yi adversary to successfully prove an invalid claim decreases EpkX, Y=Epk xi yi = Epk xi yi = Epk xi . i=1 i=1 i=1 significantly. On the other hand, noninteractive protocols (10) (based on the random oracle model) also do exist. A formal definition of interactive and noninteractive proof systems, Here, we implicitly assume that xi, yi are represented as inte- such as zero-knowledge protocols, falls outside the scope of gers in the message space of the Paillier cryptosystem, that is, this paper, but can be found, for instance, in [19]. xi, yi ∈ ZN .However,(10) essentially shows that it is possi- As an example for a commonly used zero-knowledge ble to compute an inner product directly in case one of the proof, consider the proof of knowing the discrete logarithm Zekeriya Erkin et al. 5 x of an element y to the base g in a finite field [20]. Hav- hiding due to the random blinding factor r; furthermore, it ing knowledge of discrete logarithm x is of interest in some is binding unless Alice is able to compute discrete logarithms. applications since if For use in signal processing applications, commitment schemes that are additively homomorphic are of specific x y = g mod p, (11) importance. As with homomorphic public key encryption schemes, knowledge of two commitments allows one to then given p (a large prime number), g,andy (the calcu- compute—without opening—a commitment of the sum lation of the logarithm x) are computationally infeasible. If of the two committed values. For example, the above- Peggy (the prover) claims she knows the answer (i.e., the mentioned Pedersen commitment satisfies this property: value of x), she can convince Victor (the verifier) of this given two commitments c = gm1 hr1 mod p and c = gm2 hr2 knowledge without revealing the value of x by the follow- 1 2 mod p of the numbers m and m , a commitment c = ing zero-knowledge protocol. Peggy picks a random number 1 2 gm1+m2 hr1+r2 mod p of m +m can be computed by multiply- r ∈ Z and computes t = gr mod p. She then sends t to Vic- 1 2 p ing the commitments: c = c c mod p. Note that the com- tor. He picks a random challenge c ∈ Z and sends this to 1 2 p mitment c can be opened by providing the values m + m Peggy. She computes s = r − cx mod p and sends this to Vic- 1 2 and r + r . Again, the homomorphic property only supports tor. He accepts Peggy’s knowledge of x if gs yc = t, since if 1 2 additions. However, there are situations where it is not possi- Peggy indeed used the correct logarithm x in calculating the ble to prove the relation by mere additive homomorphism value of s,wehave as in proving that a committed value is the square of the gs yc mod p = gr−cx gx c mod p = gr = t mod p. (12) value of another commitment. In such circumstances, zero- knowledge proofs can be used. In this case, the party which In literature, many different zero-knowledge proofs exist. possesses the opening information of the commitments com- We mention a number of them that are frequently used in putes a commitment of the desired result, hands it to the secure signal processing: other party, and proves in zero-knowledge that the commitment was actually computed in the correct manner. Among (i) proof that an encrypted number is nonnegative [21]; others, such zero-knowledge proofs exist for all polynomial (ii) proof that shows that an encrypted number lies in a relations between committed values [24]. certain interval [22]; (iii) proof that the prover knows the plaintext x corresponds to the encryption E(x)[23]; 2.2.4. Secure multiparty computation (iv) proofs that committed values (see Section 2.2.3)satisfy certain algebraic relations [24]. The goal of secure multiparty computation is to evaluate a public function f (x(1), x(2), ..., x(m)) based on the secret in- In zero-knowledge protocols, it is sometimes necessary for puts x(i), i = 1, 2, ..., m of m users, such that the users learn the prover to commit to a particular integer or bit value. nothing except their own input and the final result. A sim- Commitment schemes are discussed in the next section. ple example, called Yao’s Millionaire’s Problem, is the comparison of two (secret) numbers in order to determine if 2.2.3. Commitment schemes x(1) >x(2). In this case, the parties involved will only learn if their number is the largest, but nothing more than that. An integer or bit commitment scheme is a method that al- Thereisalargebodyofliteratureonsecuremultiparty lows Alice to commit to a value while keeping it hidden from computation; for example, it is known [26] that any (com- Bob, and while also preserving Alice’s ability to reveal the putable) function can be evaluated securely in the multi- committed value later to Bob. A useful way to visualize a party setting by using a general circuit-based construction. commitment scheme is to think of Alice as putting the value However, the general constructions usually require a large in a locked box, and giving the box to Bob. The value in the number of interactive rounds and a huge communication box is hidden from Bob, who cannot open the lock (without complexity. For practical applications in the field of dis- the help of Alice), but since Bob has the box, the value in- tributed voting, private bidding and auctions, and private inside cannot be changed by Alice; hence, Alice is “committed” formation retrieval, dedicated lightweight multiparty proto- to this value. At a later stage, Alice can “open” the box and cols have been developed. An example relevant to signal pro- reveal its content to Bob. cessing application is the multiparty computation known as Commitment schemes can be built in a variety of ways. Bitrep which finds the encryption of each bit in the binary As an example, we review a well-known commitment scheme representation of a number whose encryption under an ad- due to Pedersen [25]. We fix two large primes p and q such ditive homomorphic cryptosystem is given [27]. We refer the that q | (p − 1) and a generator g of the subgroup of order q reader to [28] for an extensive summary of secure multiparty of Z∗. Furthermore, we set h = ga mod p for some random p computations and to [29] for a brief introduction. secret a.Thevaluesp, q, g,andh are the public parameters of the commitment scheme. To commit to a value m,Alice chooses a random value r ∈ Zq and computes the commit- 2.3. Importance of security requirements ment c = gmhr mod p. To open the commitment, Alice sends m and r to Bob, who verifies that the commitment c received Although the cryptographic primitives that we discussed in previously indeed satisfies c = gmhr mod p. The scheme is the previous section are useful for building secure signal 6 EURASIP Journal on Information Security

processing solutions, it is important to realize that in each r E y = E h x − application the security requirements have to be made ex- pkB i pkB k i k k=0 plicit right from the start. Without wishing to turn to formal definition, we choose to motivate the importance of what to r = E h x − expect from secure signal processing with three simple yet il- pkB k i k (15) = lustrative two-party computation examples. k 0 The first simple example is the encryption of a (say au- r = xi−k dio) signal X that contains M samples. Due to the sample- EpkB hk . by-sample encryption strategy as shown in (2), the encrypted k=0 signal Epk(X) will also contain M encrypted values. Hence, Alice then sends the result to Bob, who decrypts to ob- the size M of the plain text signal cannot be hidden by the tain the output signal Y. In this solution, Bob learns approaches followed in secure signal processing surveyed in the output signal Y. this paper. (3) Alice and Bob engage in a formal multiparty proto- In the second example, we consider the linear filtering of col, where the function f (x1, x2, ..., xM, h0, h1, ..., hr ) the signal X. In an (FIR) linear filter, the relation between the is the convolution equation, Alice holds the signal val- input signal amplitudes X and output signal amplitudes Y is ues xi and Bob the impulse response hi as secret inputs. entirely determined by the impulse response (h0, h1, ..., hr ) Both parties will learn the resulting output signal Y. through the following convolution equation: Unfortunately, none of the above three solutions really pro- r vides a solution to the secure computation of a convolution due to inherent algorithm properties. For instance, in the first yi = h0xi + h1xi−1 + ···+ hr xi−r = hkxi−k. (13) k=0 setup, Alice could send Bob a signal that consists of all-zero values and a single “one” value (a so-called “impulse sig-

Let us assume that we wish to compute this convolution in nal”). After decrypting the result EpkA (yi) that she obtains a secure way. The first party, Alice, has the signal X and the from Bob, it is easy to see that Y is equal to (h0, h1, ..., hr ), second party, Bob, has the impulse response (h0, h1, ..., hr ). hence Bob’s impulse response is subsequently known to Al- Alice wishes to carry out the convolution (13) using Bob’s ice. Similar attacks can be formulated for the other two cases. linear filter. However, both Bob and Alice wish to keep secret In fact, even for an arbitrary input, both parties can learn the their data, that is, the impulse response and the input signal, other’s input by a well-known signal processing procedure respectively. Three different setups can now be envisioned. known as “deconvolution.” In conclusion, although in some cases there may be a need for the secure evaluation of convo- (1) Alice encrypts the signal X under an additive homo- lutions, the inherent properties of the algorithm make secure morphic cryptosystem and sends the encrypted signal computing in a two-party scenario meaningless. (Neverthe- to Bob. Bob then evaluates the convolution (13) on the less, the protocols have value if used as building blocks in a encrypted signal as follows: large application where the output signal Y is not revealed to the attacker.) r = The third and final example is to threshold a signal’s EpkA yi EpkA hkxi−k k=0 (weighted) mean value in a secure way. The (secure) mean value computation is equivalent to the (secure) computation r of the inner product of (3), with X the input signal and Y the = Epk h x − (14) A k i k weights that define how the mean value is calculated. In the k=0 most simple case, we have yi = 1foralli, but other defini- r hk tions are quite common. Let us assume that Alice wishes Bob = E x − . pkA i k to determine if the signal’s mean value is “critical,” for in- k=0 stance, above a certain threshold value Tc, without revealing X to Bob. Bob, on the other hand, does not want to reveal his Notice that the additive homomorphic property is expert knowledge, namely, the weights Y and the threshold used in the above equation and that, indeed, individ- . Two possible solutions to this secure decision problem ually encrypted signal samples should be available to Tc are the following. Bob. Also notice that the above evaluation is only possible if both X and (h0, h1, ..., hr ) are integer-valued, (i) Use secure multiparty computation, where the func- which is actually quite unlikely in practice. After com- tion f (x1, x2, ..., xM, y1, y2, ..., yM, Tc) is a combina- puting (14), Bob sends the result back to Alice who tion of the inner product and threshold comparison. decrypts the signal using her private key to obtain the Both parties will only learn if the mean value is critical result Y. In this setup, Bob does not learn the output or not. signal Y. (ii) Alice sends Bob the signal X under additively homo- (2) Bob encrypts his impulse response (h0, h1, ..., hr )un- morphic encryption. Bob securely evaluates the in- der a homomorphic cryptosystem and sends the result ner product using (10). After encrypting Tc using Al- to Alice. Alice then evaluates the convolution (13)us- ice’s public key, Bob computes the (encrypted version ing the encrypted impulse response as follows: of the) difference between the computed mean and Zekeriya Erkin et al. 7

Eavesdropper

Reconstructed Message source Joint decompression source Encryption Compression Public channel and decryption

Secure channel

Key

Figure 2: Compression of an encrypted signal from [30].

threshold Tc. Bob sends the result to Alice, who de- The concept of swapping the order of compression and encrypts the result using her secret key and checks if the cryption is illustrated in Figure 2. A signal from the message valueislargerorsmallerthanzero. source is first encrypted and then compressed. The compres- sor does not have access to the secret key used in the encryp- Although the operations performed are similar to the section. At the decoder, decompression and decryption are per- ond example, in this example the processing is secure since formed jointly. From classical information theory, it would Bob learns little about Alice’s signal and Alice will learn lit- seem that only minimal gain could be obtained as the en- tle about the Bob’s expert knowledge. In fact, in the first crypted signal has maximal entropy, that is, no redundancy implementation, the entire signal processing operation is is left after encryption. However, the decoder can use the ultimately condensed into a single bit of information; the cryptographic key to decode and decrypt the compressed and second implementation leaks more information, namely, the encrypted bit stream. This brings opportunities for efficient distance between the correlation value from the threshold. compression of encrypted signals based on principle of cod- In both cases, the result represents a high information ab- ing with side information. In [30], it was shown that neither straction level, which is insufficient for launching successful compression performance nor security need to be negatively signal processing-based attacks. In contrast, in the example impacted under some reasonable conditions. based on (13), the signal processing operation led to an enor- In source coding with side information, the signal X is mous amount of information—the entire output signal—to coded under the assumption that the decoder—but not the be available to either parties, making signal processing-based encoder—has statistically dependent information Y,called attacks quite easy. the side information, available. In conventional coding sce- As we will see in Sections 3 and 4, many of the two-party narios, the encoder would code the difference signal X − Y in secure signal processing problems eventually include an in- some efficient way, but in source coding with side informa- formation condensation step, such as (in the most extreme tion, this is impossible since we assume that Y is only known case) a binary decision. We postulate that for two-party lin- at the decoder. In the Slepian-Wolf coding theory [31], the ear signal processing operations in which the amount of plain crucial observation is that the side information Y is regarded text information after processing is in the same order of mag- as a degraded version of X. The degradations are modeled as nitude as before processing, no secure solutions exist purely “noise” on the “virtual channel” between X and Y. The signal based on the cryptographic primitives discussed in the previ- X can then be recovered from Y by the decoder if sufficient ous section, due to inherent properties of the signal process- error-correcting information is transmitted over the chan- ing problems and the related application scenario. For that nel. The required bit rate and amount of entropy are related reason, entirely other approaches to secure signal processing as R ≥ H(X | Y). This shows that, at least theoretically, there are also of interest. Although few results can be found in lit- is no loss in compression efficiency since the lower bound erature on approaches not using homomorphic encryption, H(X | Y) is identical to the scenario in which Y is available zero-knowledge proofs, and multiparty computation proto- at the encoder. Extension of the Slepian-Wolf theory exists cols, the approach discussed in the next section may well for lossy source coding [32]. In all practical cases of interests, show a possible direction for future developments. the information bits that are transmitted over the channel are parity bits or syndromes of channel coding methods such as 2.4. Compression of encrypted signals Hamming, Turbo or LDPC codes. In the scheme depicted in Figure 2, we have a similar sce- When transmitting signals that contain redundancy over an nario as in the above source coding with side information insecure and bandwidth-constrained channel, it is custom- case. If we consider the encrypted signal Ek(X) at the input of ary to first compress and then encrypt the signal. Using the the encoder, then we see that the decoder has the key k avail- principles of coding with side information, it is, however, also able, representing the “statistically dependent side informa- possible to interchange the order of (lossless) compression tion.” Hence, according to the Slepian-Wolf viewpoint, the and encryption, that is, to compress encrypted signals [30]. encrypted signal Ek(X) can be compressed to a rate that is 8 EURASIP Journal on Information Security the same as if the key k would be available during the source purposes ranging from medical researches to online person- encoding process, that is, R ≥ H(Ek(X) | k) = H(X). This alized applications. Sometimes, providers of these services clearly says that the (lossless) coding of the encrypted sig- may want to combine their data for research purposes. A nal Ek(X) should be possible with the same efficiency as the classical example is the one where two medical institutions (lossless) coding of X. Hence, using the side information key wish to perform joint research on the union of their pa- k, the decoder can recover first Ek(X) from the compressed tients data. Privacy issues are important in this scenario be- channel bit stream and subsequently decode Ek(X) into X. cause the institutions need to preserve their private data dur- A simple implementation of the above concept for a bi- ing their cooperation. Lindell and Pinkas [33]andAgrawal nary signal X uses a pseudorandomly generated key. The key and Srikant [34] proposed the notion of privacy preserving k is in this case a binary signal K of the same dimension M as data mining, meaning the possibility to perform data analysis the signal X. The encrypted signal is computed as follows: from distributed database, under some privacy constraints.

Ek(X) = X ⊕ K, Privacy preserving data mining [35–38] deals with mutual (16) untrusted parties that on the one hand wish to cooperate to = ⊕ = Ek xi xi ki, i 1, 2, ..., M. achieve a common goal but, on the other hand, are not willing to disclose their knowledge to each other. The encrypted signal Ek(X) is now input to a channel coding strategy, for instance, a Hamming coding. The strength There are several solutions that cope with exact matching of the Hamming code is dependent on the dependency be- of data in a secure way. However, it is more common in signal tween Ek(X) and the side information K at the decoder. processing to perform inexact matching, that is, learning the This strength obviously depends solely on the properties of distance between two signal values, rather than exact match- the original signal X. This does, however, require the mes- ing. Consider two signal values x1 and x2. Computing the sage source to inform the source encoder about the entropy distance between them or checking if the distance is within a H(X), which represents a small leak of information. The en- threshold is important: coder calculates parity check bits over binary vectors of some length L created by concatenating L bits of the encrypted x1 − x2 < . (18) signal Ek(X), and sends only these parity check bits to the receiver. The decoder recovers the encrypted signal by first ap- This comparison or fuzzy matching can be used in a vari- pending to K the parity check bits, and then error correcting ety of ways in signal processing. One example is quantizing the resulting bit pattern. The success of this error correction data which is of crucial importance for multimedia compres- step depends on the strength of the Hamming code, but as sion schemes. However, considering that these signal values mentioned, this strength has been chosen sufficiently with are encrypted—thus the ordering between them is totally de- ffi regards to the “errors” in K on the decoding side. Notice that stroyed, there is not any e cient way known to fuzzy com- in this particular setup the “errors” represent the bits of the pare two values. original signal X. If the error correction step is successful, In the following sections, we give a summary of tech- the decoder obtains Ek(X), from which the decryption can niques that focus on extracting some information from pro- straightforwardly take place: tected datasets. Selected studies mostly use homomorphic encryption, zero-knowledge proofs, and, sometimes, multi- = ⊕ X Ek(X) K, party computations. As we will see, most solutions still re- (17) quire substantial improvements in communication and com- xi = Ek xi ⊕ ki, i = 1, 2, ..., M. putation efficiency in order to make them applicable in prac- The above example is too simple for any practical sce- tice. Therefore, the last section addresses a different approach nario for a number of reasons. In the first place, it uses only that uses other means of preserving privacy to show that fur- ffi binary data, for instance, bit planes. More e cient coding ther research on combining signal processing and cryptogra- can be obtained if the dependencies between bit planes are phy may result in new approaches rather than using encryp- ff considered. This e ectively requires an extension of the bit tion schemes and protocols. plane coding and encryption approach to coding and encryption of symbol values. Secondly, the decoder lacks a model of the dependencies in X.SoftdecodersforTurboor 3.1. Clustering LDPC codes can exploit such message source models, yielding improved performance. Finally, the coding strategy is Clustering is a well-studied combinatorial problem in data lossless. For most continuous or multilevel message sources, mining [39]. It deals with finding a structure in a collection such as audio, images, and video, lossy compression is desir- of unlabeled data. One of the basic algorithms of cluster- able. ing is the K-means algorithm that partitions a dataset into K clusters with a minimum error. We review the K-means 3. ANALYSIS AND RETRIEVAL OF CONTENT algorithm and its necessary computations such as distance computation and finding the cluster centroid, and show that In the today’s society, huge quantities of personal data are cryptographic protocols can be used to provide user’s privacy gathered from people and stored in databases for various in clustering for certain scenarios. Zekeriya Erkin et al. 9

X Attribute names Cluster centers Data owned by Alice Objects Data owned by Bob Figure 3: Clustered dataset. Each object is a point in the 2- dimensional space. K-means clustering algorithm assigns each ob- Figure 4: Shared dataset on which K-means algorithm is run. ject to the cluster with the smallest distance.

In the following section, we describe a secure protocol that (1) select K random objects representing the K carries out secure K-means algorithm on protected data ob- initial centroid of the clusters. jects. (2) assign each object to the cluster with the nearest centroid. (3) recalculate the centroids for each cluster. 3.1.2. Secure K-means clustering algorithm (4) repeat step 2 and 3 until centroids do not change or a certain threshold achieved. Consider the scenario in which Alice and Bob want to apply the K-means algorithm on their joint datasets as shown in Figure 4, but at the same time they want to keep their own Algorithm 1: The K-means clustering algorithm dataset private. Jagannathan and Wright proposed a solution for this scenario in [40]. In the proposed method, both Alice and Bob get the fi- 3.1.1. K-means clustering algorithm nal output but the values computed in the intermediate steps are unknown to the both parties. Therefore, the intermediate The K-means clustering algorithm partitions a dataset D of values such as cluster centroids are uniformly shared between “objects” such as signal values or features thereof into K dis- Alice and Bob in such a way that for a value x, Alice gets a joint subsets, called clusters. Each cluster is represented by its random share a and Bob gets another random share b,where center which is the centroid of all objects in that subset. (a + b)modN = x and N is the size of the field in which all As shown in Algorithm 1, the K-means algorithm is an operations take place. Alice and Bob keep their private shares iterative procedure that refines the cluster centroids until a of the dataset secret. predefined condition is reached. The algorithm first chooses The secure K-means clustering algorithm is separated K random points as the cluster centroids in the dataset D into subprotocols where Alice and Bob computes the follow- and assigns the objects to the closest cluster centroid. Then, ings (Algorithm 2). the cluster centroid is recomputed with recently assigned objects. When the iterative procedure reaches the termination (i) Distance measurement and finding the closest cluster: the condition, each data object is assigned to the closest cluster distance between each object and cluster centroid is computed by running a secure scalar product proto- (Figure 3). Thus to carry out the K-means algorithm, the following quantities needs to be computed: col by Goethals et al. [41]. The closest cluster centroid is determined by running Yao’s circuit evaluation pro- (i) the cluster centroid, or the mean of the data objects in tocol [42] with the shared data of Alice and Bob. that cluster, (ii) New cluster centroid: the new cluster centroid requires (ii) the distance between an object and the cluster cen- to determine an average computation over shared val- troid, ues of Alice and Bob. This function of the form (a + (iii) the termination condition which is a distance mea- b)/(m+n) can be computed by applying Yao’s protocol surement compared to a threshold. where Alice knows a and m and Bob knows b and n. 10 EURASIP Journal on Information Security

of the encryption scheme as follows: Randomly select K objects from the dataset D as initial cluster centroids B B B A μj = A μj,1 A μj,M Randomly share the cluster centroid between Alice EpkA μj EpkA μj,1 , ..., EpkA μj,M . (22) and Bob repeat Then, multiplying the encrypted components gives the en- for all object dk in dataset D do crypted scalar product of Alice’s and Bob’s data Run the secure closest cluster protocol Assign to dk to the closest cluster M M B end for A B = A μj,k EpkA μj,kμj,k EpkA μj,k . (23) Alice and Bob computes the random shares for the new k=1 k=1 centroids of the clusters. until cluster centroids are close to each other with an error The computed distances between the objects and the cluster of . centroids can later be the input to the Yao’s circuit evaluation protocol [42] in which the closest cluster centroid is deter- Algorithm 2: Privacy preserving K-means clustering algorithm. mined. We refer readers to [41, 42] for further details on this part. Once the distances and the closest clusters to the objects are determined, each object is labeled with the nearest cluster (iii) Termination condition: the termination condition of index. At the end of each iteration, it is necessary to compute the algorithm is computed by running the Yao’s circuit the new cluster centroids. Alice computes the sum of the cor- evaluation protocol [42]. responding coordinates of all object sj and the number of = The squared distance between an object Xi (xi,1, ..., xi,M) objects nj within each of the K clusters for j,1≤ j ≤ M. and a cluster centroid μj is given by the following equation: As shown in Figure 4, Alice has only some of the attributes of the objects, thus she treats these missing values as zero. Bob 2 dist Xi, μj also applies the same procedure and determines the sum of 2 2 2 coordinates tj and the number of objects mj in the clusters. = xi,1 − μj,1 + xi,2 − μj,2 + ···+ xi,M − μj,M . Given sj , tj , nj ,andmj , the jth component of the ith cluster (19) is

Considering that the clusters centroids are shared between sj + tj μi,j = . (24) Alice and Bob, (19)canbewrittenas nj + mj 2 dist Xi, μj Since there are only four values, this equation can be computed efficiently by using Yao’s circuit evaluation protocol = − A B 2 ··· − A B 2 xi,1 μ ,1 + μ ,1 + + xi,M μ , + μ , , j j j M j M [42] with Alice’s shares sj and nj and Bob’s shares tj and mj . (20) In the last step of the K-means algorithm, the iteration is terminated if there is no further improvement between the A B where μj is Alice’s share and μj is Bob’s share such that the previous and current cluster centroids. In order to do that, a = A B jth-cluster centroid is μj μj +μj . Then, (20)canbewritten distance is computed between the previous and current clus- as ter centroids. This is done in the same way as computing distances between an object and a cluster centroid but in addi- M M M M 2 = 2 A 2 B 2 A B tion, this distance is compared to a threshold value .Con- dist Xi, μj xi,k + μj,k + μj,k +2 μj,kμj,k k=1 k=1 k=1 k=1 sidering that the cluster centroids are shared between Alice and Bob, the result of the computation of the squared dis- M M tance of cluster centroids for the kth and (k +1)thiterations − 2 μA x − 2 x μB . j,k i,k i,k j,k is again random shares for Alice and Bob: k=1 k=1 (21) 2 A,k+1 B,k+1 A,k B,k = dist μj + μj , μj + μj αj + βj , (25) Equation (21) can be computed by Alice and Bob jointly. As the first term of the equation is shared between them, Al- where α and β are the shares of Alice and Bob. Alice and ice computes the sum of components of her share while Bob Bob then apply Yao’s protocol on their K-length vectors computes the rest of the components. The second term and (α1, ..., αK )and(β1, ..., βK )tocheckifαj + βj < for third term can be computed by Alice and Bob individually, 1 ≤ j ≤ K. and the rest of the terms are computed by running a secure scalar product protocol between Alice and Bob, much similar 3.2. Recommender systems to the evaluation of (3) via the secure form of (10). Alice first A = A A encrypts her data EpkA (μj ) (EpkA (μj,1), ..., EpkA (μj,M)) and Recommender services play an important role in applica- sends it to Bob who computes the scalar product of this data tions like e-commerce and direct recommendations for mul- with his own by using the additive homomorphic property timedia contents. These services attempt to predict items that Zekeriya Erkin et al. 11 a user may be interested in by implementing a signal process- erence matrix P singular value decomposition (SVD) is an ing algorithm known as collaborative filtering on user prefer- option. The SVD allows P to be written as ences to find similar users that share the same taste (likes or dislikes). Once similar users are found, this information can P = UDVT , (26) be used in variety ways such as recommending restaurants, hotels, books, audio, and video. where the columns of U are the left singular vectors, D is a Recommender systems store user data, also known as diagonal matrix containing the singular values, and VT has preferences, in servers, and the collaborative filtering algo- rows that are the right singular vectors. rithms work on these stored preferences to generate recom- Once the SVD of the preference matrix P is computed, mendations. The amount of data collected from each user an approximation matrix in a lower-dimension subspace can directly affects the accuracy of the predictions. There are two be computed easily. Computing the SVD on P that contains concerns in collecting information from the users in such encrypted user preferences is, however, more complicated. systems. First, in an ordinary system they are in the order of Computing the decomposition of the users’ preference thousands items, so that it is not realistic for the users to rate matrix requires sums of products of vectors. If the preference all of them. Second, users would not like to reveal too much vector of each user is encrypted, there is no efficient way of privacy sensitive information that can be used to track them. computing sums of products of vectors since this would re- The first problem, also known as the sparseness problem quire an algebraic homomorphic cryptosystem. Using secure in datasets, is addressed for collaborative filtering algorithms multiparty computation protocols on this complex function in [43–45]. The second problem on user privacy is of interest is costly considering the size of the circuit necessary for the to this survey paper since users tend to not give more infor- complex operation. mation about themselves for privacy concerns and yet they Instead of straightforward computation of SVD, Canny expect more accurate recommendations that fit their taste. [46] proposed to use an iterative approximation algorithm This tradeoff between privacy and accuracy leads us to an to obtain a partial decomposition of the user preference ma- entirely new perspective on recommender systems. Namely, trix. The conjugate gradient algorithm is an iterative pro- how can privacy of the users be protected in recommender cedure consisting merely of additions of vectors which can systems without loosing too much accuracy? be done under homomorphically encrypted user preference We describe two solutions that address the problem of vectors. Each iteration in the protocol has two steps, that is, preserving privacy of users in recommender systems. In the users compute (1) their contribution to the current gradient first approach, user privacy is protected by means of encryp- and (2) scalar quantities for the optimization of the gradi- tion and the recommendations are still generated by pro- ent. Both steps require only additions of vectors thus we only cessing these encrypted preference values. In the second ap- explain the first step. proach, protecting the privacy of the users is possible without For the first step of the iterations, each user computes his encryption but by means of perturbation of user preference contribution Gk to the current gradient G by the following data. equation: = T − T Gk AXk Xk I A A , (27) 3.2.1. Recommendations by partial SVD on encrypted preferences where matrix A is the approximation of the preference matrix P and it is initialized as a random matrix before the pro- Canny [46] addresses the user privacy problem in recom- tocol starts. Each user encrypts his own gradient vector Gk mender systems and proposes to encrypt user preferences. with the public key of the user group by following the Peder- Assume that the recommender system applies a collaborative sen’s threshold scheme [47] that uses El Gamal cryptosystem filtering algorithm on a matrix P of users versus item ratings. which is modified to be additively homomorphic. All con- Each row of this matrix represents the corresponding user’s tributions from the users are then added up to form the en- taste for the corresponding items. Canny proposes to use a crypted gradient Epk(G) by using the additive homomorphic collaborative filtering algorithm based on dimension reduc- property of the cryptosystem: tion of P. In this way, an approximation matrix of the original preference matrix is obtained in a lower dimension that Epk(G) = Epk Gk = Epk Gk . (28) best represents the user taste for the overall system. When a k∈users k∈users new user enters the system, the recommendations are generated by simply reprojecting the user preference vector, which This resulting vector Epk(G) is then jointly decrypted and has many unrated items, over the approximation matrix. As a used to update the approximated matrix A which is publicly result, a new vector will be obtained which contains approx- known and used to compute the new gradient for the next imated values for the unrated items [43, 46]. iteration. The ratings in recommender systems are usually integer Although the protocol is based on addition of vectors, numbers within a small range and items that are not rated are zero-knowledge proof protocols play an important role. The usually assigned to zero. To protect the privacy of the users, validity of the user inputs, that is, the encrypted preference the user preferences vector X = [x1, x2, ..., xM]isencrypted vector elements lie in a certain range, are verified by zero- individually as Epk(X). To reduce the dimension of the pref- knowledge proofs. Moreover, the partial encryption results 12 EURASIP Journal on Information Security

Collaborative filtering Since R andS are independent and independent of X and M ≈ M ≈ M ≈ Y,wehave k=1xksk 0, k=1rk yk 0, and k=1rksk 0. Similarly, the sum of the elements of any vector A can be esti- Central database mated from its randomized form A . Polat and Du used these two approximations to develop a privacy-preserving collaborative filtering method [49, 50]. This method works if the number of users in the system is Data disguising significantly large. Only then the computations based on ag- ffi User1 User2 UserN gregated data can still be computed with su cient accuracy. Moreover, it is also pointed out in [51, 52] that the idea of Disguised data preserving privacy by adding random noise might not pre- Original data serve privacy as much as it had been believed originally. The user data can be reconstructed from the randomly perturbed Figure 5: Privacy preserving collaborative filtering with user pref- user data matrix. The main limitation in the original work of erence perturbation. Polat and Du is shown to be the item-invariant perturbation [53]. Therefore, Zhang et al. [53] propose a two-way communication perturbation scheme for collaborative filtering from the users are also proved valid by running a zero- in which the server and the user communicates to determine knowledge proof protocol. Both group of zero-knowledge perturbation guidance that is used to blind user data before proofs are checked by a subgroup of users of whose major- sending to the server. Notwithstanding these approaches, the ity is necessary for the validation. security of such schemes based on perturbation of data is not ff Canny [48] also applies this approach to a di erent well understood. collaborative filtering method, namely, expectation maxi- mization- (EM-) based factor analysis. Again this algorithm involves simple iterative operations that can be implemented 4. CONTENT PROTECTION by vector additions. In both recommender system solutions, 4.1. Watermarking of content multiple iterations are necessary for the algorithm to con- verge and in each iteration, users need to participate in the In the past decade, content protection measures have been cryptographic computations as in joint decryption and zero- proposed based on digital watermarking technology. Digi- knowledge proofs for input validation. These computations tal watermarking [54, 55] allows hiding into a digital con- are interactive and thus, it is imperative for the users to be tent information that can be detected or extracted at a later online and synchronized. moment in time by means of signal processing operations such as correlation. In this way, digital watermarking pro- 3.2.2. Randomized perturbation to protect preferences vides a communication channel multiplexed into original content through which it is possible to transmit informa- Previous section showed that homomorphic cryptosystems, tion. The type of information transmitted from sender to re- zero-knowledge proof protocols, and secure multiparty com- ceiver depends on the application at hand. As an example, in putations play an important role in providing solutions for a forensic tracing application, a watermark is used to embed processing encrypted data. However, there are other ways to a unique code into each copy of the content to be distributed, preserve privacy. In the following, we discuss preserving pri- where the code links a copy either to a particular user or to vacy in recommender systems by perturbation of user data. a specific device. When unauthorized published content is Randomized perturbation technique was first intro- found, the watermark allows to trace the user who has redis- duced in privacy-preserved data-mining by Agrawal and tributed the content. Srikant [34]. Polat and Du [49, 50] proposed to use this Secure signal processing needs to be performed in case randomization-based technique in collaborative filtering. watermark detection or embedding is done in untrusted de- The user privacy is protected by simply randomizing user vices; watermarking schemes usually rely on a symmetric key data while certain computations on aggregate data can still for both embedding and detection, which is critical to both be done. Then, the server generates recommendations based the robustness and security of the watermark and thus needs on the blinded data but can not derive the user’s private in- to be protected. formation (Figure 5). For the application of secure signal processing in con- Consider the scalar product of two vectors X and Y. tent protection, three categories can be identified, namely, = = ThesevectorsareblindedbyR [r1, ..., rM]andS [s1, distribution models, customer rights protection, and secure = = ..., sM] such that X X + R and Y Y + S.Hereri’s and watermark detection. The first two categories are relevant to si’s are uniformly distributed random values with zero mean. forensic tracing (fingerprinting) applications. In classical dis- The scalar product of X and Y can be estimated from X and tribution models, the watermark embedding process is car- Y : ried out by a trusted server before releasing the content to the M M user. However this approach is not scalable, and in large-scale

X · Y = xk yk + xksk + rk yk + rksk ≈ xk yk. (29) distribution systems, the server may become overloaded. In k=1 k=1 addition, since point-to-point communication channels are Zekeriya Erkin et al. 13

X b Embedder Xw Channel X Detector/decoder b Yes/no

sk Attacks X sk manipulations

Figure 6: A digital watermarking model.

required, bandwidth requirements become prohibitive. A bution and use. As a result, the watermarked content Xw is proposed solution is to use client-side watermark embed- modified into the “received” version X .BasedonX , either ding. Since the client is untrusted, the watermark needs to a detector verifies the presence of a specific message given to be embedded without the client having access to the original it as input, thus only answering yes or no, or a decoder reads content and watermark. the (binary) information conveyed by the watermark. Detec- The customer’s rights problem relates to the intrinsic tors and decoders may need to know the original content X problem of ambiguity when watermarks are embedded at the in order to retrieve the hidden information (non-blind de- distribution server: a customer whose watermark has been tector/decoder), or they do not require the original content foundonunauthorizedcopiescanclaimthathehasbeen (blind or oblivious detector/decoder). framed by a malicious seller who inserted his identity as watermark in an arbitrary object. The mere existence of this 4.1.2. Watermarking algorithm problem may discredit the accuracy of the forensic tracing architecture. Buyer-seller protocols have been designed to Watermark information is embedded into host signals by embed a watermark based on the encrypted identity of the making imperceptual modifications to the host signal. The buyer, making sure that the watermarked copy is available modifications are such that they convey the to-be-hidden in- only to the buyer and not to the seller. formation B. The hidden information can be retrieved after- In the watermark detection process, a system has to prove wards from the modified content by detecting the presence to a verifier that a watermark is present in certain content. of these modifications. Embedding is achieved by modifying Proving the presence of such a watermark is usually done the set of features X = [x1, x2, ..., xM]. In the most simple by revealing the required detection information to the ver- case, the features are simple signal amplitudes. In more com- ifying party. All current applications assume that the verifier plicated scenarios, the features can be DCT or wavelet coeffi- is a trusted party. However, this is not always true, for in- cients. Several watermarking schemes make use of a spread- stance, if the prover is a consumer device. A cheating veri- spectrum approach to code the to-be-hidden information B fier could exploit the knowledge acquired during watermark into W = [w1, w2, ..., wM]. Typically, W is a realization of a detection to break the security of the watermarking system. normally distributed random signal with zero mean and unit Cryptographic protocols, utilizing zero-knowledge proofs, variance. have been constructed in order to mitigate this problem. The most well-known spread-spectrum techniques was We will first introduce a general digital watermarking proposed by Cox et al. [56]. The host signal is first trans- model to define the notation that will be useful in the formed into a discrete cosine transform (DCT) representa- remainder of the section. An example of a watermarking tion. Next the largest magnitude DCT coefficients are se- scheme is proposed, namely, the one proposed by Cox et al. lected, obtaining the set of features X. The multiplicative wa- [56] since this scheme is adopted in many of the content pro- termark embedding rule is defined as follows: tection applications. xw,i = xi + γwixi = xi 1+γwi , (30) 4.1.1. Watermarking model where xw,i is the ith component of the watermarked feature vector and γ is a scaling factor controlling the watermark Figure 6 shows a common model for a digital watermark- strength. Finally, an inverse DCT transform yields the wa- ing system [57]. The inputs of the system are the original termarked signal X . host signal X and some application dependent to-be-hidden w To determine if a given signal Y contains the watermark information, here represented as a binary string B = [b , 1 W, the decoder computes the DCT of Y, extracts the set X of b , ..., b ], with b taking values in {0, 1}. The embedder in- 2 L i largest DCT coefficients, and then computes the correlation serts the watermark code B into the host signal to produce ρ between the features X and the watermark W. If the a watermarked signal X , usually making use of a secret key X W w correlation is larger than a threshold T, that is, sk to control some parameters of the embedding process and allow the recovery of the watermark only to authorized users. X , W ρ = ≥ T, (31) The watermark channel takes into account all processing X W X , X operations and (intentional or non-intentional) manipulations the watermarked content may undergo during distri- the watermark is considered present in Y. 14 EURASIP Journal on Information Security

4.2. Client-side watermark embedding sk sk Client-side watermark embedding systems transmit the same encrypted version of the original content to all the clients but a client-specific decryption key allows to decrypt the content W Enc LUT k Dec LUT and at the same time implicitly embed a watermark. When the client uses his key to decrypt the content, he obtains a uniquely watermarked version of the content. The security X Encryption X Decryption XW properties of the embedding scheme usually guarantees that obtaining either the watermark or the original content in the Server Clientk clear is of comparable hardness as removing the watermark Figure 7: Encryption and following joint decryption and water- from the personalized copy. marking procedure proposed in [65]. In literature, several approaches for secure embedding can be found. In [58], a pseudorandom mask is blended over each frame of a video. Each client is given a different mask, Chameleon, suitable for embedding robust spread-spectrum which, when subtracted from the masked broadcast video, watermarks. The schemes operate on LUTs composed of in- leaves an additive watermark in the content. The scheme is tegers from Z and replace the XOR operation by a (modu- not very secure because since the same mask is used for all p lar) addition. frames of a video, it can be estimated by averaging attacks. In more detail, the secure embedding solution works as In broadcast environments, stream switching [59, 60] follows. The distribution server generates a long-term mas- can be performed. Two differently watermarked signals are ter encryption LUT E of size L, whose entries properlygener- chopped up into small chunks. Each chunk is encrypted by ated random samples; E will be used to encrypt the content adifferent key. Clients are given a different set of decryp- to be distributed to the clients. Next, for the kth client, the tion keys that allow them to selectively decrypt chunks of the server generates a personalized watermark LUT Wk accord- two broadcast streams such that each client obtains the full ing to a desired probability distribution, and builds a person- stream decrypted. The way the full stream is composed out alized decryption LUT Dk by combining the master LUT and of the two broadcast versions encodes the watermark. This the watermark LUT: solution consumes considerable bandwidth, since the data to be broadcast to the clients is twice as large as the content it- Dk[i] =−E[i]+Wk[i]. (32) self. A second solution involves partial encryption, for in- The personalized LUTs are then transmitted once to each ffi stance, encrypting the signs of DCT coe cients of a signal client over a secure channel. Let us note that the generation ffi [61]. Since the sign bits of DCT coe cients are perceptu- of the LUTs is carried out just once at the setup of the ap- ally significant, the partially encrypted version of the signal plication. A content X is encrypted by adding to it a pseu- is heavily distorted. During decryption, each user has a dif- dorandom sequence obtained by selecting some entries of ffi ferent key that decrypts only a subset of these coe cients, so the LUT with a secure pseudorandom sequence generator that some signs are left unchanged. This leaves a detectable driven by a session key sk. Each client receives the encrypted fingerprint in the signal. A similar approach was used in [62] content X along with the session key sk and decrypts it us- to obtain partial encryption-based secure embedding solu- ing some entries of his/her personalized decryption LUT Dk tions for audiovisual content. (again chosen according to sk), with the final effect that a A third approach is represented by methods using a spread-spectrum watermark sequence is embedded into the stream-cipher that allows the use of multiple decryption decrypted content. This process is summarized in Figure 7. keys, which decrypt the same cipher text to slightly differ- In detail, driven by the session key sk, a set of indices tij is ent plain-texts. Again, the difference between the original generated, where 0 ≤ i ≤ M−1, 0 ≤ j ≤ S−1, 0 ≤ tij ≤ L−1. and the decrypted content represents the embedded water- Each feature of the content xi is encrypted by adding S entries mark. The first scheme following this approach was proof the encryption LUT, obtaining the encrypted feature xi as posed by Anderson and Manifavans [63] who designed a follows: special stream cipher, called Chameleon, which allows to decrypt Chameleon-encrypted content in slightly different S−1 = ways. During encryption, a key and a secure index generator xi xi + E tij . (33) are used to generate a sequence of indices, which are used to j=0 select four entries from a look-up-table (LUT). These entries Joint decryption and watermarking is accomplished by re- are XORed with the plaintext to form a word of the cipher constructing with the session key sk the same set of indices text. The decryption process is identical to encryption except tij and by adding S entries of the decryption LUT to each en- for the use of a decryption LUT, which is obtained by prop- crypted feature x : erly inserting bit errors in some entries of the encryption i LUT. Decryption superimposes these errors onto the con- S−1 S−1 tent, thus leaving a unique watermark. Recently, Adelsbach = = = xw,i xi + D tij xi + W tij xi + wi. (34) et al. [64] and Celik et al. [65] proposed generalizations of j=0 j=0 Zekeriya Erkin et al. 15

4.3. Buyer seller protocols σ(W) are embedded. Note that Bob cannot read the watermark σ(W), since he does not know the permutation σ.The Forensic tracing architectures which perform watermark em- scheme is represented in Figure 8. bedding at the distribution server are vulnerable against a In order to recover the identity of potential copyright dishonest seller. The mere fact that a seller may fool a buyer violators, Alice first looks for the presence of V.Uponde- may have an impact on the credibility of the whole tracing tectionofanunauthorizedcopyofX,sayY, she can use system. (Note that a seller may in fact have an incentive to the second watermark to effectively prove that the copy is fool a buyer: a seller who acts as an authorized reselling agent originated from Bob. To do so, Alice must reveal to judge may be interested in distributing many copies of a work con- the permutation σ, the encrypted watermark Epk (W)and taining the fingerprint of a single buyer to avoid paying the B SWCA (Epk (W)). After verifying SWCA (Epk (W)), the judge royalties to the author by claiming that such copies were ille- B B asks Bob to use his private key skB to compute and reveal gally distributed or sold by the buyer.) W. Now it is possible to check Y for the presence of σ(W): A possible solution consists in resorting to a trusted third if such a presence is verified, then Bob is judged guilty, oth- party, responsible for both embedding and detection of wa- erwise, Bob’s innocence has been proven. Note that if σ(W) termarks; however, such an approach is not feasible in prac- is found in Y, Bob cannot state that Y originated from Alice tical applications because the TTP could easily become a bot- since to do so Alice should have known either W to insert it tleneck for the whole system. The Buyer-Seller Protocol relies within the plain asset X,orskB to decrypt EpkB (X ) after the on cryptographic primitives to perform watermark embed- watermark was embedded in the encrypted domain. ding [66]; the protocol assures that the seller does not have As a particular implementation of the protocol, [66]pro- access to the watermarked copy carrying the identity of the posed to use Cox’s watermarking scheme and a multiplica- buyer, hence he cannot distribute or sell these copies. In spite tively homomorphic cipher (despite its deterministic nature, of this, the seller can identify the buyer from whom unau- authors use RSA). More secure and less complex implemen- thorized copies originated, and prove it by using a proper tations of the Buyer Seller Protocol have been proposed in dispute resolution protocol. [67–70]. We describe the protocol by Memon and Wong [66]in more detail. Let Alice be the seller, Bob the buyer, and WCA a 4.4. Secure watermark detection trusted watermark certification authority in charge of generating legal watermarks and sending them to any buyer upon To tackle the problem of watermark detection in the pres- request. The protocol uses a public key cryptosystem which ence of an untrusted verifier (to whom the watermark se- is homomorphic with respect to the operation used in the crets cannot be disclosed), two approaches have been pro- watermark embedding equation (i.e., the cryptosystem will posed: one approach called asymmetric watermarking [71, be multiplicatively homomorphic if watermark embedding 72] uses different keys for watermark embedding and detec- is multiplicative, like in Cox’s scheme); moreover, Alice and tion. Whereas a watermark is embedded using a private key, Bob possess a pair of public/private keys denoted by pkA,pkB its presence can be detected by a public key. In such schemes, (public keys) and skA,skB (private keys). the knowledge of the public detection key must not enable In the first part of the protocol, on request of Bob, the an adversary to remove the embedded watermark; unfortu- WCA generates a valid watermark signal W and sends it back nately, none of the proposed schemes is sufficiently robust to Bob, encrypted with Bob’s public key EpkB (W), along with against malicious attacks [73]. Another approach is repre- its digital signature SWCA (EpkB (W)), to prove that the water- sented by zero-knowledge watermark detection. mark is valid. Zero-knowledge watermark detection (ZKWD) uses a Next, Bob sends to Alice EpkB (W)andSWCA (EpkB (W)), cryptographic protocol to wrap a standard symmetric wa- so that Alice can verify that the encrypted watermark has termark detection process. In general, a zero-knowledge wa- been generated by the WCA. Alice performs two watermark termark detection algorithm is an interactive proof system embedding operations. First, she embeds (with any water- where a prover tries to convince a verifier that a digital con- marking scheme) into the original content X awatermark tent X is watermarked with a given watermark B without V, which just conveys a distinct ID univocally identifying the disclosing B. In contrast to the standard watermark detector, transaction, obtaining the watermarked content X . Next, a in ZKWD the verifier is given only properly encoded (or en- second watermark is built by using EpkB (W): Alice permutes crypted) versions of security-critical watermark parameters. the watermark components through a secret permutation σ: Depending on the particular protocol, the watermark code, the watermarked object, a watermark key, or even the origi- σ Epk (W) = Epk σ(W) , (35) B B nal unmarked object is available in an encrypted form to the and inserts EpkB (σ(W)) in X directly in the encrypted do- verifier. The prover runs the zero-knowledge watermark de- main, obtaining the final watermarked content X in en- tector to demonstrate to the verifier that the encoded water- crypted form; X is thus unknown to her. This is possible mark is present in the object in question, without removing due to the homomorphic property of the cipher: the encoding. A protocol run will not leak any information E (X ) = E (X ) · E σ(W) . (36) except for the unencoded inputs and the watermark presence pkB pkB pkB detection result.

When Bob receives EpkB (X ), he decrypts it by using his pri- Early approaches for zero-knowledge watermark detec- vate key skB, thus obtaining X , where the watermarks V and tion used permutations to conceal both the watermark and 16 EURASIP Journal on Information Security

WCA

Epk (W) X B Embedding σ

X skB

Epk (X ) X · · B Decryption EpkB (X ) σ EpkB (W) Seller Buyer

Figure 8: The scheme of the Buyer Seller Protocol proposed in [66]. the object in which the watermark is to be detected [74]; the com(W), T be the common inputs of prover and verifier and protocol assures that the permuted watermark is detected in let psec be the private input of the prover. First, both prover the permuted content and that both the watermark and the and verifier select the watermarked features X and compute object are permuted in the same manner. Craver [75]pro- the value B of (37); the prover sends a commitment com(B) posed to use ambiguity attacks as a central tool to construct to the verifier and opens it immediately, allowing him to ver- zero-knowledge detectors; such attacks allow to compute a ify that the opened commitment contains the same value B watermark that is detectable in a content but never has been he computed himself. Now both compute the commitment embedded there. To use ambiguity attacks in a secure detector, the real watermark is concealed within a number of fake M xi marks. The prover has to show that there is a valid watermark com(A) = com wi (38) in this list without revealing its position. Now, the adversary i=1 (equipped solely with a watermark detector) cannot decide which of the watermarks is not counterfeit. Removal of the by taking advantage of the homomorphic property of the watermark is thus sufficiently more difficult. commitment scheme. Subsequently, the prover proves in Another proposal is to compute the watermark detec- zero-knowledge that A ≥ 0. Next, the prover computes the tion statistic in the encrypted domain (e.g., by using additive value A2, sends a commitment com(A2) to the verifier, and homomorphic public-key encryption schemes or commit- gives him a zero-knowledge proof to prove that com(A2)re- ments) and then use zero-knowledge proofs to convince the ally contains the square of the value contained in com(A). verifier that the detection statistic exceeds a fixed threshold. Being convinced that com(A2) really contains the correctly This approach was first proposed by Adelsbach and Sadeghi computed value A2, the two parties compute the commit- [76], who use a homomorphic commitment scheme to comment com(C):= com(A2)/com(B) on the value C.Fi- pute the detection statistic; the approach was later refined in nally, the prover proves to the verifier, with a proper zero- [77]. knowledge protocol, that com(C) ≥ 0. If this proof is ac- Adelsbach and Sadeghi [76]proposeazero-knowledge cepted, then the detection algorithm ends with true, other- protocol based on the Cox’s watermarking scheme. In con- wise, with false. trast to the original algorithm, it is assumed that the water- While early protocols addressed only correlation-based mark and DCT-coefficients are integers and not real numbers watermark detectors, the approach has recently be extended (this can be achieved by appropriate quantization). More- to Gaussian maximum likelihood detectors [79] and Dither over, for efficiency reasons, the correlation computation in modulation watermarks [80, 81]. (31) is replaced by the detection criterion:

2 5. CONCLUSION AND DISCUSSION C := X , W −X , X ·T2 (37) := (A)2 − B ≥ 0; The availability of signal processing algorithms that work directly on the encrypted data would be of great help for appli- the latter detection criterion is equivalent to the original one, cation scenarios where “valuable” signals must be produced, provided that the factor A is positive. processed, or exchanged in digital format. In this paper, we The following zero-knowledge detection protocol has have broadly referred to this new class of signal processing been designed to allow the prover to prove to a veriﬁer that techniques operating in the encrypted domain as signal pro- the watermark committed to in the commitment com(W)is cessing in the encrypted domain. We mainly review the state- present in the watermarked content X , without revealing any of-the-art, describing the necessary properties of the crypto- information about W. In the protocol, the authors employ an graphic primitives and highlighting the limits of current so- additively homomorphic commitment scheme (such as the lutions that have an impact on processing in the encrypted one proposed by Damgard˚ and Fujisaki [78]). Let ppub, X , domain. Zekeriya Erkin et al. 17

Concerning the use of cryptographic primitives for sig- given that, once again, it calls for the possibility of comparing nal processing in the encrypted domain, we can observe that encrypted numbers. If the signals are represented by means treating the digital content as a binary data is not realistic and of floating point arithmetic, working in the encrypted do- eliminates the possibility of further processing. Concerning main is a very difficult task due to the necessity of imple- the basic encryption primitives that make processing in the menting operations such as comparisons and right shifts in encrypted domain possible, for the particular case when it the encrypted domain, for which efficient (noninteractive) is necessary to compress an encrypted signal, a possibility is solutions are not known yet. to resort to the theory of coding with side information; this primitive, however, seems to be applicable only to this kind ACKNOWLEDGMENTS of problem. The general cryptographic tools that allow to process en- The work reported here has been funded in part by the Eu- crypted signals are homomorphic cryptosystems since they ropean Community’s Sixth Framework Programme under allow performing linear computations on the encrypted data. Grant no. 034238, SPEED project—Signal Processing in the In order to implement necessary signal processing opera- Encrypted Domain. The work reported reflects only the au- tions, it seems crucial to have an algebraic cryptosystem. thors’ views; the European Community is not liable for any However, such a system does not exist and despite the fact use that may be made of the information contained herein. that there is no formal proof, it is highly believed that such a system will be insecure due to preserving too much struc- REFERENCES ture. Yet, homomorphic cryptosystems are the key components in signal processing in the encrypted domain. Another [1] JPSEC, International standard, ISO/IEC 15444-8, 2007. property, important for signal processing in the encrypted [2] P. Paillier, “Public-key cryptosystems based on composite de- domain, is probabilistic encryption: since signal samples are gree residuosity classes,” in Proceedings of the International usually 8-bit or 16-bit in length, encrypting such values with Conference on the Theory and Application of Cryptographic a deterministic cryptosystem will result in reoccurring en- Techniques (EUROCRYPT ’99), vol. 1592 of Lecture Notes in crypted values which significantly reduces the search space Computer Science, pp. 223–238, Springer, Prague, Czech Re- for brute-force attacks. A probabilistic scheme, which does public, May 1999. not encrypt two equal plain texts into the same cipher text, [3] T. ElGamal, “A public key cryptosystem and a signature eliminates such an issue. However, once the data is en- scheme based on discrete logarithms,” in Proceedings of the 4th crypted, the probabilistic encryption makes it impossible to Annual International Cryptology Conference (CRYPTO ’84), check if the encrypted value represents a valid input for the vol. 196 of Lecture Notes in Computer Science, pp. 10–18, Springer, Santa Barbara, Calif, USA, August 1985. purposes of the subsequent processing. Similarly, the output of a function that is computed with encrypted data may [4] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commu- need to be compared with another value. In such situations, nications of the ACM, vol. 21, no. 2, pp. 120–126, 1978. cryptography provides a solution known as zero-knowledge [5] J. R. Troncoso-Pastoriza, S. Katzenbeisser, M. Celik, and A. proofs. Moreover, when nonlinear function needs to be com- Lemma, “A secure multidimensional point inclusion proto- puted, homomorphic encryption cannot help; in such a case, col,” in Proceedings of the 9th Workshop on Multimedia & Secu- it is possible to resort to interactive protocols (e.g., the secure rity (MM&Sec ’07), pp. 109–120, ACM Press, Dallas, Tex, USA, multiparty computation). The limit of these protocols is that September 2007. a general solution is infeasible for situations where the parties [6]D.Boneh,G.D.Crescenzo,R.Ostrovsky,andG.Persiano, own huge quantities of data or the functions to be evaluated “Public key encryption with keyword search,” in Proceedings are complex, as it happens in signal processing scenarios. of the International Conference on the Theory and Applications Though the possibility of processing encrypted data has of Cryptographic Techniques (EUROCRYPT ’04), vol. 3027 of been advanced several years ago, processing encrypted sig- Lecture Notes in Computer Science, pp. 506–522, Springer, In- nals poses some new problems due to the peculiarities of terlaken, Switzerland, May 2004. signals with respect to other classes of data more commonly [7] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Order pre- encountered in the cryptographic literature, for example, al- serving encryption for numeric data,” in Proceedings of phanumeric strings or bit sequences. One property of sig- the ACM International Conference on Management of Data nals is that in many signal processing applications, there is (SIGMOD ’04), pp. 563–574, ACM Press, Paris, France, June 2004. interest on the way the signal varies with time rather than the single values it assumes. Moreover, the arithmetic used [8] J. Domingo-Ferrer, “A new privacy homomorphism and applications,” Information Processing Letters,vol.60,no.5,pp. to represent the signal samples has to be carefully taken into 277–282, 1996. account. If the signal samples are represented by means of [9] J. Domingo-Ferrer, “A provably secure additive and multi- fixed-point arithmetic, we need to ensure that no overflow plicative privacy homomorphism,” in Proceedings of the 5th occurs; for signal processing in the encrypted domain, it is International Conference on Information Security (ISC ’02), necessary that such a condition is ensured a priori by care- vol. 2433 of Lecture Notes in Computer Science, pp. 471–483, fully constraining the properties of the signals we operate on Springer, Sao Paulo, Brazil, September-October 2002. and the type and number of operations we want to perform [10] J. H. Cheon and H. S. Nam, “A cryptanalysis of the original on them. Moreover, keeping the distinction between the in- Domingo-Ferrer’s algebraic privacy homomophism,” Cryp- teger and the fractional part of a number is a difficult task, tology ePrint Archive, Report 2003/221, 2003. 18 EURASIP Journal on Information Security

[11] D. Wagner, “Cryptanalysis of an algebraic privacy homomor- of Lecture Notes in Computer Science, pp. 107–122, Springer, phism,” in Proceedings of the 6th International Conference on Prague, Czech Republic, May 1999. Information Security (ISC ’03), vol. 2851 of Lecture Notes in [25] T. Pedersen, “Non-interactive and information-theoretic se- Computer Science, pp. 234–239, Bristol, UK, October 2003. cure verifiable secret sharing,” in Proceedings of the 11th [12] C. Fontaine and F. Galand, “A survey of homomorphic en- Annual International Cryptology Conference (CRYPTO ’91), cryption for nonspecialists,” EURASIP Journal on Information vol. 576 of Lecture Notes in Computer Science, pp. 129–140, Security, vol. 2007, Article ID 13801, 10 pages, 2007. Springer, Santa Barbara, Calif, USA, August 1992. [13] B. Schoenmakers and P. Tuyls, “Practical two-party com- [26] A. C. Yao, “Protocols for secure computations,” in Proceedings putation based on the conditional gate,” in Proceedings of of 23rd IEEE Symposium on Foundations of Computer Science the 10th International Conference on the Theory and Applica- (FOCS ’82), pp. 160–164, Chicago, Ill, USA, November 1982. tion of Cryptology and Information Security (ASIACRYPT ’04), [27] B. Schoenmakers and P. Tuyls, “Efficient binary conversion for vol. 3329 of Lecture Notes in Computer Science, pp. 119–136, Paillier encrypted values,” in Proceedings of the 24th Annual In- Jeju Island, Korea, December 2004. ternational Conference on the Theory and Applications of Cryp- [14] S. Goldwasser and S. Micali, “Probabilistic encryption,” Jour- tographic Techniques (EUROCRYPT ’06) , vol. 4004 of Lecture nal of Computer and System Sciences, vol. 28, no. 2, pp. 270– Notes in Computer Science, pp. 522–537, Springer, St. Peters- 299, 1984. burg, Russia, May-June 2006. [15] J. Benaloh, Verifiable secret-ballot elections, Ph.D. thesis, De- [28] O. Goldreich, Foundations of Cryptography II, Cambridge Uni- partment of Computer Science, Yale University, New Haven, versity Press, Cambridge, UK, 2004. Conn, USA, 1988. [29] S.-C. S. Cheung and T. Nguyen, “Secure multiparty computa- [16] D. Naccache and J. Stern, “A new public key cryptosystem tion between distrusted networks terminals,” EURASIP Jour- based on higher residues,” in Proceedings of the 5th ACM Con- nal on Information Security, vol. 2007, Article ID 51368, 10 ference on Computer and Communications Security (CCS ’98), pages, 2007. pp. 59–66, San Francisco, Calif, USA, November 1998. [30] M. Johnson, P. Ishwar, V. Prabhakaran, D. Schonberg, and K. [17] T. Okamoto and S. Uchiyama, “A new public-key cryptosys- Ramchandran, “On compressing encrypted data,” IEEE Trans- tem as secure as factoring,” in Proceedings of the Interna- actions on Signal Processing, vol. 52, no. 10, pp. 2992–3006, tional Conference on the Theory and Application of Crypto- 2004. graphic Techniques (EUROCRYPT ’98), vol. 1403 of Lecture [31] D. Slepian and J. K. Wolf, “Noiseless coding of correlated in- Notes in Computer Science, pp. 308–318, Springer, Espoo, Fin- formation sources,” IEEE Transactions on Information Theory, land, May-June 1998. vol. 19, pp. 471–480, 1973. [32] S. Pradhan and K. Ramchandran, “Distributed source coding [18] I. Damgard˚ and M. Jurik, “A generalisation, a simplification using syndromes (DISCUS): design and construction,” IEEE and some applications of Paillier’s probabilistic public-key Transactions on Information Theory, vol. 49, no. 3, pp. 626– system,” in Proceedings of the 4th International Workshop on 643, 2003. Practice and Theory in Public Key Cryptosystems (PKC ’01), vol. 1992 of Lecture Notes In Computer Science, pp. 119–136, [33] Y. Lindell and B. Pinkas, “Privacy preserving data mining,” in Springer, Cheju Island, Korea, February 2001. Proceedings of the 20th Annual International Cryptology Con- ference (CRYPTO ’00), vol. 1880 of Lecture Notes in Computer [19] O. Goldreich, Foundations of Cryptography I, Cambridge Uni- Science, pp. 36–54, Santa Barbara, Calif, USA, August 2000. versity Press, Cambridge, UK, 2001. [34] R. Agrawal and R. Srikant, “Privacy-preserving data mining,” ffi [20] C. P.Schnorr, “E cient identification and signatures for smart ACM SIGMOD Record, vol. 29, no. 2, pp. 439–450, 2000. cards,” in Proceedings of the 9th Annual International Cryp- [35] C. Clifton, M. Kantarcioglu, J. Vaidya, X. Lin, and M. Y. Zhu, tology Conference (CRYPTO ’89), vol. 435 of Lecture Notes in “Tools for privacy preserving distributed data mining,” ACM Computer Science, pp. 239–252, Springer, Santa Barbara, Calif, SIGKDD Explorations Newsletter, vol. 4, no. 2, pp. 28–34, 2002. USA, August 1990. [36] M. Kantarcioglu and J. Vaidya, “Privacy preserving naive [21] H. Lipmaa, “On diophantine complexity and statistical zero- Bayes classifier for horizontally partitioned data,” in Procced- knowledge arguments,” in Proceedings of the 9th International ings of the IEEE Workshop on Privacy Preserving Data Mining Conference on the Theory and Application of Cryptology and (ICDM ’03), pp. 3–9, Melbourne, Fla, USA, November 2003. Information Security (ASIACRYPT ’03), vol. 2894 of Lecture [37] B. Pinkas, “Cryptographic techniques for privacy-preserving Notes in Computer Science, pp. 398–415, Springer, Taipei, Tai- data mining,” ACM SIGKDD Explorations Newsletter, vol. 4, wan, November-December 2003. no. 2, pp. 12–19, 2002. [22] F. Boudot, “Efficient proofs that a committed number lies [38]V.S.Verykios,E.Bertino,I.N.Fovino,L.P.Provenza,Y.Say- in an interval,” in Proceedings of the International Conference gin, and Y. Theodoridis, “State-of-the-art in privacy preserv- on the Theory and Application of Cryptographic Techniques ing data mining,” ACM SIGMOD Record,vol.33,no.1,pp. (EUROCRYPT ’00), vol. 1807 of Lecture Notes in Computer 50–57, 2004. Science, pp. 431–444, Springer, Bruges, Belgium, May 2000. [39] A. K. Jain, M. N. Murty, and P. J. Flynn, “Data clustering: a [23] E. Fujisaki and T. Okamoto, “Statistical zero-knowledge pro- review,” ACM Computing Surveys, vol. 31, no. 3, pp. 264–323, tocols to prove modular polynomial relations,” in Proceed- 1999. ings of the 17th Annual International Cryptology Conference [40] G. Jagannathan and R. N. Wright, “Privacy-preserving dis- (CRYPTO ’97), vol. 1294 of Lecture Notes in Computer Science, tributed k-means clustering over arbitrarily partitioned data,” pp. 16–30, Springer, Santa Barbara, Calif, USA, August 1997. in Proceedings of the ACM SIGKDD International Conference [24] J. Camenisch and M. Michels, “Proving in zero-knowledge on Knowledge Discovery and Data Mining (KDD ’05), pp. 593– that a number is the product of two safe primes,” in Proceed- 599, ACM Press, Chicago, Ill, USA, August 2005. ings of the International Conference on the Theory and Applica- [41] B. Goethals, S. Laur, H. Lipmaa, and T. Mielikainen, “On se- tion of Cryptographic Techniques (EUROCRYPT ’99), vol. 1592 cure scalar product computation for privacy-preserving data Zekeriya Erkin et al. 19

mining,” in Proceedings of the 7th Annual International Con- [57] M. Barni and F. Bartolini, “Data hiding for fighting piracy,” ference in Information Security and Cryptology (ICISC ’04), IEEE Signal Processing Magazine, vol. 21, no. 2, pp. 28–39, vol. 3506 of Lecture Notes in Computer Science, pp. 104–120, 2004. Springer, Seoul, Korea, December 2004. [58] S. Emmanuel and M. Kankanhalli, “Copyright protection [42] A. C. Yao, “How to generate and exchange secrets,” in Proceed- for MPEG-2 compressed broadcast video,” in Proceedings of ings of the 27th Annual Symposium on Foundations of Com- the IEEE International Conference on Multimedia and Expo puter Science, pp. 162–167, Toronto, Ontario, Canada, October (ICME ’01), pp. 206–209, Tokyo, Japan, August 2001. 1986. [59] J. Crowcroft, C. Perkins, and I. Brown, “A method and appa- [43] K. Goldberg, T. Roeder, D. Gupta, and C. Perkins, “Eigentaste: ratus for generating multiple watermarked copies of an infor- a constant time collaborative filtering algorithm,” Information mation signal,” WO Patent No. 00/56059, 2000. Retrieval, vol. 4, no. 2, pp. 133–151, 2001. [60] R. Parviainen and P. Parnes, “Large scale distributed water- [44] J. D.M. Rennie and N. Srebro, “Fast maximum margin ma- marking of multicast media through encryption,” in Proceed- trix factorization for collaborative prediction,” in Proceed- ings of the IFIP TC6/TC11 International Conference on Com- ings of the 22nd International Conference on Machine Learning munications and Multimedia Security Issues of the New Cen- (ICML ’05), pp. 713–720, Bonn, Germany, August 2005. tury, vol. 192, pp. 149–158, Darmstadt, Germany, May 2001. [45] B. Sarwar, G. Karypis, J. Konstan, and J. Riedl, “Applica- [61] D. Kundur and K. Karthik, “Video fingerprinting and encryption of dimensionality reduction in recommender systems,” tion principles for digital rights management,” Proceedings of in Proceedings of the Web Mining for E-Commerce—Challenges the IEEE, vol. 92, no. 6, pp. 918–932, 2004. and Opportunities (WEBKDD ’00), Boston, Mass, USA, Au- [62]A.Lemma,S.Katzenbeisser,M.Celik,andM.vanderVeen, gust 2000. “Secure watermark embedding through partial encryption,” in [46] J. F. Canny, “Collaborative filtering with privacy,” in Proceed- Proceedings of the 5th International Workshop on Digital Water- ings of the IEEE Symposium on Security and Privacy, pp. 45–57, marking (IWDW ’06), vol. 4283 of Lecture Notes in Computer Berkeley, Calif, USA, May 2002. Science, pp. 433–445, Jeju Island, Korea, November 2006. [47] T. Pedersen, “A threshold cryptosystem without a trusted [63] R. J. Anderson and C. Manifavas, “Chameleon—a new kind of party,” in Proceedings of the Workshop on the Theory and stream cipher,” in Proceedings of the 4th International Workshop Application of Cryptographic Techniques (EUROCRYPT ’91), on Fast Software Encryption (FSE ’97), vol. 1267, pp. 107–113, vol. 547 of Lecture Notes in Computer Science, pp. 522–526, Springer, Haifa, Israel, January 1997. Brighton, UK, April 1991. [64] A. Adelsbach, U. Huber, and A.-R. Sadeghi, “Fingercasting— [48] J. F. Canny, “Collaborative filtering with privacy via factor joint fingerprinting and decryption of broadcast messages,” in analysis,” in Proceedings of the 25th Annual International ACM Proceedings of the 11th Australasian Conference on Information SIGIR Conference on Research and Development in Information Security and Privacy (ACISP ’06), vol. 4058 of Lecture Notes Retrieval (SIGIR ’02), pp. 238–245, ACM Press, Tampere, Fin- in Computer Science, pp. 136–147, Springer, Melbourne, Aus- land, August 2002. tralia, July 2006. [49] H. Polat and W. Du, “Privacy-preserving collaborative filter- [65]M.Celik,A.Lemma,S.Katzenbeisser,andM.vanderVeen, ing using randomized perturbation techniques,” in Proceed- “Secure embedding of spread spectrum watermarks using ings of the 3rd IEEE International Conference on Data Min- look-up tables,” in Proceedings of the International Conference ing (ICDM ’03), pp. 625–628, IEEE Computer Society, Mel- on Acoustics, Speech and Signal Processing (ICASSP ’07), vol. 2, bourne, Fla, USA, November 2003. pp. 153–156, IEEE Press, Honolulu, Hawaii, USA, April 2007. [50] H. Polat and W. Du, “SVD-based collaborative filtering with [66] N. Memon and P.W. Wong, “A buyer-seller watermarking pro- privacy,” in Proceedings of the 20th Annual ACM Symposium tocol,” IEEE Transactions on Image Processing,vol.10,no.4,pp. on Applied Computing (SAC ’05), vol. 1, pp. 791–795, Santa Fe, 643–649, 2001. NM, USA, March 2005. [67] F. Ahmed, F. Sattar, M. Y. Siyal, and D. Yu, “A secure wa- [51] Z. Huang, W. Du, and B. Chen, “Deriving private informa- termarking scheme for buyer-seller identification and copy- tion from randomized data,” in Proceedings of the ACM Inter- right protection,” EURASIP Journal on Applied Signal Process- national Conference on Management of Data (SIGMOD ’05), ing, vol. 2006, Article ID 56904, 15 pages, 2006. pp. 37–48, ACM Press, Baltimore, Md, USA, June 2005. [68] M. Kuribayashi and H. Tanaka, “Fingerprinting protocol [52] H. Kargupta, S. Datta, Q. Wang, and K. Sivakumar, “On the for images based on additive homomorphic property,” IEEE privacy preserving properties of random data perturbation Transactions on Image Processing, vol. 14, no. 12, pp. 2129– techniques,” in Proceedings of the 3rd IEEE International Con- 2139, 2005. ference on Data Mining (ICDM ’03), pp. 99–106, Melbourne, [69] C.-L. Lei, P.-L. Yu, P.-L. Tsai, and M.-H. Chan, “An efficient Fla, USA, November 2003. and anonymous buyer-seller watermarking protocol,” IEEE [53] S. Zhang, J. Ford, and F. Makedon, “A privacy-preserving col- Transactions on Image Processing, vol. 13, no. 12, pp. 1618– laborative filtering scheme with two-way communication,” in 1626, 2004. Proceedings of the 7th ACM Conference on Electronic Commerce [70] J. Zhang, W. Kou, and K. Fan, “Secure buyer-seller watermark- (EC ’06), pp. 316–323, Ann Arbor, Mich, USA, June 2006. ing protocol,” IEE Proceedings—Information Security, vol. 153, [54] M. Barni and F. Bartolini, Watermarking Systems Engineering: no. 1, pp. 15–18, 2006. Enabling Digital Assets Security and Other Applications,Marcel [71] J. J. Eggers, J. K. Su, and B. Girod, “Public key watermarking Dekker, New York, NY, USA, 2004. by eigenvectors of linear transforms,” in Proceedings of the Eu- [55] I. J. Cox, M. L. Miller, and J. A. Bloom, Digital Watermarking, ropean Signal Processing Conference (EUSIPCO ’00),Tampere, Morgan Kaufmann, San Francisco, Calif, USA, 2001. Finland, September 2000. [56]I.J.Cox,J.Kilian,F.T.Leighton,andT.Shamoon,“Secure [72] T. Furon and P. Duhamel, “An asymmetric public detection spread spectrum watermarking for multimedia,” IEEE Trans- watermarking technique,” in Proceedings of the 3rd Interna- actions on Image Processing, vol. 6, no. 12, pp. 1673–1687, 1997. tional Workshop on Information Hiding (IH ’99), vol. 1768 of 20 EURASIP Journal on Information Security

Lecture Notes in Computer Science, pp. 88–100, Springer, Dres- den, Germany, September-October 2000. [73]J.J.Eggers,J.K.Su,andB.Girod,“Asymmetricwatermark- ing schemes,” in Proceedings of the Sicherheit in Mediendaten, GMD Jahrestagung, Berlin, Germany, September 2000. [74] S. A. Craver and S. Katzenbeisser, “Security analysis of public- key watermarking schemes,” in Mathematics of Data/Image Coding, Compression, and Encryption IV, with Applications, vol. 4475 of Proceedings of SPIE, pp. 172–182, San Diego, Calif, USA, July 2001. [75] S. Craver, “Zero knowledge watermark detection,” in Proceed- ings of the 3rd International Workshop on Information Hiding (IH ’99), vol. 1768 of Lecture Notes in Computer Science,pp. 101–116, Springer, Dresden, Germany, September-October 1999. [76] A. Adelsbach and A.-R. Sadeghi, “Zero-knowledge watermark detection and proof of ownership,” in Proceedings of the 4th International Workshop on Information Hiding (IH ’01), vol. 2137 of Lecture Notes in Computer Science, pp. 273–288, Springer, Pittsburgh, Pa, USA, April 2001. [77] A. Adelsbach, M. Rohe, and A.-R. Sadeghi, “Non-interactive watermark detection for a correlation-based watermarking scheme,” in Proceedings of the 9th IFIP TC-6 TC-11Interna- tional Conference on Communications and Multimedia Security (CMS ’05), vol. 3677 of Lecture Notes in Computer Science,pp. 129–139, Springer, Salzburg, Austria, September 2005. [78] I. Damgard˚ and E. Fujisaki, “A statistically-hiding integer commitment scheme based on groups with hidden order,” in Proceedings of the 8th International Conference on the The- ory and Application of Cryptology and Information Security (ASIACRYPT ’02), Y. Zheng, Ed., vol. 2501 of Lecture Notes in Computer Science, pp. 125–142, Springer, Queenstown, New Zealand, December 2002. [79] J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez,´ “Eﬃcient non-interactive zero-knowledge watermark detector robust to sensitivity attacks,” in Security,Steganography, and Watermark- ing of Multimedia Contents IX,P.W.WongandE.J.Delp,Eds., vol. 6505 of Proceedings of SPIE, pp. 1–12, San Jose, CA, USA, January 2007. [80] M. Malkin and T. Kalker, “A cryptographic method for secure watermark detection,” in Proceedings of the 8th International Workshop on Information Hiding (IH ’06), vol. 4437 of Lecture Notes in Computer Science, pp. 26–41, Springer, Alexandria, Va, USA, July 2006. [81] A. Piva, V. Cappellini, D. Corazzi, A. De Rosa, C. Orlandi, and M. Barni, “Zero-knowledge ST-DM watermarking,” in Secu- rity, Steganography, and Watermarking of Multimedia Contents VIII, vol. 6072 of Proceedings of SPIE, pp. 291–301, San Jose, Calif, USA, January 2006. Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 37343, 11 pages doi:10.1155/2007/37343

Research Article Oblivious Neural Network Computing via Homomorphic Encryption

C. Orlandi,1 A. Piva,1 and M. Barni2

1 Department of Electronics and Telecommunications, University of Florence, Via S.Marta 3, 50139 Firenze, Italy 2 Department of Information Engineering, University of Siena, Via Roma 56, , 53100 Siena, Italy

Correspondence should be addressed to C. Orlandi, [email protected]ﬁ.it

Received 27 March 2007; Accepted 1 June 2007

Recommended by Stefan Katzenbeisser

The problem of secure data processing by means of a neural network (NN) is addressed. Secure processing refers to the possibility that the NN owner does not get any knowledge about the processed data since they are provided to him in encrypted format. At the same time, the NN itself is protected, given that its owner may not be willing to disclose the knowledge embedded within it. The considered level of protection ensures that the data provided to the network and the network weights and activation functions are kept secret. Particular attention is given to prevent any disclosure of information that could bring a malevolent user to get access to the NN secrets by properly inputting fake data to any point of the proposed protocol. With respect to previous works in this ﬁeld, the interaction between the user and the NN owner is kept to a minimum with no resort to multiparty computation protocols.

Copyright © 2007 C. Orlandi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION lined above, however, this is only rarely the case, since the data owner usually does not trust the processing devices, or Recent advances in signal and information processing to- those actors required to manipulate the data. It is clear that gether with the possibility of exchanging and transmitting the availability of signal processing algorithms that work di- data through flexible and ubiquitous transmission media rectly on the encrypted data, would represent a powerful so- such as Internet and wireless networks have opened the way lution to the security problems described above. towards a new kind of services whereby a provider sells its A fundamental brick of modern artificial intelligence the- ability to process and interpret data remotely, for example, ory is represented by neural networks (NNs), which thanks through a web service. Examples in this sense include in- to their approximation and generalization capabilities [1]are terpretation of medical data for remote diagnosis, access to a universal tool enabling a great variety of applications. For remote databases, processing of personal data, processing of this reason, in this paper we introduce a protocol whereby multimedia documents. In addition to technological devel- a user may ask a service provider to run a neural network opments in artificial intelligence, multimedia processing and on an input provided in encrypted format. The twofold goal data interpretation, and to an easy and cheap access to the is on one side to ensure that the data provided by the user, communication channel, the above services call for the adop- representing the input of the neural network, are adequately tion of security measures that ensure that the information protected, on the other side to protect the knowledge (ex- provided by the users and the knowledge made available by pertise) of the service provider embedded within the NN. the service providers are adequately protected. it is worth pointing out that the scope of our protocol is Most of the currently available solutions for secure ma- not to preserve user anonymity. Specifically, the latter goal nipulation of signals apply some cryptographic primitives is achieved by protecting the weights of the network arcs, on top of the signal processing modules, so to prevent the together with the parameters defining the neuron activa- leakage of critical information. In most cases, however, it tion functions. The proposed protocol relies on homomor- is assumed that the involved parties trust each other, and phic encryption principles (first introduced in [2]) whereby thus the cryptographic layer is used only to protect the data a few elementary operations can be performed directly in the against third parties. In the new application scenarios out- encrypted domain. For those tasks that cannot be handled 2 EURASIP Journal on Information Security by means of homomorphic encryption, a limited amount vacy constraints. Lindell and Pinkas [6]presentedawayto of interaction between the NN owner and the user is intro- securely and efficiently compute a decision tree using cryp- duced; however, in contrast to previous works in the general tographic protocols; at the same time, Agrawal and Srikant area of privacy preserving data mining [3], the interaction [7] presented another solution to the same problem using is kept to a minimum and no resort to sophisticated mul- data randomization, that is by adding noise to customer’s tiparty computation protocols [4, 5] is made. Great atten- data. tion is paid to avoid any unnecessary disclosure of informa- After the publication of these papers, the interest in pri- tion, so that at the end of the protocol the user only knows vacy preserving cooperative computation has grown up. In the final NN output, whereas all internal computations are particular several techniques from machine learning were kept secret. In this way, the possibility for a malevolent user converted to the multiparty scenario where several parties to provide a set of fake inputs properly selected to disclose contribute to some kind of computation while preserving the the network secrets is prevented. A solution is also sketched security of the data provided by each of them. Solutions for that permits to obfuscate the network topology, however, a the following algorithms were proposed: decision trees [6], deeper investigation in this direction is left for future re- neural networks [8], SVM [9], naive bayes classifiers [10], search. belief networks [11, 12], clustering [13]. In all these works, The rest of this paper is organized as follows. In Section 2, we can identify two major scenarios: in the first one Alice the prior art in the general field of privacy preserving and and Bob share a dataset and want to extract knowledge from oblivious computing is reviewed, and the peculiarities of our it without revealing their own data (privacy preserving data novel protocol are discussed. In Section 3 the cryptographic mining). In the other scenario, the one considered in this pa- primitives our scheme relies on are presented. The details of per, Alice owns her private data x, while Bob owns an evalu- the protocol we propose for oblivious NN computing are de- ation function C (in most cases C is a classifier); Alice would scribed in Section 4, where a single perceptron is studied, and like to have her data processed by Bob, but she does not want in Section 5, where the whole multilayer feedforward net- that Bob learns either her input or the output of the compu- work is analyzed. Section 6 is devoted to the discussion raised tation. At the same time Bob does not want to reveal the exact by the necessity of approximating real numbers by integer form of C, representing his knowledge, since, for instance, he values (given that the adopted cryptosystem works only with sells a classification service through the web (as in the remote integer values while NN computations are usually carried out medical diagnosis example). This second scenario is usually by considering real numbers). Section 7 is devoted to the ex- referred to as oblivious computing. perimental results obtained developing a distributed appli- Cooperative privacy preserving computing is closely re- cation that runs the protocol. Some concluding remarks are lated to secure multiparty computation (SMC), that is a sce- given in Section 8. nario where Alice owns x,Bobownsy, and they want to compute a public function f (·) of their inputs without re- 2. PRIOR ART vealing them to each other. At the end of the protocol, Alice and Bob will learn nothing except f (x, y). The roots of SMC In modern society great amount of data are collected and lie in a work by Yao [14] proposing a solution to the mil- stored by different entities. Some of these entities may take lionaire problem, in which two millionaires want to find out an advantage cooperating with each other. For example, two which of them is richer without revealing the amount of their medical institutions may want to perform a joint research on wealth. Later on Yao [15] presented a constant-round pro- their data; another example is a patient that needs a diagno- tocol for privately computing any probabilistic polynomial- sis from a medical institute that has the knowledge needed time function. The main idea underling this protocol is to ex- to perform the diagnosis. Of course those entities want to get press the function f as a circuit of logical gates, and then per- the maximum advantage from the cooperation, but they can- form a secure computation for each gate. It is clear that this not (or do not want to) let the other party know the data they general solution is unfeasible for situations where the parties own. Usually they cannot disclose personal data due to pri- own huge quantities of data or the functions to be evaluated vacy related law, and at the same time they like to keep their are complex. knowledge for business reasons. After these early papers extensively relying on SMC, A trivial solution to protect the data owned by the partic- more efficient primitives for privacy preserving computing ipants to the computation consists in resorting to a trusted were developed, based on homomorphic encryption schemes third party (TTP) that actually carries out the computation [16], which permit to carry out a limited set of elementary on the inputs received by the two parties, and sends to them operations like additions or multiplications in the encrypted the corresponding output. A privacy preserving protocol al- domain. In this way, a typical scheme for privacy preserv- lows to achieve the same goal without the participation of a ing computing consists in a first phase where each party per- TTP, in such a way that each player can only learn from the forms the part of the computation that he can do by himself protocol execution the same information he/she could get by (possibly by relying on a suitable homomorphic cryptosys- his/her own inputs and the output received by the TTP. tem). Then the interactive part of the protocol starts, with In 2000 two different papers proposed the notions of pri- protocol designers trying to perform as much as they can in vacy preserving data mining, meaning the possibility to per- an efficient way. At the end, the operations for which an effi- form data analysis on a distributed database, under some pri- cient protocol is not known (like division, maximum finding, C. Orlandi et al. 3

etc.) are carried out by resorting to the general solution by m1 and m2 and a constant value a, the following equalities Yao. are satisfied: Previous works on privacy preserving NN computing are Dsk Epk m1 · Epk m2 = m1 + m2, limited to the systems presented in [8, 17]. However, first a (1) study resort extensively to SMC for the computation of the Dsk Epk m1 = am1. nonlinear activation functions implemented in the neurons, and hence is rather cumbersome. On the other hand, the pro- Another feature that we need is that the encryption tocol proposed in [17] may leak some information at the scheme does not encrypt two equal plain texts into the same intermediate states of the computation, in fact the output cipher text, since we have to encrypt a lot of 0s and 1s, of all the intermediate neurons is made available to the data given that the output of the thresholding and sigmoid acti- owner, hence making it rather easy for a malevolent user to vation functions is likely to be zero or one in most of the disclose the NN weights by feeding each neuron with prop- cases. For this purpose, we can define a scheme where the erly chosen inputs. This is not the case with our new protocol encryption function Epk is a function of both the secret mes- which conceals all the intermediate NN computations and sage x and a random parameter r such that if r1 = r2 we does not resort to SMC for the evaluation of the activation have Epk(x, r1) = Epk(x, r2) for every secret message x.Let functions. In a nutshell, the owner of the NN (say Bob) per- c1 = Epk(x, r1)andc2 = Epk(x, r2), for a correct behavior we forms all the linear computations in the encrypted domain also need that Dsk(c1) = Dsk(c2) = x, that is, the decryp- and delegates the user (say Alice) to compute the nonlinear tion phase does not depend on the random parameter r.We functions (threshold, sigmoid, etc.). Before doing so, how- will refer to a scheme that satisfies the above property as a ever, Bob obfuscates the input of the activation functions so probabilistic scheme. This idea was first introduced in [18]. that Alice does not learn anything about what she is comput- Luckily, homomorphic and probabilistic encryption schemes ing. do exist. Specifically, in our implementation we adopted the When designing an SMC protocol it is necessary to take homomorphic and probabilistic scheme presented by Paillier into account the possible behavior of the participants to the in [16], and later modified by Damgard˚ and Jurik in [19]. protocol. Cryptographic design usually considers two possible behaviors: a participant is defined semihonest or passive if 3.2. Paillier cryptosystem he follows the protocol correctly, but tries to learn additional information by analyzing the messages exchanged during the The cryptosystem described in [16], usually referred to as protocol execution; he is defined malicious or active if he arbi- Paillier cryptosystem, is based on the problem to decide trarily deviates from the protocol specifications. In this work, whether a number is an nth residue modulo n2.Thisprob- like most of the protocols mentioned above, the semi-honest lem is believed to be computationally hard in the cryptogra- model is adopted. Let us note, however, that a protocol secure phy community, and is related to the hardness to factorize n, for semi-honest users can always be transformed into a pro- if n is the product of two large primes. tocol secure against malicious participants by requiring each Let us now explain what an nth residue is and how it can party to use zero-knowledge protocols to grant that they are be used to encrypt data. The notation we use is the classic correctly following the specifications of the scheme. one, with n = pq indicating the product of two large primes, Z Z∗ n the set of the integer numbers modulo n,and n the set of invertible elements modulo n, that is, all the integer numbers 3. CRYPTOGRAPHIC PRIMITIVES that are relatively prime with n. As usual, the cardinality of |Z∗| the latter set is indicated by n and it is equal to the Euler’s In this section the cryptographic primitives used to build the totient function φ(n). proposed protocol are described. ∈ ∗ 2 Definition 1. z Zn2 is said to be a nth residue modulo n if ∈ ∗ = n 2 there exists a number y Zn2 such that z y mod n . 3.1. Homomorphic and probabilistic encryption Conjecture 1. The problem of deciding nth residuosity, that is, distinguishing th residues from non th residues is computa- ffi n n To implement our protocol we need an e cient homomor- tionally hard. phic and probabilistic, public key, encryption scheme. Given a set of possible plain texts M, a set of cipher texts Paillier cryptosystem works on the following facts from C,andasetofkeypairsK = PK × SK (public keys and secret number theory. keys), a public key encryption scheme is a couple of func- (1) The application tions Epk : M → C, Dsk : C → M such that Dsk(Epk(m)) = m (where m ∈ M) and such that, given a cipher text c ∈ C, Z × Z∗ −→ Z∗ it is computationally unfeasible to determine m such that εg : n n n2 , m n 2 (2) Epk(m) = c, without knowing the secret key sk. m, y −→ g y mod n To perform linear computation (i.e., scalar product), we ∈ Z∗ need an encryption scheme that satisfies the additive homo- with g n2 an element with order multiple of n is a morphic property according to which, given two plaintexts bijection. 4 EURASIP Journal on Information Security

∈ Z∗ ∈ Z (2) We deﬁne the class of c n2 as the unique m n for Decryption ∈ Z∗ = m n 2 which y n exists such that c g y mod n . Let c

x1 w1 Input:(c = Epk(x); y) Output:(z = Epk(x, y); ∅) x1w1 PSPP(c; y) N yi x (1) Bob computes w = = c 2 i 1 i w (2) Bob sends z to Alice 2 x2w2 y δ τ(y, δ) . Algorithm 1 . . xmwm

xm It is worth observing that though the above protocol is a wm secure one in a cryptographic sense, some knowledge about Bob’s secrets is implicitly leaked through the output of the Figure 1: A perceptron is a binary classifier that performs a protocol itself. If, for instance, Alice can interact N times weighted sum of the inputs x1, ..., xm by means of the weights with Bob (where N =|x|=|w| is the size of the input w1, ..., wm followed by an activation function usually implemented vectors), she can completely find out Bob’s vector, by sim- by a threshold operation. ply setting the input of the ith iteration as the vector with all 0s and a 1 in the ith position, for i = 1, ..., N.Thisob- servation does not contrast with the cryptographic notion of protocol for oblivious neural network computation. We start secure multiparty computation, since a protocol is defined by describing the instance of a single neuron, in order to clar- secure if what the parties learn during the protocol is only ify how the weighted sum followed by the activation function what they learn from the output of the computation. How- shaping the neuron can be securely computed. ever, if we use the scalar product protocol described above to A single neuron in a NN is usually referred to as percep- build more sophisticated protocols, we must be aware of this tron. A perceptron (see Figure 1) is a binary classifier that leakage of information. In the following we will refer to this performs a weighted sum of the input x1, ..., xm by means way of disclosing secret information as a sensitivity attack af- of the weights w1, ..., wm followed by an activation function = m ter the name of a similar kind of attack usually encountered (usually a threshold operation). So if y i=1 xiwi, the out- in watermarking applications [22, 23]. Note that the prob- put of the perceptron will be lems stemming from sensitivity attacks are often neglected in ⎧ ⎨ the privacy preserving computing literature. 1ify ≥ δ, τ(y, δ) = (6) ⎩0ify<δ. 3.5. Malleability We also address the case where the activation function is The homomorphic property that allows us to produce mean- a sigmoid function, in this case the output of the perceptron ingful transformation on the plaintext modifying the cipher- is text also allows an attacker to exploit it for a malicious pur- 1 pose. σ(y, α) = . (7) 1+e−αy In our application one can imagine a competitor of Bob that wants to discredit Bob’s ability to process data, and thus This function is widely used in feedforward multilayer NNs adds random noise to all data exchanged between Alice and because of the following relation: Bob, making the output of the computation meaningless. Al- dσ(x, α) ice and Bob have no way to discover that such an attack was = ασ(x, α) 1 − σ(x, α) (8) dx done, because if the attacker knows the public key of Alice, he can transform the ciphertext in the same way that Bob that is easily computable and simplifies the backpropagation can, so Alice cannot distinguish between honest homomor- training algorithm execution [25]. phic computation made by Bob and malicious manipulation In the proposed scenario the data are distributed as fol- of the ciphertext performed by the attacker. This is a well lows: Alice owns her private input x, Bob owns the weights known drawback of every protocol that uses homomorphic w, and at the end only Alice obtains the output. Alice will encryption to realize secure computation. Such a kind of at- provide her vector in encrypted format (c = Epk(x)) and will tacks is called a malleability attack [24]. To prevent attackers receive the output in an encrypted form. We already showed from maliciously manipulating the content of the messages how to compute an encrypted version of y, the scalar prod- exchanged between Alice and Bob, the protocol, such as any uct between x and w. Let us describe now how this compu- other protocol based on homomorphic encryption, should tation can be linked to the activation function in order to berunonasecurechannel. obtain a secure protocol (c; w, δ) → (Epk(τ(x, w, δ)); ∅) in the case of a threshold activation function, or (x; w, α) → ∅ 4. PERCEPTRON (Epk(σ( x, w , α)); ) in the case of the sigmoid activation function. In order to avoid any leakage of information, an ob- We are now ready to describe how to use the Paillier cryp- fuscation step is introduced to cover the scalar product and tosystem and the private scalar product protocol to build a the parameters of the activation function. 6 EURASIP Journal on Information Security

Input:(c; w, δ) Input:(c; w, α) Output:(Epk(τ(x, y, δ)); ∅) Output:(Epk(σ(x, y, α)); ∅) PerceptronThreshold(c; w, δ) PerceptronSigmoid(x; w, α) = N wi = N wi (1) Bob computes y i=1 ci (1) Bob computes y i=1 ci a α (2) Bob computes γ = (y · Epk(−δ)) with random a and (2) Bob computes η = y and a>0 (3) Bob sends η (3) Bob sends γ to Alice (4) Alice decrypts η and computes her output (4) Alice’s output is 1 if Dsk(γ) ≥ 0; else it is 0 σ(Dsk(η), 1)

Algorithm 2 Algorithm 3

4.1. Secure threshold evaluation 4.3. Security against sensitivity attacks

What we want here is that Alice discovers the output of the Before passing to the description of the protocol for the com- comparison without knowing the terms that are compared. putation of a whole NN, it is instructive to discuss the sensi- Moreover, Bob cannot perform such a kind of computation tivity attack at the perceptron level. Let us consider first the by himself, as thresholding is a highly non-linear function, case of a threshold activation function: in this case the per- thus homomorphic encryption cannot help here. The solu- ceptron is nothing but a classifier whose decision regions are ffi tion we propose is to obfuscate the terms of the comparison separated by a hyperplane with coe cients given by the vec- and give them to Alice in such a way that Alice can compute tor w. Even if Alice does not have access to the intermediate the correct output without knowing the real values of the in- value x, w , she can still infer some useful information about put. To be specific, let us note that τ(y, δ) = τ( f (y−δ), 0) for w by proceeding as follows. She feeds the perceptron with a every function such that sign( f (x)) = sign(x). So Bob needs set of random sequences until she finds two sequences ly- ff only to find a randomly chosen function that he can com- ing in di erent decision regions, that is, for one sequence the pute in the encrypted domain, that transforms y − δ into a output of the perceptron is one, while for the other is zero. value indistinguishable from purely random values and keeps Then Alice applies a bisection algorithm to obtain a vector the sign unaltered. In our protocol, the adopted function is that lies on the border of the decision regions. By iterating f (x) = ax with a>0. Due to the homomorphic property of the above procedure, Alice can easily find m points belong- the cryptosystem, Bob can efficiently compute ing to the hyperplane separating the two decision regions of the perceptron, hence she can infer the values of the m un- a knowns contained in w. In the case of a sigmoid activation E x, w−δ ∼ E a x, w−δ ,(9) pk pk function, the situation is even worse, since Alice only needs to observe m + 1 values of the product αy to determine the where ∼ means that they contain the same plaintext. Next, m + 1 unknowns (w1, w2 ···wm; α). Bob sends this encrypted value to Alice that can decrypt the Note that it is impossible to prevent the sensitivity attacks − message and check if a( x, w δ) > 0. Obviously, this gives described above by working at the perceptron level, since at no information to Alice on the true values of x, w and δ.In the end of the protocol the output of the perceptron is the summary, the protocol for the secure evaluation of the per- minimum amount of disclosed information. As it will be ceptron is shown in Algorithm 2. outlined in the next section, this is not the case when we are interested in using the perceptron as an intermediate step of 4.2. Secure sigmoid evaluation alargerneuralnetwork.

The main idea underlying the secure evaluation of the sig- 5. MULTILAYER FEEDFORWARD NETWORK moid function is similar to that used for thresholding. Even in this case we note that σ(y, α) depends only on the product A multilayer feedforward network is composed by n layers, = = = ··· of the two inputs, say if yα y α , then σ(y, α) σ(y , α ). each having mi neurons (i 1 n). The network is then = n So what Bob can do to prevent Alice to discover the output composed by N i=1 mi neurons. Every neuron is iden- of scalar product and the parameter of the sigmoid α is to tiﬁed by two indexes, the superscript refers to the layer the give Alice the product of those values, that Bob can compute neuron belongs to, the subscript refers to its position in the 2 in the encrypted domain and that contains the same infor- layer (e.g., w3 indicates the weights vector for the third neu- mation of the output of the sigmoid function. In fact, as the ron in the second layer, while its components will be referred 2 sigmoid function could be easily inverted, the amount of in- to as w3,j ). An example of such a network is given in Figure 2. formation provided by σ(y, α) is the same of αy. The solution The input of each neuron in the ith layer is the weighted sum we propose, then, is the following: by exploiting again the of the outputs of the neurons of the (i − 1)th layer. The input homomorphic property of the cryptosystem Bob computes of the ﬁrst layer of the NN is Alice’s vector, while the out- α Epk(y) ∼ Epk(αy). Alice can decrypt the received value and put of the last layer is the desired output of the computation. compute the output of the sigmoid function. The protocol Each neuron that is not an output neuron is called hidden for the sigmoid-shaped perceptron is shown in Algorithm 3. neuron. C. Orlandi et al. 7

1 2 x x x3 1 x1

1 2 3 z1 w1 w1 w1 y

x2 0

1 2 3 z2 0 w2 w2 w2 x x 3 (a)

Figure 2: This network has n = 3 layers. The network has three 1 inputs, and all layers are composed of two neurons (m1 = m2 = m3 = 2). The network is so composed of six neurons (N = 6). Let us note that the input neurons are not counted as they do not y perform computation. For the sake of simplicity, the weights vector of every neuron is represented into the neuron, and not on the edge. 0 0 x In addition to protecting the weights of the NN, as described in the previous section, the protocol is designed to (b) protect also the output of each of those neurons. In fact Figure 3: Both threshold and sigmoid functions are antisymmetric the simple composition of N privacy preserving perceptrons with respect to (0, 1/2) as shown, that is, τ(−y, −δ) = 1 − τ(y, δ) would disclose some side information (the output of the hid- and σ(−y, α) = 1 − σ(y, α). den neurons nodes) that could be used by Alice to run a sensitivity attack at each NN node. The solution adopted to solve this problem is that Bob inputs of the activation function or not. Note that Bob can does not delegate Alice to compute the real output of the hid- flip the sign of one or both the inputs of τ or σ in the en- den perceptrons, but an apparently random output, so that, crypted domain, and he can also retrieve the real output by as it will be clarified later, the input of each neuron of the still working in the encrypted domain since he can do this ith layer will not be directly the weighted sum of the outputs by means of a simple linear operation (multiplication by 1 or − of the neurons of the (i − 1)th layer, but an obfuscation of 1 and subtractions). them. To be specific, let us focus on the threshold activation function, in this case every neuron will output a 0 or a 1. The 5.1. Multilayer network with threshold threshold function is antisymmetric with respect to (0, 1/2) as shown in Figure 3. That is, we have that y ≥ δ ⇒−y ≤−δ We are now ready to describe the final protocol for a mul- or equivalently: tilayer feedforward neural network whose neurons use the threshold as activation function. The privacy preserving per- τ(−y, −δ) = 1 − τ(y, δ). (10) ceptron protocol presented before is extended adding an input for Bob using the following notation: given ξ ∈{+, −}, Then, if Bob changes the sign of the inputs of the thresh- we define → old with 0.5 probability, he changes the output of the com- PerceptronThreshold (c; w, δ, ξ) (Epk(τ(ξ x, w , putation with the same probability, and Alice computes an ξδ)); ∅). apparently random output according to her view. Then she The Alice’s encrypted input vector will be the input for encrypts this value, sends it to Bob that can flip it again in the first layer, that is c1 = c. With this new definition, we the encrypted domain, so that the input to the next layer will obtain the protocol shown in Algorithm 4. be correct. To understand the security of the protocol, let us note Also the sigmoid is antisymmetric with respect to that if Bob flips the sign of the input in the threshold with (0, 1/2), since we have that 1/(1 + e−αy) = 1 − 1/(1 + eαy) probability 1/2, Alice does not learn anything from the com- or equivalently: putation of the threshold function hence achieving perfect security according to Shannon’s definition. In fact, it is like σ(−y, α) = 1 − σ(y, α), (11) performing a one time pad on the neuron output bit. This is not true in the case of the sigmoid, for which an additional then if Bob flips the product inputs with 0.5 probability, the step must be added. sign of the value that Bob sends to Alice will be again apparently random. Alice will still be able to use this value to 5.2. Multilayer network with sigmoid compute the output of the activation function that will appear random to her. However, Bob can retrieve the correct Even in this case, we need to extend the perceptron protocol output, since he knows whether he changed the sign of the presented before by adding an input to allow Bob to flip the 8 EURASIP Journal on Information Security

i i = ··· = ··· Input:(c; wj , δj ) with i 1 n, j 1 mi Output:(Epk(z); ∅)wherez is the output of the last layer of the network i i PPNNThreshold(c; wj , δj ) (1) c1 = c (2) for i = 1 to n − 1 (3) for j = 1 to mi (4) Bob picks ξ ∈{+, −} at random i i i ∅ = i i i (5) (Epk(τ(ξ x , wj , ξδj )); ) PerceptronThreshold(c ; wj , δj , ξ) (6) Alice decrypts the encrypted output and computes the new input xi+1, sending i+1 = i+1 back to Bob cj Epk(xj ) (7) if ξ = “− i+1 = · i+1 −1 (8) Bob sets cj Epk(1) (cj ) (9) // last layer does not obfuscate the output (10) for j = 1 to mn ∅ = n n n (11) (zj ; ) PerceptronThreshold(x ; wj , δj ,+)

Algorithm 4 sigmoid input: teractions. To avoid this kind of attack, then, we can simply PerceptronSigmoid (c; w, α, ξ) → (Epk(σ(ξx, w, assume that Bob limits the number of queries that Alice can α)); ∅). ask, or require that Alice pays an amount of money for each At this point we must consider that, while the threshold query. function gives only one bit of information, and the flipping operation carried out by Bob completely obfuscates Alice’s 5.4. Protecting the network topology view, the case of the sigmoid is quite different: if Bob flips the inputs with probability 0.5, Alice will not learn if the input of As a last requirement Bob may desire that Alice does not the sigmoid was originally positive or negative, but she will learn anything about the NN topology. Though strictly learn the product ±αy. This was not a problem for the per- speaking this is a very ambitious goal, Bob may distort Alice’s ceptron case, as knowing z or this product is the same (due perception of the NN by randomly adding some fake neurons to the invertibility of sigmoid function). For the multilayer to the hidden layers of the network, as shown in Figure 4.As case, instead, it gives to Alice more information than what the weights are kept secret, Bob should randomly set the in- she needs, and this surplus of information could be used to bound weight of each neuron. At the same time Bob has to perform a sensitivity attack. reset the outbound weights, so that the fake neurons will not Our idea to cope with this attack at the node level is to change the final result of the computation. The algorithms randomly scramble the order of the neurons in the layer for that we obtain by considering this last modification are equal every execution of the protocol except for the last one. If to those described so far, the only difference being in the the layer i has mi neurons we can scramble them in mi! dif- topology of Bob’s NN. Note that for networks with sigmoid activation functions, adding fake neurons will also increase ferent ways. We will call πri the random permutation used for the layer i, depending on some random seed ri (where the number of random permutations that can be applied to i = 1, ..., n − 1) so that the protocol will have a further input avoid sensitivity attacks. r. Evidently, the presence of the scrambling operator prevents Alice from performing a successful sensitivity attack. In sum- 6. HANDLING NONINTEGER VALUES mary, the protocol for the evaluation of a multilayer network with sigmoid activation function, using the same notation of At the end of Section 3.3 we made the assumption that the the threshold case, is shown in Algorithm 5. Paillier encryption scheme, noticeably the Damgard-Jurik˚ extension, works properly on noninteger values and satisfies 5.3. Sensitivity attack the additive homomorphic properties on such kind of data to simplify the analysis reported in the subsequent sections. Before concluding this section, let us go back to the sen- Indeed, rigorously speaking, this is not true. We now analyze sitivity attack. Given that the intermediate values of the more formally every step of the proposed protocols showing computation are not revealed, a sensitivity attack is possible how the assumption we made in Section 3.3 is a reasonable only at the whole network level. In other words, Alice could one. consider the NN as a parametric function with the parame- To start with, let us remember that the Damgard-˚ ters corresponding to the NN weights, and apply a sensitiv- Jurik cryptosystem allows to work on integers in the range ity attack to it. Very often, however, a multilayer feedforward {0, ..., ns − 1}. First of all we map, in a classic way, the posi- NN implements a complicated, hard-to-invert function, so tive numbers in {0, ...,(ns − 1)/2}, and the negative ones in that discovering all the parameters of the network by con- {(ns − 1)/2+1, ..., ns−1},with−1 = ns−1. Then, given a real sidering it as a black box requires a very large number of in- value x ∈ R, we can quantize it with a quantization factor Q, C. Orlandi et al. 9

i i = ··· = ··· Input:(c; wj , αj , r) with i 1 n, j 1 mi Output:(Epk(z); ∅)wherez is the output of the last layer of the network i i PPNNSIGMOID(c; wj , αj , r) (1) for i = 1 to n − 1

(2) Bob permutes neurons position in layer i using random permutation πri (3) // now the network is scrambled, and the protocol follows as before (4) x1 = x (5) for i = 1 to n − 1 (6) for j = 1 to mi (7) Bob picks ξ ∈{+, −} at random i i i ∅ = i i i (8) (Epk(σ(ξ x , wj , αj )); ) PerceptronSigmoid(c ; wj , αj , ξ) (9) Alice decrypts the encrypted output and computes the new input xi+1, sending i+1 = i+1 back to Bob cj Epk(xj ) (10) if ξ = “− i+1 = · i+1 −1 (11) Bob sets cj Epk(1) (cj ) (12) // last layer does not obfuscate the output (13) for j = 1 to mn ∅ = n n n (14) (zj ; ) PerceptronSigmoid(c ; wj , αj ,+)

Algorithm 5

(2) Bob must disclose to Alice the number of multiplications, so that Alice can compensate for the presence of the Q2 factor. The first drawback is addressed with the availability of Damgard-Jurik˚ cryptosystem that allows us, by increasing s, to cipher bigger numbers. The second one imposes a limit on the kind of secure computation that we can perform using the techniques proposed here. We give here an upper bound for the bigger integer that can be encrypted, that forces us to select an appropriate parameter s for the Damgard-Jurik˚ cryptosystem. In the neural network protocol, the maximum number of multiplications done on a quantized number is equal to two: Figure 4: To obfuscate the number and position of the hidden neu- the first in the scalar product protocol and the second with rons Bob randomly adds fake neurons to the NN. Fake neurons do a random selected number in the secure thresholding evalu- not affect the output of the computation as their outbound weights ation or with the α parameter in the secure sigmoid evalua- are set to 0. Inbound weights are dotted as they are meaningless. tion. Assume that the random values and the α parameters are bounded by R. Let X be the upper bound for the norm of Alice’s input and approximate it as x = x/Qx/Q for a sufficiently thin vector, and W an upper bound for the weight vectors norm. quantization factor. Clearly the first homomorphic property We have that every scalar product computed in the proto- still stands, that is, col is bounded by |x|·|w| cos(xw ) ≤ XW.Givenamodulo n sufficiently high for security purposes, we have to select s x + x D E x · E x = x + x 1 2 . (12) such that sk pk 1 pk 2 1 2 Q This allows Bob to perform an arbitrarily number of ≥ 2XWR s logn 2 , (14) sums among cipher texts. Also the second property holds, Q but with a drawback. In fact: where the factor 2 is due to the presence of both positive and a · x a = · negative values. Dsk Epk(x) a x 2 . (13) Q Other solutions for working with noninteger values can be found in [8] where a protocol to evaluate a polynomial on The presence of the Q2 factor has two important conse- floating-point numbers is defined (but the exponent must quences: be chosen in advance), and [26], where a sophisticated cryp- (1) the size of the encrypted numbers grows exponentially tosystem based on lattice properties allowing computation with the number of multiplications; with rational values is presented (even in this case, however, 10 EURASIP Journal on Information Security a bound exists on the number of multiplications that can be 8. CONCLUSIONS carried out to allow a correct decryption). In artificial intelligence applications, the possibility that the owner of a specific expertise is asked to apply its knowledge 7. IMPLEMENTATION OF THE PROTOCOL to process some data without that the privacy of the data owner is violated is of crucial importance. In this frame- In this section a practical implementation of the proposed work, the possibility of processing data and signals directly in protocol is described, and a case study execution that will the encrypted domain is an invaluable tool, upon which se- give us some numerical results in terms of computational and cure and privacy preserving protocols can be built. Given the bandwidth resource needed is analyzed. central role that neural network computing plays in modern artificial intelligence applications, we devoted our at- 7.1. Client-server application tention to NN-based privacy-preserving computation, where the knowledge embedded in the NN as well as the data the We developed a client-server application based on the Java NN operates on are protected. The proposed protocol re- remote method invocation technology.1 The application, lies on homomorphic encryption; for those tasks that cannot based on the implementation of the Damgard-Jurik˚ cryp- be handled by means of homomorphic encryption, a lim- tosystem available on Jurik’s homepage,2 is composed of two ited amount of interaction between the NN owner and the methods, one for the initialization of the protocol (where user is introduced; however, in contrast to previous works, public key and public parameters are chosen) and one for the interaction is kept to a minimum, without resorting to the evaluation of every layer of neurons. multiparty computation protocols. Any unnecessary disclosure of information has been avoided, keeping all the internal computations secret such that at the end of the protocol the 7.2. Experimental data user only knows the final output of the NN. Future research will be focused on investigating the security of the network From the UCI machine learning repository,3 the data set cho- topology obfuscation proposed here, and on the design of sen by Gorman and Sejnowski in their study about the clas- more efficient obfuscation strategies. Moreover, the possibil- sification of sonar signals by means of a neural network [27] ity of training the network in its encrypted form will also be has been selected. The task is to obtain a network able to dis- studied. criminate between sonar signals bounced off a metal cylinder and those bounced off a roughly cylindrical rock. Following the author’s results, we have trained a NN with 12 hidden ACKNOWLEDGMENTS neurons and sigmoid activation function with the standard backpropagation algorithm, obtaining an accuracy of 99.8% The work described in this paper has been supported in part on the training set and 84.7% on the test set. by the European Commission through the IST Programme under Contract no 034238-SPEED. The information in this document reflects only the author’s views, is provided as is 7.3. Experimental setup and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the To protect our network we have embedded it in a network information at its sole risk and liability. made of 5 layers of 15 neurons each, obtaining a high level of security as the ratio of real neurons on fake one is really low, in fact it is 12/75 = 0.16. The public key n is 1024 bit REFERENCES long, and the s parameter has been set to 1, without any problem for a very thin quantization factor Q = 10−6.Wehave [1] K. Hornik, M. Stinchcombe, and H. White, “Multilayer feed- then initialized every fake neuron with connections from ev- forward networks are universal approximators,” Neural Net- ery input neuron in a way that they will look the same of works, vol. 2, no. 5, pp. 359–366, 1989. the real ones, setting the weights of the connection at ran- [2] R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On data banks dom. Then we have deployed the application on two mid- and privacy homomorphisms,” in Foundations of Secure Com- putation, pp. 169–178, Academic Press, New York, NY, USA, level notebooks, connected on a LAN network. 1978. The execution of the whole process took 11.7 seconds, of [3] B. Pinkas, “Cryptographic techniques for privacy-preserving which 9.3 on server side, with a communication overhead of data mining,” ACM SIGKDD Explorations Newsletter, vol. 4, 76 kb. Let us note that no attempt to optimize the execution no. 2, pp. 12–19, 2002, ACM special interest group on knowl- time was done, and as seen the client computation is negli- edge discovery and data mining. gible. These results confirm the practical possibility to run a [4] O. Goldreich, S. Micali, and A. Wigderson, “How to play any neural network on an input provided in encrypted format. mental game or a completeness theorem for protocols with honest majority,” in Proceedings of the 19th Annual ACM Sym- posium on Theory of Computing (STOC ’87), pp. 218–229, 1 http://java.sun.com/javase/technologies/core/basic/rmi ACM Press, New York, NY, USA, May 1987. 2 http://www.daimi.au.dk/∼jurik/research.html [5] D. Chaum, C. Crepeau,´ and I. Damgard,˚ “Multiparty uncon- 3 http://www.ics.uci.edu/∼mlearn/MLRepository.html ditionally secure protocols,” in Proceedings of the 20th Annual C. Orlandi et al. 11

ACM Symposium on Theory of Computing (STOC ’88), pp. 11– tice and Theory in Public Key Cryptography (PKC ’01), pp. 119– 19, ACM Press, Chicago, Ill, USA, May 1988. 136, Cheju Island, Korea, February 2001. [6] Y. Lindell and B. Pinkas, “Privacy preserving data mining,” in [20] D. Catalano, The bit security of Paillier’s encryption scheme and Proceedings of the 20th Annual International Cryptology Con- anew,efficient, public key cryptosystem, Ph.D. thesis, Universita` ference on Advances in Cryptology (CRYPTO ’00), vol. 1880 of di Catania, Catania, Italy, 2002. Lecture Notes in Computer Science, pp. 36–54, Santa Barbara, [21] B. Goethals, S. Laur, H. Lipmaa, and T. Mielikainen,¨ “On pri- Calif, USA, August 2000. vate scalar product computation for privacy-preserving data [7] R. Agrawal and R. Srikant, “Privacy-preserving data mining,” mining,” in Proceedings of the 7th Annual International Con- in Proceedings of the ACM SIGMOD International Conference ference in Information Security and Cryptology (ICISC ’04),pp. on Management of Data, pp. 439–450, ACM Press, Dallas, Tex, 104–120, Seoul, Korea, December 2004. USA, May 2000. [22] I. J. Cox and J.-P. M. G. Linnartz, “Public watermarks and re- [8] Y.-C. Chang and C.-J. Lu, “Oblivious polynomial evaluation sistance to tampering,” in Proceedings the 4th IEEE Interna- and oblivious neural learning,” Theoretical Computer Science, tional Conference on Image Processing (ICIP ’97), vol. 3, pp. vol. 341, no. 1–3, pp. 39–54, 2005. 3–6, Santa Barbara, Calif, USA, October 1997. [9] S. Laur, H. Lipmaa, and T. Mielikaihen,¨ “Cryptographically [23] T. Kalker, J.-P. M. G. Linnartz, and M. van Dijk, “Watermark private support vector machines,” in Proceedings of the 12th estimation through detector analysis,” in Proceedings of IEEE ACM SIGKDD International Conference on Knowledge Discov- International Conference on Image Processing (ICIP ’98), vol. 1, ery and Data Mining (KDD ’06), pp. 618–624, ACM Press, pp. 425–429, Chicago, Ill, USA, October 1998. Philadelphia, Pa, USA, August 2006. [24] D. Dolev, C. Dwork, and M. Naor, “Nonmalleable cryptogra- [10] M. Kantarcioglu and J. Vaidya, “Privacy preserving naive bayes phy,” SIAM Journal on Computing, vol. 30, no. 2, pp. 391–437, classifier for horizontally partitioned data,” in Proceedings of 2000. the Workshop on Privacy Preserving Data Mining, Melbourne, [25] T. M. Mitchell, Machine Learning, McGraw-Hill, New York, Fla, USA, November 2003. NY, USA, 1997. [11] Z. Yang and R. N. Wright, “Improved privacy-preserving [26] P.-A. Fouque, J. Stern, and J.-G. Wackers, “CryptoComputing Bayesian network parameter learning on vertically partitioned with rationals,” in Proceedings of the 6th International Con- data,” in Proceedings of the 21st International Conference on ference on Financial-Cryptography (FC ’02), vol. 2357 of Lec- Data Engineering Workshops (ICDEW ’05), p. 1196, IEEE ture Notes in Computer Science, pp. 136–146, Southampton, Computer Society, Tokyo, Japan, April 2005. Bermuda, March 2002. [12] R. Wright and Z. Yang, “Privacy-preserving Bayesian network [27] R. P. Gorman and T. J. Sejnowski, “Analysis of hidden units structure computation on distributed heterogeneous data,” in in a layered network trained to classify sonar targets,” Neural Proceedings of the 10th ACM SIGKDD International Conference Networks, vol. 1, no. 1, pp. 75–89, 1988. on Knowledge Discovery and Data Mining (KDD ’04), pp. 713– 718, ACM Press, Seattle, Wash, USA, August 2004. [13] G. Jagannathan and R. N. Wright, “Privacy-preserving distributed k-means clustering over arbitrarily partitioned data,” in Proceeding of the 11th ACM SIGKDD International Confer- ence on Knowledge Discovery in Data Mining (KDD ’05),pp. 593–599, ACM Press, Chicago, Ill, USA, August 2005. [14] A. C. Yao, “Protocols for secure computations,” in Proceedings of the 23rd Annual Symposium on Foundations of Computer Sci- ence, pp. 160–164, Chicago, Ill, USA, November 1982. [15] A. Yao, “How to generate and exchange secrets,” in Proceed- ings of the 27th Annual Symposium on Foundations of Computer Science (FOCS ’86), pp. 162–167, Toronto, Ontario, Canada, October 1986. [16] P. Pailler, “Public-key cryptosystems based on composite degree residuosity classes,” in Proceedings of International Con- ference on the Theory and Application of Cryptographic Tech- niques (EUROCRYPT ’99), vol. 1592 of Lecture Notes is Com- puter Science, pp. 223–238, Springer, Prague, Czech Republic, May 1999. [17] M. Barni, C. Orlandi, and A. Piva, “A privacy-preserving protocol for neural-network-based computation,” in Proceedings of the 8th Multimedia and Security Workshop (MM & Sec ’06), pp. 146–151, ACM Press, Geneva, Switzerland, September 2006. [18] S. Goldwasser and S. Micali, “Probabilistic encryption,” Jour- nal of Computer and System Sciences, vol. 28, no. 2, pp. 270– 299, 1984. [19] I. Damgard˚ and M. Jurik, “A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system,” in Proceedings of the 4th International Workshop on Prac- Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 45731, 14 pages doi:10.1155/2007/45731

Research Article Efﬁcient Zero-Knowledge Watermark Detection with Improved Robustness to Sensitivity Attacks

Juan Ramon´ Troncoso-Pastoriza and Fernando Perez-Gonz´ alez´

Signal Theory and Communications Department, University of Vigo, 36310 Vigo, Spain

Correspondence should be addressed to Juan Ramon´ Troncoso-Pastoriza, [email protected]

Received 28 February 2007; Revised 20 August 2007; Accepted 18 October 2007

Recommended by Stefan Katzenbeisser

Zero-knowledge watermark detectors presented to date are based on a linear correlation between the asset features and a given secret sequence. This detection function is susceptible of being attacked by sensitivity attacks, for which zero-knowledge does not provide protection. In this paper, an eﬃcient zero-knowledge version of the generalized Gaussian maximum likelihood (ML) detector is introduced. This detector has shown an improved resilience against sensitivity attacks, that is empirically corroborated in the present work. Two versions of the zero-knowledge detector are presented; the ﬁrst one makes use of two new zero-knowledge proofs for absolute value and square root calculation; the second is an improved version applicable when the spreading sequence is binary, and it has minimum communication complexity. Completeness, soundness, and zero-knowledge properties of the developed protocols are proved, and they are compared with previous zero-knowledge watermark detection protocols in terms of receiver operating characteristic, resistance to sensitivity attacks, and communication complexity.

Copyright © 2007 J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez.´ This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION aproverP tries to demonstrate to a verifier V the presence of a watermark in a given asset. Commitment schemes [3] Watermarking technology has emerged as a solution for au- are used to conceal the secret information, so that detection thorship proofs or dispute resolving. In these applications, is performed without providing to V any information addi- there are several requirements that watermarking schemes tional to the presence of the watermark. must fulfill, like imperceptibility, robustness to attacks that Nevertheless, such minimum disclosure of information try to erase a legally inserted watermark or to embed an ille- still allows for blind sensitivity attacks [4], that have arisen gal watermark in some asset, and they must also be secure to as very harmful attacks for methods that present simple de- the disclosure of information that could allow the breakage tection boundaries. The ZK detection protocols presented to of the whole system by unauthorized parties. date—Adelsbach and Sadeghi [2] and Piva et al. [5]—are The schemes that have been used up to now are symmet- based on correlation detectors, for which blind sensitivity at- ric, as they employ the same key for watermark embedding tacks are especially efficient. and watermark detection; thus, such key must be given to In this paper, a new zero-knowledge blind watermark de- the party that runs the detector, which in most cases is not tection protocol is presented; it is based on the spread spec- trusted. In order to satisfy the security requirements, two ap- trum detector by Hernandez´ et al. [6], which is optimal for proaches have been proposed: the first one, called asymmet- additive watermarking in generalized Gaussian distributed ric watermarking, follows the paradigm of asymmetric cryp- host features (e.g., AC DCT coefficients of images). The ro- tosystems, and employs different keys for embedding and de- bustness to sensitivity attacks comes from the complexity tection; the second approach, zero-knowledge watermarking, of the detection boundary for certain shape factors. Thus, makes use of zero-knowledge (ZK) protocols [1]inorderto when combined with zero-knowledge, it becomes secure and get a secure communication layer over a pre-existent sym- robust. This protocol will be compared in terms of perfor- metric protocol. In zero-knowledge watermark detection [2], mance and efficiency with the previous ZK protocols based 2 EURASIP Journal on Information Security on additive spread-spectrum and Spread-Transform Dither knows neither α nor the order of the subgroups. The com- Modulation (ST-DM), and rewritten in a form that greatly mit function of a message x ∈ [−T, T] with a random value B+k x r improves its communication and computation complexity. r ∈ [0, 2 ] takes the form Cx = g h mod n. The rest of the paper is organized as follows. In Section 2, Additionally, this commitment scheme presents an ad- some basics about zero-knowledge and watermark detec- ditive homomorphism that allows computing the addition tion are reviewed, and the three studied detectors are com- of two committed numbers (Cx+y = Cx·Cy mod n) and the pared, pointing out the improved robustness of the GG de- product of a committed number and a public integer (Cax = a tector against sensitivity attacks. In Section 3, the needed ZK Cx mod n). subprotocols are enumerated, along with their communication complexity and a detailed description of the devel- 2.1.2. Interactive proof systems oped proofs. Sections 4 and 5 detail the complete detection protocol and the improved version for a binary antipodal Interactive proof systems were introduced by Goldwasser spreading sequence. Section 6 presents the security analy- et al. [1]; they are two party protocols in which a prover P sis for these protocols; complexity and implementation con- tries to prove a statement x to a verifier V, and both can make cerns are discussed in Section 7. Finally, some conclusions random choices. The two main properties that an interactive are drawn in Section 8. protocol must satisfy are completeness and soundness; the first one guarantees that a correct prover P can prove all correct 2. NOTATION AND PREVIOUS CONCEPTS statements to a correct verifier V, and the second guarantees that a cheating prover P ∗ will only succeed in proving a In this section, some of the concepts needed for the develop- wrong statement with negligible probability. ment of the studied protocols are briefly introduced. Bold- A special class of interactive protocols are proofs of face lower-case letters will denote column vectors of length knowledge [8], in which the proved statement is the knowl- L, whereas boldface capital letters are used for matrices, and edge of a witness that makes a given binary relation output a scalar variables will be denoted by italicized letters. Upper- true value, such that a probabilistic algorithm called knowl- case calligraphic letters represent sets or parties participating edge extractor exists, and it is able to output a witness for in a protocol. the common input x using any probabilistic polynomial time prover P ∗ as an oracle, in polynomial expected time (weak 2.1. Cryptographic primitives soundness).

2.1.1. Commitment schemes 2.1.3. Zero-knowledge protocols

Commitment schemes [3] are cryptographic tools that, given In order for an interactive proof to be zero-knowledge [1], it acommonpublicparameterparcom, allow that one party of must be such that the only knowledge disclosed to the verifier aprotocolchooseadeterminedvaluem from a finite set M is the statement that is being proved. More formally, an in- = and commit to his choice Cm Com(m, r,parcom), such that teractive proof system (P , V) is statistically zero-knowledge he cannot modify it during the rest of the protocol; the com- if it exists a probabilistic polynomial algorithm (simulator) mitted value is not disclosed to the other party, thanks to the SV such that the conversations produced by the real interac- randomization produced by r, which constitutes the secret tion between P and V are statistically indistinguishable from information needed to open the commitment. the outputs of SV . The required security properties that the commit function must fulfill are binding and hiding; the first one guar- 2.2. Blind watermark detection antees that once produced a commitment Cm to a message m, the committer cannot open it to a different message m; Given a host signal x,awatermarkw,andapairofkeys the second one guarantees that the distributions of the com- {Kemb, Kdet} for embedding and detection (they are the same mitments to different messages are indistinguishable, so one key in symmetric schemes), a digital blind watermark detec- commitment does not reveal any information about the con- tion scheme consists of an embedder that outputs the water- cealed message. Each of these properties can be achieved ei- marked signal y = Embed(x, w, Kemb)andadetector that ther computationally or in an information-theoretic sense, takes as parameters a possibly attacked signal z = y + n, but the information-theoretic version cannot be obtained for where n represents added noise, the watermark w, and the both properties at the same time. detection key Kdet, and it outputs a Boolean value indicat- The commitment scheme used in the present work is ing whether the signal z contains the watermark w, without Damgard-Fujisaki’s˚ scheme [7], that provides statistically- using the original host data x. hiding and computationally-binding commitments, based Threedetectionalgorithmswillbecomparedinterms on Abelian groups of hidden order. Given the security pa- of their Receiver Operating Characteristic (ROC), namely, rameters F, B, T,andk, the common parameters are a mod- additive spread spectrum with a correlation-based detector ulus n (that can be obtained as an RSA modulus), such that (SS), spread-transform dither modulation without distor- Z∗ B the order of n can be upper bounded by 2 ,ageneratorh of tion compensation (ST-DM), and additive spread spectrum a multiplicative subgroup of high order (the order must be with a generalized Gaussian maximum likelihood (ML) de- Z∗ = α F-rough) in n ,andavalueg h , such that the committer tector (GG). In all of them, the host features x are considered J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez´ 3

z H , H z[n] Detection suﬀ. Likelihood 1 0 DCT − statistics function x r Q (r ) ρ wy x Λ x s η Corr. QΛ(.) + × + s 1 L Perceptual PRS analysis α generator

K Figure 1: Block diagram of the watermark embedding process for Figure 2: Block diagram of the watermark detection process for the ST-DM. GG detector.

2 = − i.i.d. with variance σX , the watermarked features are denoted Let ρ (QΛ(rx) rx); then the watermarked vector is given by y = x+w,andz represents the input to the receiver, which by may be corrupted with AWGN noise n, that is considered also 2 1 i.i.d with variance σN . The binary hypothesis test that must y = x + w = x + ρs. (3) be solved at the detector is L In order to detect the watermark, the host features, pos- H0 : z = x + n, (1) sibly degraded by AWGN noise n, are correlated with the = = L H1 : z x + w + n. spreading sequence s, and the resulting value rz k=1zksk is quantized and compared to a threshold η to determine Table 1 summarizes the probabilities of false alarm whether the watermark is present: (P f ) and missed detection (Pm) for the three detectors H [9–11]. 1 QΛ rz − rz ≶ η. (4)

2.2.1. Additive spread spectrum with H0 correlation-based detector Due to the Central Limit Theorem (CLT), the computed In SS, the watermark is generated as the product of a pseu- correlations can be accurately modeled by a Gaussian pdf. dorandom vector s, that we will consider a binary sequence with values {±1} (with norm s2 = L)andaperceptual 2.2.3. Additive spread spectrum with generalized-Gaussian mask α (that is assumed to be constant to simplify the anal- features ff ysis), that controls the tradeo between imperceptibility and = L { 2}= { 2}= 2 Figure 2 shows the detection scheme for this case. The host distortion (Dw (1/L) k=1E wk E αk α ). ffi The maximum-likelihood detector for Gaussian dis- features are assumed to be the DCT coe cients of an image, tributed host features is a correlation-based detector: what justifies the generalized Gaussian model with the following pdf:

H1 L f (x) = Ae−|βx|c , = 1 ≷ X rz zksk η, (2) 1/2 L = 1 Γ(3/c) k 1 H β = , 0 σ Γ(1/c) (5) βc where η is a threshold that depends on the probabilities of A = . 2Γ(1/c) false alarm (P f ) and missed detection (Pm), as indicated in Table 1. The embedding procedure is the same as the one described for SS. For detection, a preliminary perceptual anal- 2.2.2. Spread transform dither modulation ysis provides the estimation of the perceptual mask α that modulates the inserted secret sequence s.Theparametersc Given the host features x and the secret spreading sequence and β are also estimated from the received features. The like- s, which will be considered here binary with values {±1}, lihood function for detection is the embedding of the watermark in ST-DM [12] (similar to H quantized projection QP [9, 10]) is done as indicated in Fig- 1 = c c − − c ≷ ure 1. l(y) β Yk Yk αksk η, (6) k The host features x are correlated with the projection sig- H0 nal s, and the result (rx) is quantized with an Euclidean scalar quantizer QΛ(·)ofstepΔ, that controls the distortion, and where η represents the threshold value used to make the de- with centroids deﬁned by the shifted lattice Λ ΔZ + Δ/2. cision. 4 EURASIP Journal on Information Security

Table 1: Probabilities of false alarm (P f ) and missed detection (Pm) for the three studied detectors.

AddSS ST-DM GG √ 2 2 ∞ − 2 2 − 2 2 P f Q( Lη/ σX + σN ) i=−∞[Q((Δ(i +1/2) η)/ L(σX + σN )) Q((Δ(i +1/2) + η)/ L(σX + σN ))] Q((η + m1)/σ1) √ √ √ − 2 2 − ∞ − − − − Pm Q( L(α η)/ σX + σN ) 1 i=−∞ [Q((iΔ η)/ LσN ) Q((iΔ + η)/ LσN )] 1 Q((η m1)/σ1)

As shown in [6], the pdfs of l(Y) conditioned to hypothe- 100 ses H0 and H1 are approximately Gaussian with the same 2 − variance σ1 , and respective means m1 and m1, that can be estimated from the watermarked image [6]. 10−5

2.2.4. Comparison

f −10 P 10 The three detectors can be compared in terms of robustness through their Receiver Operating Characteristic (ROC), taken from the formulas in Table 1. The correlation-based detec- − tor is only optimum when c = 2, and when c =/ 2, the gen- 10 15 eralized Gaussian detector outperforms it; ST-DM can out- perform both for a sufficiently high DWR (Data to Water- = 2 2 mark Ratio, DWR 10log10(σX /σW )), due to its host rejec- 10−20 tion capabilities. However, the performance of the general- 10−6 10−4 10−2 100 ized Gaussian detector and the ST-DM one are not much far Pm apart when c is near 1 and the DWR in the projected domain STDM GG c = 1 = − (DWRp DWR 10 log10L)islow.Figure 3 shows a plot Cox GG c = 0.5 of the ROC for fixed DWR and WNR (Watermark to Noise = 2 2 Figure 3: Theoretical ROC curves for the studied detectors under Ratio, WNR 10 log10(σW /σN )), with a features shape pa- = AWGN attacks, with DWR = 20 dB, WNR = 0dB, L = 1000, and rameter of c 0.8, that has been chosen as an example of = a relatively common value for the distribution of AC DCT generalized Gaussian distributed host features with c 0.8. coefficients of most images. It is remarkable that even when the exact c is not used, and it is below 1, the performance of the GG detector with c = 0.5 is much better than that of the In order to quantitatively compare the resilience of the correlation-based one, and its ROC remains near the ST-DM three detectors against sensitivity attacks, we will take as ro- ROC. bustness criterion the number of calls to the detector needed Regarding the resilience against sensitivity attacks, it can for reaching an attack distortion equal to that of the water- be shown that the correlation-based detector and the ST-DM mark (NWR = 0 dB). This choice is supported by the fact that one make the watermarking scheme very easy to break when for an initially nonmarked host x in which a watermark w has the attacker has access to the output of the detector, as the been inserted, yielding y,itisalwayspossibletofindavector detection boundaries for both methods are just hyperplanes; z in the boundary whose distortion with respect to y is less Figure 4 shows the two-dimensional detection regions for than the power of the watermark (e.g., taking the intersection each of the three methods. On the other hand, the detec- between the detection boundary and the line that connects x tion function in the GG detector when c<1(Figure 4(c)) and y). Thus, a sensitivity attack can always reach a point presents the property that component-wise modifications with NWR = 0 dB. In general, it is not guaranteed that an at- produce bounded increments; that is, when modifying one tack can reach a lower NWR. Furthermore, given that for a component of the host signal Y, the increment produced in blind detection the original nonmarked host is not known, | |c the likelihood function (6)isboundedby αksk indepen- imposing a more restrictive fidelity criterion for the attacker | | dently of the component Yk if c<1: than for the embedder makes no sense. In light of the previous discussion, we can consider that a watermark has been c c c Yk − Yk − αksk ≤ αksk . (7) effectively erased when a point z is found, whose distortion with respect to y is equal to the power of the embedded wa- This means that it is not possible to get a signal in the termark w; the number of iterations that a sensitivity attack boundary by modifying a single component (or a number N needs to reach this point can thus be used for determining | |c of components such that N αksk is less than the gap to η), the robustness of the detector against the attack. opposed to a correlation detector, in which just making one We have taken blind newton sensitivity attack (BNSA component big (or small) enough can get the signal out of [4]; an RRP-compliant description of BNSA can be found in the detection region. This property can make very difficult [13]) as a powerful representative of sensitivity attacks, and the task of finding a vector in the boundary given only one simulated its execution against the three studied detectors. marked signal. Each iteration of this algorithm calls the detector a number J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez´ 5

(a) (b) NWR (dB) 20

−10 00.511.522.53 ×106 Calls to the detector

STDM GG c = 1.5 = (c) Cox GG c 0.5

Figure 4: Two-dimensional detection boundaries for ST-DM (a), Figure 5: NWR for a sensitivity attack (BNSA) as a function of correlation-based detector (b), and GG detector (c). number of calls to the detector for correlation detector (Cox), ST- DM, and generalized Gaussian (GG) with c = 0.5, and c = 1.5for −4 DWR = 16 dB, P f = 10 ,andL = 8192. of times proportional to the number of dimensions of the ×106 involved signals. The results show that both ST-DM and the 3 correlation detector are completely broken in just one iter-

ation of the algorithm, independently of the dimensionality 0dB 2.5 of the signals, so the attack needs O(L) calls to the detector = in order to succeed (achieving not only a point with NWR < 2 0 dB, but also convergence to the nearest point in the boundary). This is due to their simple detection boundaries, that have a constant gradient. Figure 5 shows the NWR of the at- 1.5 tack as a function of the number of calls to the detector, for −4 the three detectors, using DWR = 16 dB and P f = 10 ,asa 1 result of averaging 100 random executions. The GG detector ﬀ = = is used with two di erent shape factors, c 0.5andc 1.5; 0.5

the number of iterations needed to break the detector in both Number of oracle calls for NWR cases is bigger than for the correlation detectors, due to the ff 0 more involved detection boundary, but this e ectismoreev- 1000 2000 3000 4000 5000 6000 7000 8000 ident when c<1, case in which the detector has the afore- L mentioned property of bounded increments for component- wise modifications at the input. STDM GG c = 1.5 = The involved detection boundary of the generalized Cox GG c 0.5 Gaussian ML detector makes the number of iterations Figure 6: Number of calls to the detector for a sensitivity attack needed for achieving convergence grow also with the dimen- (BNSA) for reaching NWR = 0 dB as a function of the dimensional- sionality of the host. This means that the number of calls to ity of the watermark for correlation detector (Cox), ST-DM, and the detector needed to get a certain target distortion is not generalized Gaussian (GG) with c = 0.5andc = 1.5forDWR = = −4 only higher for the GG detector, but it also grows faster than 16 dB and P f 10 . for the other detectors with the dimensionality of the host (Figure 6)forfixedWNRandP f . We have found empirically that the number of calls needed for reaching NWR = 0dB NWR = 0 dB, for correlation detectors BNSA achieves both is approximately O(L1.5). Furthermore, if we took as robust- NWR < 0 dB and convergence in just one iteration. ness criterion the absolute convergence of the algorithm (not only achieving NWR = 0 dB), the advantage of the GG detec- 2.3. Zero-knowledge watermark detection torisevenbetterbothinnumberofiterationsandinnumber of calls to the detector; that is, while for the GG detector con- The use of zero-knowledge protocols in watermark detec- vergence is slowly achieved several iterations after reaching tion was first issued by Craver [14], and later formalized 6 EURASIP Journal on Information Security by Adelsbach et al. [2, 15]. The formal definition of a zero- 3.1. Zero-knowledge proof that a committed knowledge watermark detection scheme concreted for a integer is the rounded square root of another blind detection mechanism can be stated as follows. committed integer

Definition 1 (Zero-knowledge Watermark Detection). Given Adelsbach et al. presented in [20] a proof for a generic func- a secure commitment scheme with the operations Com() tion approximation whose inverse can be efficiently proven, and Open(), and a blind watermarking scheme with the covering, for example, divisions and square roots. Here, we operations Embed() and Detect(), the watermarked host present a specific protocol for proving a rounded square data z and the commitments on the watermark Cw and root that follows a similar philosophy, we study its commu- key CKw (for a keyed scheme), with their respective pub- nication complexity and propose a mapping (presented in = w Kw lic parameters parcom (parcom,parcom),azero-knowledge Appendix A) that makes possible this zero-knowledge proto- blind watermark detection protocol for this watermarking col to prove the correct calculation of square roots on com- scheme is a zero-knowledge proof of knowledge between a mitted integers (not necessarily perfect square residues): prover P and a verifier V where on common input x := = (z, Cw, CKw ,parcom), P proves knowledge of a tuple aux √ w Kw = y r1 ∧ √ = n y r2 (w, Kw, rcom, rcom) such that PKsqrt y, r1, r2 : Cy g h mod n Cn y g h mod n . (9) w w = ∧ Open Cw, w, rcom,parcom true Kw Kw = ∧ Open CKw , Kw, rcom,parcom true (8) Let Cy be the commitment to the integer whose square root must be calculated. The protocol that prover and verifier = Detect z, w, Kw true . would follow is the next. √ (1) First, the prover calculates the value x = round( y), Adelsbach and Sadeghi introduced in [2]azero- its commitment C , and the commitment to its knowledge watermark detection protocol for the Cox et al. x squared value C 2 , and sends both commitments and [16] detection scheme, that consists in a normalized x C to the verifier. correlation-detector for spread spectrum. In [17], they have y studied the communication complexity of the non-blind (2) The prover proves in zero-knowledge that Cx2 contains ffi the squared value of the integer hidden in Cx, through protocol,thatismuchlesse cient than the blind one, due 2 { = x r1 = x r2 } to the higher number of committed operations that must be PK x, r1, r2 : Cx g h mod n, Cx2 g h mod n . undertaken. Later, Piva et al. also developed a ZK watermark (3) Then, the prover must prove that x2 ∈ [y − x, y + x], detection protocol for ST-DM in [5]. using a modified version of Boudot’s proof [18]with hidden interval, that consists in considering also ran- domness in the commitments of the interval limits cal- 3. ZERO-KNOWLEDGE SUBPROOFS culated by both parties at the first step of the proof. The proofs that are employed in the previous zero- Using this interval instead of the one indicated in knowledge detectors and in the generalized Gaussian one Appendix A, the zero values are also accepted with no are shown in Table 2 with their respective communica- ambiguity when the maximum allowable value for y is tion complexity, which has been calculated when applied to below the order of the group generated by g. The coun- the Damgard-Fujisaki˚ commitment scheme [7]asafunc- terpart is that there are two possibilities for the square root of integers of the form k2 + k,withk an integer, tion of the security parameters F, B, T and k,definedin ff Section 2.1.1. namely k and k + 1. The e ect of this relaxation on the The first five proofs are already existing zero-knowledge conditions imposed before is a small rise in the rounding error, smaller as k grows; if we take into account proofs for the opening of a commitment [7](PKop), the equality of two commitments [18](PK ), the square of a that the numbers that are considered integers are actu- eq ally the quantization of real numbers using a step that commitment [18](PKsq), a commitment is inside an interval [18](PK ) and nonnegativity of a commitment [19] is fixed by the precision of the system, the error is of the int same order as this precision. Nevertheless, the need of (PK≥0). All these proofs are just simple operations, but the lack of working with null values without disclosing any information forces us to make this adaptation. some operations like the computation of the absolute value √ or the square root, both necessary for the first implementa- (4) At last, it is necessary to prove that x ∈ [0, m], if tion of the GG ML detector, led us to the development of the m is the order of the subgroup generated by g.Ifit last two zero-knowledge proofs; PKsqrt represents a proof that is known—by the initialization of the commitment = ∈ a committed integer is the rounded square root of another scheme—that log2(m) l, then proving that x l/2−1 committed integer, and it is based on a mapping of quan- [0, 2 ] is enough; if the working range√ for the com- tized square roots into integers. PKabs allows the application mittedintegersis[−T, T], with T< m (as it will of the absolute value operator to a committed number, with- be if the bit length of T is at most l/2 − 1), then it out disclosing the magnitude nor the sign of that number. suffices with the proof that x is in the working range: Both proofs are described in the following. x ∈ [0, T]. J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez´ 7

Table 2: Zero-knowledge subproofs and their communication complexity.

Proof CompPK (bits) m r PKop[m, r : Cm = g h mod n]3|F| + |T| +2B +3k +2 (1) = m r1 ∧ (2) = m r2 | | | | PKeq[m, r1, r2 : Cm g1 h1 mod n Cm g2 h2 mod n]4F + T +2B +5k +3 = m r1 ∧ m2 r2 | | | | PKsq[m, r1, r2 : Cm g1 h1 mod n g2 h2 mod n]4F + T +3B +5k +3 m r PKint[m, r : Cm = g h mod n ∧ m ∈ [a, b]] 25|F| +5|T| +10B +27k +2|n| +20 m r ≥ [ , : = mod ∧ ≥ 0] 11| | +4| | +12 +14 +9 PK 0 m r Cm g h n m √ F T B k = m r1 ∧ √ = n m r2 | | | | | | PKsqrt[m, r1, r2 : Cm g h mod n Cn m g h mod n]48F +9 T +18B +53k +6 n +39 m r1 |m| r2 PKabs[m, r1, r2 : Cm = g h mod n ∧ C|m| = g h mod n]19|F| +6|T| +16B +24k +15

Claim 1. The presented interactive proof is computationally Claim 2. The presented interactive proof is computationally sound and statistically zero-knowledge in the random oracle sound and statistically zero-knowledge in the random oracle model. model.

A sketch of the proof for this claim is given in Appen- A sketch of the proof for this claim can be found in dix C. Appendix C. The communication complexity of this protocol is shown The communication complexity of this protocol is given in Table 2. in Table 2.

3.2. Zero-knowledge proof that a committed integer is 4. ZERO-KNOWLEDGE GG WATERMARK DETECTOR the absolute value of another committed integer The zero-knowledge version of the generalized Gaussian de- This proof is a zero-knowledge protocol that allows the appli- tector conceals the secret pseudorandom signal sk using the cation of the absolute value operator to a committed number, Damgard-Fujisaki˚ scheme [7] Csk . The supposedly water- without disclosing the magnitude nor the sign of that num- marked image Yk is publicly available, so the perceptual anal- ber ysis (αk) and the extraction of the parameters βk and ck can x r1 |x| r2 be done in the public domain, as well as the estimation of the PK x, r , r : C = g h mod n ∧ C| | = g h mod n . abs 1 2 x 1 1 x 2 2 threshold η for a given point in the ROC. In this first imple- (10) mentation, only shape factors c = 1orc = 0.5areallowed, As in a residue group Zq there is no notion of “sign,” we so the employed ck will be the nearest to the estimated shape are using the commonly known mapping: factor. The target is to perform the calculation of the likelihood function: ⎧ ⎛ ⎞ ⎪ q ⎨⎪1, x ∈ 0, , Ak 2 ⎜ ⎟ = = ck ⎜ ck − − ck ⎟ sign(x) ⎪ D β ⎝ Yk Yk αksk ⎠ , (12) ⎪ q k ⎩−1, x ∈ +1,n − 1 ; k 2 Bk taking into account that −x ≡ q − x mod q, the mapping is and the comparison with the threshold η, without disclosing consistent. sk. = x r1 Theprotocolexecutedbyproverandverifiersoasto Let Cx g1 h1 mod n be the commitment to a num- prove that the given image Y is watermarked with the se- ber x, whose sign is not known by the verifier, and C|x| = k | | x r2 quence hidden in Csk is the following: g2 h2 mod n the commitment to a number which is claimed to be the absolute value of x. The scheme of the protocol is as (1) prover and verifier calculate the commitment to Ak = follows: Yk − αksk applying the homomorphic property of the Damgard-Fujisaki˚ scheme: (1) both prover and verifier calculate the commitment to

the opposite of x, with the help of the homomorphic Yk = g properties of the commitment scheme: CAk αk ; (13) C sk = −1 C−x Cx ; (11) (2) next, the prover generates a commitment C|Ak| to the (2) next, the prover must demonstrate that the value hid- absolute value of Ak, sends it to the veriﬁer, and proves den in C|x| corresponds to the value hidden in one in zero-knowledge that it hides the absolute value of

of the previous commitments Cx, C−x, using the ZK the commitment CAk , through the developed proof proof of knowledge described in Appendix B; PKabs (Section 3.2); (3) at last, the prover demonstrates that the value hidden (3) if c = 1 (Laplacian features) then the operation c in C|x| is |x|≥0, using the protocol proposed by Lip- |Ak| is not needed, so, just for the sake of notation = = maa [19]. CBk C|Ak|.Ifc 0.5, the rounded square root of 8 EURASIP Journal on Information Security

|A | must be calculated by the prover; then he gen- phic properties of the commitment scheme. This transfer- k √ erates the commitment C = C , sends it to the ence also diminishes the computational load, as clear-text Bk |Ak| verifier and proves in zero-knowledge the validity of operations are much more efficient than modular operations the square root calculation, through the proof PKsqrt in a large ring. (Section 3.1); The zero-knowledge protocol can be reduced to the fol- (4) both prover and verifier can independently calculate lowing two steps. ck | |ck the value βk and Yk , and complete the commit- (1) prover and verifier homomorphically compute th = = ck | |ck − ted calculation of the sum D k βk ( Yk Bk), D − η thanks to the homomorphic property of the used commitment scheme gG−η C = . (17) th Hk ck | |ck βk k Csk g Yk C = ; (14) D (2) The prover demonstrates the presence of the water- k CBk mark by running the zero-knowledge proof that D − (5) finally, the prover must demonstrate in zero- η>0. − knowledge that D>η, or equivalently, that D η>0, The number of needed proofs during the protocol is which can be done by running the proof of knowledge reduced to only one, what propitiates the aforementioned = −η by Lipmaa [19]onCth CDg . reduction in computation and communication complexity, with the additional advantage that this scheme can be applied 5. IMPROVED GG DETECTOR WITH BINARY to any value of the shape parameter ck,soitwillbepreferred ANTIPODAL SPREADING SEQUENCE (GGBA) to the previous one unless sk is not binary antipodal. When the spreading sequence s is a binary antipodal se- k 6. SECURITY ANALYSIS FOR THE GG quence, so it takes only values {±s}, we can apply a trivial transformation to the detection function of the GG detector DETECTION PROTOCOLS (6): After presenting the protocols for the zero-knowledge implementation of the generalized Gaussian ML detector, we can = ck ck − − ck D βk Yk Yk αksk state the following theorem. k = ck ck − − ck · βk Yk Yk αks 1{s} sk Theorem 1. The developed detection protocols for the general- k ized Gaussian detector are computationally sound and statisti- ck + Y + α s ·1{− } s cally zero-knowledge. k k s k 1 (15) = βck Y ck − Y − α sck · s + s A sketch of the proof for this theorem can be found in k k k k 2s k k Appendix C. 1 The reformulation of the generalized Gaussian protocol + Y + α sck · s − s k k 2s k deserves two comments concerning security. The first one involves the nonlinear operations that were performed under encryption in Section 4, which are now transferred to the 1 = βck Y ck − Y − sα ck + Y + sα ck public clear-text domain. Although this could seem at first k k 2 k k k k k sight a knowledge leakage, currently it is not; all those oper- G ations can be performed with the same public parameters as ck in Section 4 in a feasible time, so the parameters and β G Hk − k Y − sα ck − Y + sα ck s . that are publicly calculated in this protocol could also be ob- 2s k k k k k k tained in the previous version, and their disclosure gives no Hk extra knowledge. (16) The second comment deals with the correlation form of the reformulation, and its resilience to blind sensitivity at- In (15), we use the fact that sk can only be given a value s tacks. Even when the operation performed in the encrypted or −s in order to substitute the indicator function 1{s}(sk) = = − domain is a correlation, the additive term (G) is what pre- (1/2s)(s + sk)and1{−s}(sk) (1/2s)(s sk). serves the bounded-increment property, by virtue of which The factors termed as G and Hk in (16)canbecomputed component-wise modifications of the input signal only pro- in the clear-text domain, working with floating-point preci- duce bounded increments on the likelihood function: sion arithmetic, and then have their commitments generated. c c c c This implies that all the nonlinear operations are transferred −α ≤ Yk − Yk − αsk ≤ α , c<1. (18) to the clear-text domain, greatly reducing the communication overhead, as will be shown in Section 7; only additions The result of the addition is not disclosed during the pro- and multiplications must be performed in the encrypted do- tocol; thus, the correlation cannot be known even when the main, and they can be undertaken through the homomor- term G is public, and both terms cannot be decoupled, so J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez´ 9 no extra knowledge is learned from G, and the difficulty for 104 finding points in the detection boundary, that is a necessary step for sensitivity attacks, remains, as well as the shape of the detection regions, unaltered.

103 7. EFFICIENCY AND PRACTICAL IMPLEMENTATION

We will measure the eﬃciency of the developed protocols in terms of their communication complexity, as this parameter is what entails the bottleneck of the system, and it is easily 102

quantifiable given the complexity measures calculated in the Length of the protocol (kB) previous sections for each of the subprotocols. Taking into account the plot of the raw protocol (Section 4), a total of 2L commitments (with a length |n|)are 101 interchanged, namely the L commitments that correspond to 100 200 300 400 500 600 700 800 900 1000 the secret pseudorandom sequence s and the L commitments Number of watermark coefficients to |Ak|, while in the GGBA detector (Section 5) only the L commitments to s are sent; the rest of the commitments are STDM c = 0.5 either calculated using homomorphic computation or are al- Cox GGBA c = 1 ready included in the complexity of the subprotocols. Thus, the total communication complexity for the detec- Figure 7: Communication complexity in kB for the studied proto- tor applied to Laplacian distributed features and c = 0.5in cols. the first scheme, as well as the complexity for the improved GGBA detector can be expressed as As a numeric example, in Figure 7 the evolution of the communication complexity for every protocol is compared Comp = | |= | |= = = 256 = ZKWDGG(c 1) using F 80, n 1024, B 1024, T 2 and k 40, = | | · for growing L. All the protocols have complexity O(L). The 2L n + L CompPKabs +CompPKop +CompPK≥0 , two protocols for generalized Gaussian host features with Comp ZKWDGG( c=0.5) c = 1andc = 0.5 have a higher complexity, due to the = | | · operations that cannot be computed by making use of the 2L n +L CompPKabs+CompPKop+CompPKsqrt +CompPK≥0 , homomorphic property of the commitment scheme (abso- Comp ZKWDGGBA lute value and square root). Nevertheless, their complexity is = | | · (L +1) n + L CompPKop +CompPK≥0 . comparable to that of the zero-knowledge non-blind detec- (19) tion protocol developed by Adelsbach et al. [17]. On the other hand, the zero-knowledge GGBA detec- In every calculation, L proofs of knowledge of the open- tor achieves the lowest communication complexity of all the ing of the initial commitments have been added, as even studied protocols, even lower than the previous correlation- when they are not explicitly mentioned in the sketch of the based protocols, with the increased protection against blind protocols, they are needed to protect the verifier. sensitivity attacks when c<1 is used, being this the first ben- In order to reduce the total time spent during the inter- efit of the reformulated algorithm. action, it is possible to convert the whole protocol in a non- Furthermore, the communication complexity of the pro- interactive one, following the procedure described in [21], tocol is constant if we discard the initial transmission of the keeping the condition that the parameters for the commit- commitments for the spreading sequence and their corre- ment scheme must not be chosen by the prover, or he would sponding proofs of opening; once this step is performed, the be able to fake all the proofs. In addition to the reduction in protocol can be applied to several watermarked works for interaction time, the use of this technique also overcomes the proving the presence of the same watermark with a (small) necessity of a honest verifier that some subprotocols impose. constant communication complexity. The calculated complexity for Piva et al.’s ST-DM detec- Regarding computation complexity, the original detector and Adelsbach and Sadeghi’s blind correlation-based de- tion algorithm (without the addition of the zero-knowledge tector is the following: protocol) for the generalized Gaussian is more expensive than ST-DM or Cox’s (normalized) linear correlator, due to its nonlinear operations. The use of zero-knowledge pro- Comp ZKWDSTDM duces an increase in computation complexity, as, addition- = | | · ally to the calculation and verification of the proofs, homo- (L +1) n + L CompPKop +CompPKint , morphic computation involves modular products and expo- Comp ZKWDSS nentiations in a large ring, so clear-text operations have al- = | | · (L +1) n + L CompPKop +2CompPK≥0 +CompPKsq . most negligible complexity in comparison with encrypted (20) operations. 10 EURASIP Journal on Information Security

The second beneﬁt of the presented GGBA zero- the conventional square root for positive reals, it is necessary knowledge protocol is that all the nonlinear operations are to bound the domain where it can be applied. The formaliza- transferred from the encrypted domain (where they must be tion of the mapping would be as follows: performed using proofs of knowledge) to the clear-text pub- √ lic domain; thus, all the operations that made the symmetric . : A n √ protocol more expensive than the correlation-based detec- = y ∈ Z+ | y

Current cryptosystems are based in modular operations in a Substituting this last equation in the previous one gives group of high order. Although simple operations like addi- the desired result: tion or multiplication have a direct mapping from quantized 2 ∈ − − real numbers to modular arithmetic (provided that the num- x [y x, y + x 1]. (A.6) ber of elements inside the used group is big enough to avoid 2 the effect of the modulus), when trying to cope with non- Thus, the modular reduction of x is inside the modular integer operations, like divisions or square roots, problems reduction of the interval, and x exists. arise. Uniqueness. Here uniqueness is concerned with modular op- In the following, a mapping that represents quantized erations, and the possibility that the interval [y − x, y +x) in- square roots inside integers in the range {1, ..., n − 1} is pre- clude integers out of the initial representing range {0, ..., n− sented, and existence and uniqueness of the solutions for this 1}, which would result in ambiguities after applying the mod mapping are derived. The target is to find which conditions operator. In the following, all the operations are modular, must be satisfied by the input and the output to keep this and thus, the mod operator is omitted. The intervals also rep- operation secure when the arguments are concealed. √ resent their modular reduction. ∈ Z+ = ∈ ∈ The mapping√ must be such that if y and x y The proof is based on reductio ad absurdum. Let y R = { 2 } ∈ ∩ Z+ ff , then n y : round(x). For this mapping to behave like 1, ..., xm + xm , and let x, x [1, xm] two di erent J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez´ 11

√ √ integerssuchthatbothfulﬁllx=n y, x =n y.Thismeans A similar reasoning can be applied when the working that range includes negative numbers:

x2 ∈ [y − x, y + x) ∩ Z, n n 2 (A.7) − , ...,0,..., − 1 . (A.13) x ∈ [y − x , y + x ) ∩ Z. 2 2

√ Combining the previous relations, x and x must be such In this case, it is enough if x ∈{1, ..., round( n/2)},and that y ∈{1, ..., n/2−1},asx2 covers all the range of positive numbers in which y is included, and there are no ambiguities 2 − 2 ∈ − − ∩ Z x x ( x x , x + x ) . (A.8) with the mod operation, as the overlap in intervals can only be produced with negative numbers, already discarded by the Let us suppose, without loss√ of generality, that x>x.If ≤ − previous conditions. both x, x are less than xm n 1, then their squares Limiting the working range is the biggest issue of this are below n, and follow the same behavior as if no modular method; with sequential modular additions and multiplica- operation were applied. Squares in Z can be represented by tions in Zn, it is only needed that the result of applying the the following recursive formula: same sequence of operations (without applying the modu- Z { − } 2 lus) in belongs to the interval 1, ..., n 1 to reach the yk = k = yk−1 + k + k − 1 =⇒ ⎧ same value with modular operations. In the case of the de- ⎪k−i−1 fined square root, it is necessary that the operations made ⎨ − (A.9) − = 2 − 2 = 2(k l)+k + i, k>i before applying a root also return a number inside the inter- yk yi k i ⎪ = ⎩⎪ l 1 val {1, , − 1}, and it is not enough that the final result of = ... n 0, k i, all the computation is in this interval. what means that in order for x2 and x2 to be spaced less that x + x the next inequality must be satisfied: B. ZERO-KNOWLEDGE PROOF THAT A COMMITMENT HIDES THE SAME VALUE AS x−x−1 x−x−1 ONE OF TWO GIVEN COMMITMENTS 2(x − l)+x + x Wj2 = g h Cx , n; in such case, given the condition imposed on xm, then √ such that e is a randomly chosen t-bit integer (e ∈ ≤ 2 − ≤ 2 − − = − j j y xm + xm n n 1+xm n xm 1. (A.12) k [0, C(k))), uj is randomly chosen in [0, C(k)T2 )anduj1 and u are randomly chosen in [0, C(k)2B+2k). As x = x , this means that y

(3) The prover calculates the remaining challenge apply- C. SECURITY PROOFS ing an XOR e = e ⊕ s, and then generates the following i j In this appendix, we have included the sketches of the secu- values: rity proofs for the developed protocols. u = y + e x, i i i C.1. Sketch of the proof for Claim 1 ui1 = ri3 + eiri, (B.3) Completeness and soundness of the protocol in Section 3.1 u = r + e r, i2 i4 i are held upon the validity of the mapping of Appendix A. and sends to the verifier e1, u1, u11, u12, e2, u2, u21, u22. Proof. (4) The verifier checks that the challenges , are con- e1 e2 Completeness. If both prover and verifier behave according to sistent with his random key ( = ⊕ ), and then checks, s s e1 e2 the protocol in Section 3.1, then the verifier will accept all the for k ={1, 2}, the proofs subproofs and all its tests will succeed. If x is generated as the − rounded square root of y, the square proof and both range guk huk1 C ek = W , 1 1 xk k1 proofs will be accepted because of the validity of the mapping − (B.4) uk uk2 ek = g h Cx Wk2. of Appendix A and the completeness of these subproofs. Soundness. Taking into account the consideration about inte- The completeness of the proof follows from its definition, gers of the form k2 + k, the binding property of the commit- as if one of the xk is equal to x, then all the subproofs will ment guarantees that the prover cannot open the generated succeed. Cx and Cx2 to incorrect values; thus, appealing to the unique- The soundness of the protocol resides in the key s, that is ness property of the mapping of Appendix A, the computa- generated by the verifier. This protocol can be decomposed tional soundness of the range and squaring subproofs guar- = in two parts, each one consisting in the proof that x xi for antees that a proof for a value that does not fulfill that map- each xi. Both are based in a protocol that is demonstrated to ping will only succeed with negligible probability. be sound [18]. So, without access to e at the first stage, the ∗ i Zero-knowledge. We can construct a simulator SV for the only way for the prover to generate the correct values with V ∗ = = verifier’s view of the interaction. S must generate values Cx nonnegligible probability is that xi x;ifxi / x,hemust and 2 as commitments to random values, that will be statis- generate e in advance for making that the proof succeeds. Cx i tically indistinguishable from the true commitments, due to With this premise, one of the ei must be fixed by the prover, and he indirectly commits to it in the first stage of the pro- the statistically hiding property of the commitment scheme. Furthermore, the statistical zero-knowledge property of the tocol; but the other value e is determined by e and by the j i squaring and range subproofs guarantees that simulators for random choice of the verifier s, so for the prover it is as ran- these proofs exist and generate the correct views, and the gen- dom as s, guaranteeing that the second proof will only suc- eration of Cx and Cx2 does not affect these views, due to their ceed with negligible probability when xj = x. The protocol is witness hiding, due to the followed proce- indistinguishability with respect to the true commitments, dure for developing it [23]; thanks to the statistically hiding and that the simulators do not need knowledge of the com- property of the commitments, all the values generated for the mitted values in order to succeed. false proof will be indistinguishable from those of the true proof. Furthermore, the protocol is also zero-knowledge, as C.2. Sketch of the proof for Claim 2 a simulator can be built that given the random choices (s) Proof. of the verifier can construct both proofs applying the same Completeness. If both parties adhere to the protocol, then trick as for the false proof, and the distribution of the re- when C| | hides the absolute value of the number concealed sulting commitments will be statistically indistinguishable x in C , the protocol always succeeds due to the completeness from that of the real interactions; in fact, the original proto- x of the OR proof and the nonnegativity proof. col was honest-verifier zero-knowledge, but adding the additional XOR on the verifier’s random choice for the true proof Soundness. Due to the binding property of the commitments, makes that the resulting value is completely random, at least the prover cannot open Cx and C|x| to incorrect values. Fur- if one of the parties is honest (it is like a fair coin flip), so the thermore, due to the soundness of the subproofs, if C|x| hides zero-knowledge property is gained in this process. a negative number, the proof in step (3) will fail, so the com- Applying the technique shown in [21], the previous pro- plete protocol will fail (except with negligible probability); on tocol can be transformed in a noninteractive zero-knowledge the other hand, if C|x| does not hide a number with the same proof of knowledge, by using a hash function H, so that absolute value as the one hidden by Cx, the proof in step (2) s = H(W11W12W21W22), and eliminating the transmis- will also fail (except with negligible probability). Thus, the sion of W11, W12, W21, W22. This way, the verifier checks that whole protocol will only succeed for a non-valid input with a negligible probability given by the soundness error of the e1 ⊕ e2 proofs in steps (2) and (3). V ∗ u u − − u u − − Zero-knowledge. We can construct a simulator S such that =s=H g 1 h 11 C e1 gu1 hu12 C e1 g 2 h 21 C e2 gu2 hu22 C e2 . 1 1 x1 x 2 2 x2 x the real interactions have a probability distribution indis- (B.5) tinguishable from that of the outputs of the simulator. The J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez´ 13 statistical zero-knowledge property of the OR and nonnega- ACKNOWLEDGMENTS tivity subproofs guarantees that simulators exist that can produce sequences that are statistically indistinguishable from This work was partially funded by Xunta de Galicia these protocols’ outputs, so the only quantity that the simu- under projects PGIDT04 TIC322013PR and PGIDT04 V ∗ PXIC32202PM, Competitive Research Units Program lator S has to produce is C−x, whose true value can be gen- Ref. 150/2006, MEC project DIPSTICK, Ref. TEC2004- erated directly from Cx due to the homomorphic property of the used commitment scheme. Thus, the whole protocol is 02551/TCM, MEC FPU grant, Ref. AP2006-02580, and statistically zero-knowledge. European Commission through the IST Program under Contract IST-2002-507932 ECRYPT. ECRYPT disclaimer: the information in this paper is provided as is, and no C.3. Sketch of the proof for Theorem 1 guarantee or warranty is given or implied that the infor- Proof. mation is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. This work Completeness. Let us assume that both parties behave accord- was partially presented at ACM Multimedia and Security ing to the protocol. The values C calculated by the correct Ak Workshop 2006 [24] and Electronic Imaging 2007 [25]. prover and the correct verifier coincide. For correctly produced C|Ak|, the completeness of the absolute value subproof guarantees the acceptance of the verifier; equally, the com- REFERENCES pleteness of the rounded square root subproof guarantees the [1] S. Goldwasser, S. Micali, and C. Rackoff,“Theknowledge acceptance for a correctly calculated CBk . Next, the values of complexity of interactive proof systems,” SIAM Journal on CD computed by both parties coincide, and, finally, due to Computing, vol. 18, no. 1, pp. 186–208, 1989. the completeness of the nonnegativity proof, the verifier will [2] A. Adelsbach and A.-R. Sadeghi, “Zero-knowledge watermark accept the whole proof in case the signal {Yk} is inside the detection and proof of ownership,” in Proceedings of the 4th In- detection region. For the case of a binary antipodal spread- ternational Workshop on Information Hiding (IH ’01), vol. 2137 ing sequence (Section 5), if the values G, Hk and Cth are cor- of Lecture Notes in Computer Science, pp. 273–288, Springer, rectly calculated, the completeness of the nonnegativity proof Pittsburgh, Pa, USA, April 2001. guarantees the acceptance when {Yk} is inside the detection [3] I. Damgard,˚ “Commitment schemes and zero-knowledge pro- region. This concludes the completeness proof. tocols,” in Lectures on Data Security: Modern Cryptology in Theory and Practice, vol. 1561 of Lecture Notes in Computer Soundness. The binding property of the commitments as- Science, pp. 63–86, Springer, Aarhus, Denmark, July 1998. sures that the prover will not be able to open the commit- [4] P. Comesana,˜ L. Perez-Freire,´ and F. Perez-Gonz´ alez,´ “Blind | | ments that he calculates (CAk , C Ak , CBk , CD, Cth)towrong newton sensitivity attack,” IEE Proceedings on Information Se- values. Furthermore, the statistical soundness of the used curity, vol. 153, no. 3, pp. 115–125, 2006. subproofs (absolute value, rounded square root, and non- [5] A. Piva, V. Cappellini, D. Corazzi, A. De Rosa, C. Orlandi, and negativity) guarantees that an incorrect input in any of them M. Barni, “Zero-knowledge ST-DM watermarking,” in Secu- will only succeed with negligible probability. This fact, to- rity, Steganography, and Watermarking of Multimedia Contents gether with the homomorphic properties of the commit- VIII, E. J. Delp III and P. W. Wong, Eds., vol. 6072 of Proceed- ments, that makes impossible for the prover to fake the arith- ings of SPIE, pp. 1–11, San Jose, Calif, USA, January 2006. metic operations performed in parallel by the verifier, propi- [6]J.R.Hernandez,´ M. Amado, and F. Perez-Gonz´ alez,´ “DCT- { ∗} domain watermarking techniques for still images: detector tiates that the probability that a signal Yk that is not inside the detection region succeeds the proof be negligible. performance analysis and a new structure,” IEEE Transactions on Image Processing, vol. 9, no. 1, pp. 55–68, 2000. V ∗ Zero-knowledge. We can construct a simulator S such that [7] I. Damgard˚ and E. Fujisaki, “A statistically-hiding integer com- the real interactions have a probability distribution indis- mitment scheme based on groups with hidden order,” in Pro- tinguishable from that of the outputs of the simulator. The ceedings of the 8th International Conference on the Theory and statistical zero-knowledge property of the absolute value, Application of Cryptology and Information Security: Advances rounded square root and nonnegativity subproofs guaran- in Cryptology (ASIACRYPT ’02), vol. 2501 of Lecture Notes In ∗ tee the existence of simulators for their outputs; thus, SV Computer Science, pp. 125–142, Springer, Queenstown, New Zealand, December 2002. can generate CAk , CD,andCth as in a real execution of the protocol, thanks to the homomorphic properties of the com- [8] M. Bellare and O. Goldreich, “On defining proofs of knowledge,” in Proceedings of the 12th Annual International Cryp- mitment scheme. On the other hand, it must generate C|A | k tology Conference on Advances in Cryptology (CRYPTO ’92), and CBk as commitments to random numbers; the statistical hiding property of the commitments guarantees that vol. 740 of Lecture Notes in Computer Science, pp. 390–420, Springer, Santa Barbara, Calif, USA, August 1992. the distribution of these random commitments be indistin- [9] L. Perez-Freire,´ P. Comesana,˜ and F. Perez-Gonz´ alez,´ “Detec- guishable from the true commitments. Furthermore, these ff tion in quantization-based watermarking: performance and generated values will not a ect the indistinguishability of security issues,” in Security, Steganography, and Watermarking the simulators for the subproofs, as these simulators do not of Multimedia Contents VII,E.J.DelpIIIandP.W.Wong,Eds., need knowledge of the committed values in order to succeed. ∗ vol. 5681 of Proceedings of SPIE, pp. 721–733, San Jose, Calif, Thus, the output of SV is indistinguishable from true inter- USA, January 2005. actions of an accepting protocol, and the whole protocol is [10] F. Perez-Gonz´ alez,´ F. Balado, and J. R. Hernandez´ Martin, statistically zero-knowledge. “Performance analysis of existing and new methods for data 14 EURASIP Journal on Information Security

hiding with known-host information in additive channels,” [24] J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez,´ “Zero- IEEE Transactions on Signal Processing, vol. 51, no. 4, pp. 960– knowledge watermark detector robust to sensitivity attacks,” 980, 2003. in Proceedings of the 8th Workshop on Multimedia and Security [11] M. Barni and F. Bartolini, Watermarking Systems Engineering. (MM&Sec ’06), pp. 97–107, Geneva, Switzerland, September Signal Processing and Communications, Marcel Dekker, New 2006. York, NY, USA, 2004. [25] J. R. Troncoso-Pastoriza and F. Perez-Gonz´ alez,´ “Efficient [12] B. Chen and G. W. Wornell, “Quantization index modulation: non-interactive zero-knowledge watermark detector robust to a class of provably good methods for digital watermarking sensitivity attacks,” in Security, Steganography, and Watermark- and information embedding,” IEEE Transactions on Informa- ing of Multimedia Contents IX,E.J.DelpIIIandP.W.Wong, tion Theory, vol. 47, no. 4, pp. 1423–1443, 2001. Eds., vol. 6505 of Proceedings of SPIE, pp. 1–12, San Jose, Calif, [13] P. Comesana˜ and F. Perez-Gonz´ alez,´ “Breaking the BOWS wa- USA, January 2007. termarking system: key guessing and sensitivity attacks,” to appear in EURASIP Journal on Information Security. [14] S. Craver, “Zero knowledge watermark detection,” in Proceed- ings of the 3rd International Workshop on Information Hiding (IH ’99), vol. 1768 of Lecture Notes in Computer Science,pp. 101–116, Springer, Dresden, Germany, September 2000. [15] A. Adelsbach, S. Katzenbeisser, and A.-R. Sadeghi, “Water- mark detection with zero-knowledge disclosure,” in Multime- dia Systems, vol. 9, pp. 266–278, Springer, Berlin, Germany, 2003. [16] I. J. Cox, J. Kilian, T. Leighton, and T. Shamoon, “A secure, robust watermark for multimedia,” in Proceedings of the 1st Inter- national Workshop on Information Hiding (IH ’96), vol. 1174 of Lecture Notes in Computer Science, pp. 185–206, Springer, Cambridge, UK, May-June 1996. [17] A. Adelsbach, M. Rohe, and A.-R. Sadeghi, “Non-interactive watermark detection for a correlation-based watermarking scheme,” in Proceedings of the 9th IFIP TC-6 TC-11 Interna- tional Conference on Communications and Multimedia Security (CMS ’05), vol. 3677 of Lecture Notes in Computer Science,pp. 129–139, Springer, Salzburg, Austria, September 2005. [18] F. Boudot, “Efficient proofs that a committed number lies in an interval,” in Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Ad- vances in Cryptology (EUROCRYPT ’00), vol. 1807 of Lecture Notes in Computer Science, pp. 431–444, Springer, Bruges, Bel- gium, May 2000. [19] H. Lipmaa, “On diophantine complexity and statistical zero- knowledge arguments,” in Proceedings of the 9th International Conference on the Theory and Application of Cryptology and In- formation Security: Advances in Cryptology (ASIACRYPT ’03), vol. 2894 of Lecture Notes in Computer Science, pp. 398–415, Springer, Taipei, Taiwan, November-December 2003. [20] A. Adelsbach, M. Rohe, and A.-R. Sadeghi, “Complementing zero-knowledge watermark detection: proving properties of embedded information without revealing it,” Multimedia Sys- tems, vol. 11, no. 2, pp. 143–158, 2005. [21] M. Bellare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS ’93), pp. 62–73, ACM Press, Fairfax, Va, USA, November 1993. [22] A. Adelsbach, M. Rohe, and A.-R. Sadeghi, “Overcoming the obstacles of zero-knowledge watermark detection,” in Proceedings of the Workshop on Multimedia and Security (MM&Sec ’04), pp. 46–54, Magdeburg, Germany, September 2004. [23]R.Cramer,I.Damgard,˚ and B. Schoenmakers, “Proofs of partial knowledge and simplified design of witness hiding protocols,” in Proceedings of the 14th Annual International Cryp- tology Conference on Advances in Cryptology (CRYPTO ’94), vol. 839 of Lecture Notes In Computer Science, pp. 174–187, Santa Barbara, Calif, USA, August 1994. Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 31340, 13 pages doi:10.1155/2007/31340

Research Article Anonymous Fingerprinting with Robust QIM Watermarking Techniques

J. P.Prins, Z. Erkin, and R. L. Lagendijk

Information and Communication Theory Group, Faculty of Electrical Engineering, Mathematics, and Computer Science, Delft University of Technology, 2628 Delft, The Netherlands

Correspondence should be addressed to Z. Erkin, [email protected]

Received 20 March 2007; Revised 4 July 2007; Accepted 8 October 2007

Recommended by A. Piva

Fingerprinting is an essential tool to shun legal buyers of digital content from illegal redistribution. In fingerprinting schemes, the merchant embeds the buyer’s identity as a watermark into the content so that the merchant can retrieve the buyer’s identity when he encounters a redistributed copy. To prevent the merchant from dishonestly embedding the buyer’s identity multiple times, it is essential for the fingerprinting scheme to be anonymous. Kuribayashi and Tanaka, 2005, proposed an anonymous fingerprinting scheme based on a homomorphic additive encryption scheme, which uses basic quantization index modulation (QIM) for embedding. In order, for this scheme, to provide sufficient security to the merchant, the buyer must be unable to remove the fingerprint without significantly degrading the purchased digital content. Unfortunately, QIM watermarks can be removed by simple attacks like amplitude scaling. Furthermore, the embedding positions can be retrieved by a single buyer, allowing for a locally targeted attack. In this paper, we use robust watermarking techniques within the anonymous fingerprinting approach proposed by Kuribayashi and Tanaka. We show that the properties of an additive homomorphic cryptosystem allow for creating anonymous fingerprinting schemes based on distortion compensated QIM (DC-QIM) and rational dither modulation (RDM), improving the robustness of the embedded fingerprints. We evaluate the performance of the proposed anonymous fingerprinting schemes under additive-noise and amplitude-scaling attacks.

Copyright © 2007 J. P. Prins et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION buyer into any content without the buyer’s consent and subsequently accuse the buyer of illegal redistribution. Intellectual property protection is a severe problem in today’s To protect the identity of the buyer, anonymous finger- digital world due to the ease of illegal redistribution through printing schemes have been proposed [1, 2]. In [2], the buyer the Internet. As a countermeasure to deter people from il- and the merchant follow an interactive embedding proto- legally redistributing digital content such as audio, images, col, in which the identity information of the buyer remains and video, a fingerprinting scheme embeds specific informa- unknown to the merchant. When the buyer wishes to pur- tion related to the identity of the buyer by using watermark- chase, for instance, an image, he registers himself to a reg- ing techniques. In conventional fingerprinting schemes, this istration centre and receives a proof of his identity with a identity information is embedded into the digital data by the signature of the registration centre. Then the buyer encrypts merchant and the fingerprinted copy is given to the buyer. his identity and sends both encrypted identity and the proof When the merchant encounters redistributed copies of this of identity to the merchant. The merchant checks the valid- fingerprinted content, he can retrieve the identity informa- ity of the signature by using the public key of the registration of the buyer who (illegally) redistributed his copy. From tion centre. After the buyer convinces the merchant, through the buyer’s point of view, however, this scenario is unattrac- the provided identity proof, that the encrypted identity in- tive because during the embedding procedure, the merchant deed contains the identity information of the buyer, the mer- obtains the identity information of the buyer. This enables a chant embeds the identity information of the buyer into cheating merchant to embed the identity information of the the (encrypted) image data by exploiting the homomorphic 2 EURASIP Journal on Information Security property of the cryptosystem. Then the encrypted finger- Table 1: Table of symbols. printed image is sent to the buyer for decryption and future use. A.1. Cryptosystems In this scheme, the merchant can only retrieve the iden- Symbol Usage tity information of the buyer when it is detected in a copy p, q Large primes of size k of the fingerprinted image. This idea, first presented in [2], n Modulus was constructed in [3, 4] using digital coins. In order to em- g Generator bed the identity information of the buyer, a single-bit com- m Message mitment scheme with exclusive, or homomorphism, is used c that allows for computing the encrypted XOR of two bits by Cipher-text , ∈ Z∗ Z∗ multiplying their ciphertexts. In [5], Kuribayashi and Tanaka r s R n r and s are random blinding factors from n observe that this construction is not efficient because of the E(m) Encryption (and integer rounding) of m low enciphering rate. The single bit commitment scheme can D(c) Decryption of ciphertext c only contain one bit of information for a log 2n-bit cipher- A.2. Watermarking and fingerprinting text, where n is a product of two large primes. Symbol Usage In order to increase the enciphering rate, Kuribayashi and x/X Original sample/original signal Tanaka suggested using a cryptosystem with a larger message space. They introduced an anonymous fingerprinting y/Y Watermarked sample/watermarked signal algorithm based on an additive homomorphic cryptosystem z/Z Received sample/received signal that allows for the addition of values in the plaintext do- w/W Individual watermark bit/total watermark main by multiplying their corresponding ciphertexts. Con- d Dither sequently, Kuribayashi and Tanaka used a basic amplitude Δ Quantization step size quantization-based scheme similar to the well-known quan- QΔ(·) Uniform quantizer with step size Δ tization index-modulation (QIM) scheme as the underly- α DC-QIM factor ing watermarking scheme. Since QIM essentially modulates (integer-valued) quantization levels to embed information ρ Gain factor Scaling factor used for rounding/reducing quanti- bits into a signal, QIM can elegantly be implemented in an c additive homomorphic cryptosystem. However, QIM is a ba- zation step size sic watermarking scheme that has limited robustness com- v(·) Function to normalize coefficients for RDM. pared to other watermarking schemes. The embedding po- id Buyer identity sitions can easily be retrieved from an individual fingerprinted copy and are thus vulnerable to local attacks. Such attacks result in minimal overall signal degradation, while ayashi and Tanaka. In Section 4, we describe the proposed completely removing the fingerprint. Furthermore, QIM is anonymous fingerprinting schemes using the subtractive vulnerable to simple, either malevolent or unintentional, dither QIM, DC-QIM, and RDM watermarking schemes. global attacks such as randomization of the least significant Section 5 describes the experiments that evaluate the robust- bits, addition of noise, compression, and amplitude scal- ness of the proposed schemes compared to the original wa- ing. termarking schemes. Section 6 discusses the security ben- In this paper, we use the ideas in [5] to build anonymous efits of using specially constructed buyer ids. Conclusions versions of state-of-the-art watermarking schemes, namely, are given in Section 7. A list of used symbols is provided in distortion-compensated QIM (DC-QIM) [6]andrational Table 1. dither modulation (RDM) [7]. By adapting these watermarking schemes to the anonymous fingerprinting protocol of Kuribayashi and Tanaka, we improve the robustness of the 2. WATERMARKING AND ENCRYPTION embedded fingerprints and, as a consequence, the merchant’s PRELIMINARIES security. As DC-QIM and RDM are based on subtractive- dither QIM (SD-QIM), they both hide the embedding lo- 2.1. Basic quantization-index modulation cations from the buyer more effectively, preventing local, targeted attacks on the fingerprint. With respect to global Quantization-index modulation (QIM) is a relatively recent attacks, like additive noise and amplitude scaling, RDM is watermarking technique [6].Ithasbecomepopularbecause provably equivalent in robustness, while DC-QIM is prov- of the high watermarking capacity and the ease of implemen- ably better in robustness against additive noise attacks. Fur- tation. The basic quantization-index modulation algorithm thermore, RDM improves the QIM scheme so that the fin- embeds a watermark bit w by quantizing a single-signal sam- gerprint becomes robust to amplitude-scaling attacks. ple x by choosing between a quantizer with even or odd The outline of this paper is as follows. In Section 2, we in- values, depending on the binary value of w. These quantiz- troduce the basic QIM watermarking scheme, as well as the erswithastepsizeΔ ∈ N are denoted by QΔ-even(·)and additive homomorphic cryptosystem of Okamoto-Uchiyama QΔ-odd(·), respectively. [8], on which the approach in [5]isbased.InSection 3, Figure 1 shows the input and output characteristics of the we review the anonymous fingerprinting scheme by Kurib- quantizer, where w ∈{0, 1} denotes the message bit that is J. P. Prins et al. 3

Q2Δ(x) 2.2. Homomorphic encryption schemes w = 1 The idea of processing encrypted data was first suggested by = w 0 Ahituv et al. in [9]. In their paper, the problem of decrypting data before applying arithmetic operations is addressed and a new approach is described as processing data without decrypting it first. Δ Succeeding works showed that some asymmetric cryp- x tosystems preserve structure, which allows for arithmetic op- Δ erations to be performed on encrypted data. This structure preserving property, called homomorphism, comes in two main types, namely, additive and multiplicative homomorphism. Using additive homomorphic cryptosystems, performing a particular operation (e.g., multiplication) with encrypted data, results in the addition of the plaintexts. Similarly, using a multiplicatively homomorphic cryptosys- Figure 1: Quantizer input-output characteristics. tem, multiplying ciphertexts, results in the multiplication of the plaintexts. Paillier [10], Okamoto-Uchiyama [8], and Goldwasser-Micali [11] are additively homomorphic cryp- embedded into the host data. The watermarked signal sample tosystems while RSA [12] and ElGamal [13] are multiplica- y then is tively homomorphic cryptosystems. The anonymous fingerprinting scheme proposed in [5] is based on the addition of the fingerprint to the digital Q (x), if w = 0, = Δ-even data, and hence, an additive cryptosystem is used. Among y = (1) QΔ-odd(x), if w 1. the candidates, the Okamoto-Uchiyama cryptosystem is chosen for efficiency considerations [5]. In the next section, the The quantizers QΔ-even(·)andQΔ-odd(·)aredesignedsuch Okamoto-Uchiyama cryptosystem is described. We observe, that they avoid biasing the values of y, that is, the expected however, that the anonymous fingerprinting schemes, pro- (average) value of x and y are identical. The trade-off be- posed in this paper, can easily be implemented by using other tween embedding distortion and robustness of QIM against additively homomorphic cryptosystems. It is, however, re- additive noise attacks is controlled by the value of Δ.The quired to have a sufficiently large message space to represent detection algorithm requantizes the received signal sample the signal samples. Further, the underlying security proto- z with both QΔ-even(·)andQΔ-odd(·). The detected bit w = cols, such as the proof protocol for validating the buyer iden- {0, 1} is determined by the quantized value QΔ-even(z)or tity, must be suitable for the chosen cryptosystem. QΔ-odd(z) with the smallest distance to the received sample A requirement for the cryptosystem is that it is proba- z. bilistic in order to withstand chosen plaintext attacks. Such This scheme of even and odd quantizers can also be im- attacks are easily performed in our scheme because individ- plemented by using a single quantizer with a step-size of 2Δ ual signal samples are usually limited in value (e.g., 8 bit). If and subtracting/adding Δ when w = 1. Implementing the we were to use a nonprobabilistic cryptosystem, this would quantizer in this way allows for the implementation of the enable the buyer to construct a codebook of ciphertexts for scheme in the encrypted domain as was shown in [5]. all possible messages (in total, 28 = 256) using the public key A serious drawback of basic QIM watermarking is its and decrypt through this codebook. Fortunately probabilis- sensitivity to amplitude-scaling attacks [7], in which signal ticcryptosystemswereintroducedin[11], which enable the samples are multiplied by a gain factor ρ. If the gain fac- encryption of a single plaintext to n ciphertexts, where n is tor ρ is constant for all samples, the attack is called a fixed- a security parameter related to the size of the key. To which gain attack (FGA). In amplitude-scaling attacks, the detector ciphertext the plaintext is encrypted is dependent on a blind- does not posses the factor ρ, which causes a mismatch being factor r, which is usually taken at random. Selecting dif- tween embedder and decoder quantization lattices, affecting ferent r’s does not affect the decrypted plaintext. By having the QIM-detector performance dramatically. a multitude of ciphertexts for a single plaintext, the size of a Another drawback of basic QIM is that the embedding codebook will become 28·2n, and thus impractically large, positions can be retrieved from a single copy. The embedding preventing such attacks. All the above-mentioned addi- positions are those signal values xi that have been (heavily) tive homomorphic-encryption schemes (Paillier, Okamoto- quantized to QΔ-even(xi)andQΔ-odd(xi), and have a constant Uchiyama, and Goldwasser-Micali) are probabilistic, and difference value equal to Δ, that is, the quantizer coarseness hence withstand chosen plaintext attacks. parameter. By constructing a high-resolution histogram, the From Section 3 onwards, we compactly denote the en- buyer can easily observe the even-spaced spikes of signal in- cryption and the decryption of a message with E(m)and tensity values and identify, and thus attack the embedding D(c), respectively, omitting the dependency on the random positions locally. This results in the removal of the finger- factor r. In the scope of this paper, an additive homomor- print with little degradation to the overall signal. phic cryptosystem will be used for encrypting signal samples 4 EURASIP Journal on Information Security

which do not necessarily need to be integer values. In this cryptosystem, so that E(W) = (E(w0), E(w1), ..., E(wl−1)). case, rounding to the nearest integer value precedes the en- These encrypted values are sent to the merchant. cryption, and thus, in this paper, E(·) denotes both rounding The merchant ﬁrst quantizes the samples of the (audio, and encryption. image, and video) signal that the buyer wishes to obtain, using a quantizer with coarseness 2Δ, that is, x = Q2Δ(x). Here, 2.2.1. Okamoto-Uchiyama cryptosystem the quantizer step size Δ is a positive integer to ensure that the quantized value can be encrypted. He then encrypts all Okamoto and Uchiyama [8] proposed a semantically secure quantized signal samples x with the public key of the buyer, and probabilistic public key cryptosystem based on compos- yielding E(x). The merchant selects watermark embedding ite numbers. Let n = p2q,wherep and q are two prime positions by using a unique secret key that will be used to numbers of length k bits, and let g be a generator such that extract the watermark from the redistributed copies. In or- p−1 2 the order of g modp is p. Another generator is deﬁned as der to embed a single bit of information wj into one of the h = gn. In this scheme, the public key is pk = (n, g, h, k)and quantizedandencryptedvalueE(x) at a particular water- the secret key is sk = (p, q). mark embedding position, the merchant performs the following operation: Encryption. Δ E(y) = E x × E w j k−1 (6) A message m (0

−1 ± where () denotes modular inverse in the cyclic group de- Δwj ﬁned by the encryption scheme. When the buyer decrypts xi yi the received encrypted and watermarked signal values, he ob- Q2Δ tains the following result for the watermark embedding positions: d di i + ,if≥ ( ), = x wj Δ x Q2Δ x Figure 2: Subtractive dither QIM. y (9) x − wj Δ,ifx

±Δwj are equivalent except for the rounding of the dither di to in- xi yi tegers before encryption. How to limit the adverse effect of Q 2Δ integer rounding will be addressed next. α di SD-QIM di Two improvements of (10) are desirable. In the first place, we can subtract di before encrypting Q2Δ(xi + di). This ff 1 − α e ectively removes the last protocol step, and hence eliminates an unnecessary encryption operation. The resulting Figure 3: Distortion-compensated QIM. scheme can then be rewritten as follows: ⎧ ⎨⎪ Δ E(Q2Δ(xi +di) − di) × E(wj ) ,ifxi ≥ Q2Δ(xi), E(yi)= − ⎩⎪ Δ 1 In QIM terminology, a small amount of dither di is added E(Q2Δ(xi +di) − di) × (E(wj) ) ,ifxi 2512). As a consequence of scaling on the value of x + d , in order to achieve the desired i i xi, the dither di andallencryptedbitsE(wj ) of the decom- quantization level. posed identity of the buyer also have to be scaled by c.We (iv) Encrypt the dither di to obtain E(di). Note that, since note that scaling introduces extra computation. However, the ∈ R di , the encryption operation includes modulo dither can be scaled and subtracted before encryption, result- n rounding to an integer. Multiply the result of the ing in a very small increase in complexity. The scaling of the previous step with the modular inverse of E(d )asso i encrypted bits E(wj ) of the decomposed identity of the buyer to implement the subtraction of the dither di from has to be taken into account in the protocol steps, which is Q2Δ(xi + di). relatively easy since the scaling can be combined with the Summarizingtheaboveprotocolsteps,weobtain multiplication of wj with Δ. The resulting embedding equa- ⎧ tion can be summarized as follows: ⎧ ⎨⎪ × Δ ≥ Δ E(Q2Δ(xi + di)) E(wj ) ,ifxi Q2Δ(xi), ⎪E c·(Q x + d − d × E w , = ⎪ 2Δ i i i j E(ti) ⎪ −1 ⎨⎪ ⎩ Δ if x ≥ Q2 x , E(Q2Δ(xi + di)) × (E(wj ) ) ,ifxi

· ffi signal component α xi to form the final embedded coe - ±Δwj y cient yi. The embedder chooses an appropriate value for α xi i Q2Δ depending on the desired detection performance and robust- 1 d d ness of DC-QIM; an often selected value is as in [15]: i SD-QIM i v(Yi−1) σ2 α = w , (14) 2 2 −L σw + σn v(Yi−1) Z 2 = 2 where σw Δ /3 is the variance of the watermark in the wa- Figure 4: Rational dither modulation. 2 termarked signal, and σn is the variance of the noise or other degradation that an attacker applies in an attempt to ren- der the watermark bits undetectable. Obviously, the standard 4.3. Rational dither modulation SD-QIM scheme is optimal only if an attacker inserts little 2→ or no noise into the watermarked image since, for σn 0, we DC-QIM provides a significant improvement in robustness find α→1. The difference in robustness between SD-QIM and compared to the basic QIM scheme. Nevertheless, the DC- DC-QIM becomes especially relevant if the variance of the QIM scheme is known to be very sensitive to gain or volu- 2 2→ 2 attacker becomes large relative to σw, that is, σn σw. metric attacks, which is just simply scaling of the image in- As the differences between the SD-QIM and DC-QIM tensities. Because of the use of the scaling factor c in SD-QIM watermarking scheme merely consist of plaintext multiplica- and DC-QIM in order to reduce the sensitivity to integer- tions and ciphertext additions, DC-QIM can also be achieved rounding before encryption, the buyer has an excellent op- within the limitations of the homomorphic additive encryp- portunity to perform a gain attack on the watermarked sig- tion scheme used by the Kuribayashi-Tanaka protocol. The nal. The gain effect causes the quantization levels used at the basic embedding operations can now be written as follows: detector to be misaligned with those embedded in the pur- ⎧ chased and illegally distributed digital data, effectively mak- ⎪ Δ ⎪E(Q2Δ(α·xi + di) − di) × E(wj ) , ing the retrieval of the watermarked identity bits impossible ⎪ ⎨ if α·x ≥ Q (α·x ), [16]. = i 2Δ i E(ti) ⎪ −1 Perez-Gonzalez et al. [7], proposed the usage of QIM on ⎪ ( ( · + ) − ) × ( ( )Δ) , ⎪E Q2Δ α xi di di E wj (15) ratios between signal samples as so to make the watermark- ⎩ · · if α xi

E(yi) = E(ti) × E((1 − α)·xi). proach, known as rational dither modulation (RDM), is robust against both additive-noise and fixed-gain attacks. The Equation (15) results in the following watermarked values yi RDM-embedding scheme is illustrated in Figure 4. The ro- after decryption: bustness against fixed gain attacks is achieved by normalizing the signal value (or DCT coefficient) xi by v(Yi−1), which is · + − + · ,if· ≥ · , = Q2Δα xi di di wj Δ α xi Q2Δ α xi a function that combines L previous watermarked signal val- ti = Q2Δ α·xi + di − di − wj ·Δ,ifα·xi ≥ Q2Δ α·xi , ues Yi−1 (yi−1, yi−2, ..., yi−L). An example for the function v(Yi−1) is the Holder¨ vector norm, as suggested in [7]: yi = ti +(1− α)·xi. (16) i−1 1/p 1 p v(Yi−1) = ym . (18) The plaintext distortion-compensated QIM and the above L m=i−L Kuribayashi-Tanaka distortion-compensated QIM (KT DC- QIM) are equivalent, except again for the rounding of the The SD-QIM watermark embedding will then take place us- real-valued dither di and (1−α)·xi to integers before encryp- ing the normalized signal values xi/v(Yi−1), yielding tion. ⎧ ⎪ Similar to the subtractive dither-QIM watermark algo- ⎪ · xi − ⎪v Yi−1 QΔ-even + di di , rithm, KT DC-QIM can be modified to subtract the dither ⎪ v Yi−1 ⎨⎪ if = 0, before encryption, and to scale the signal values before en- = wj − · yi ⎪ (19) cryption. Furthermore, the term (1 α) xi can be added ⎪ · xi − ⎪v Yi−1 QΔ-odd + di di , before encryption, further reducing the number of encryp- ⎪ v Y − ⎩⎪ i 1 tions needed. The resulting KT DC-QIM embedding equa- if wj = 1, tions then become: ⎧ where the multiplication of the quantization results with ⎪E c· Q α·x + d − d × E w Δ, ⎪ 2Δ i i i j v(Yi−1) is required to scale the coefficients to their original ⎨⎪ if α·xi ≥ Q2Δ α·xi , value range. Another way of viewing RDM is that it is equiv- = − E(ti) ⎪ Δ 1 ⎪ · · − × alent to using SD-QIM with a signal amplitude-dependent ⎪E c Q2Δ α xi + di di E wj , ⎩ quantization coarseness v(Yi−1)·Δ. if α·xi

values yi are available during watermark detection. In the Table 2: Table of parameters. Kuribayashi-Tanaka protocol, the watermarked signal values Algorithm Scaling factor Quantization step size Noise or DCT coefficients yi are only available to the merchant in SD-QIM c = 1, 2, 5, 10, 100 Δ = k for k,1≤ k ≤ 20 an encrypted form E(yi). Unfortunately, the embedder can- = = ≤ ≤ = not make use of v(Yi−1) as a normalization factor, primarily DC-QIM c 1, 10, 100 Δ 5k for k,1 k 20 σn 15 = = ≤ ≤ = because the homomorphic division (and multiplication for c 10 Δ k for k,1 k 20 σn 15 that matter) is not defined for two encrypted values in a ho- c = 100 Δ = k for k,1≤ k ≤ 20 RDM momorphic additive-encryption scheme. Also the evaluation c = 1000 Δ = 8k for k,1≤ k ≤ 20 of the normalization function v(Yi−1)(e.g.,(18)) may not be c = 10.000 Δ = 75k for k,1≤ k ≤ 20 computable on encrypted values. Consequently, we will have to use the original signal/coefficientvalues(xi−1, xi−2, ..., xi−L), which will have the same statistics as (yi−1, yi−2, ..., yi−L)forsufficiently large identity information will be embedded into the DC DCT co- value of L. Experimental results have shown that an appro- efficients of 8 × 8 blocks. Per image, we embed 64 bits of priate value of L is 25. For this value of L, the detection re- identity information into 64 DC DCT coefficients that are sults, using normalization on v(Xi−1), are sufficiently close to pseudorandomly selected based on a secret key only known × the results based on normalization using v(Yi−1). to the merchant. In all experiments, we use the 256 256 Since RDM applies QIM on the ratio xi/v(Xi−1), atten- pixels gray-valued Lena and Baboon images. Because of run- tion should be paid to the integer rounding process. Since time efficiency and the availability of the necessary proofs, xi/v(Xi−1) will usually be around (the real number) 1.0, the we selected the Okamoto-Uchiyama cryptosystem for all ex- rounding to an integer will almost always yield (the integer) periments as in [5]. The Okamoto-Uchiyama cryptosystem 1, introducing unacceptably large watermarking distortions. has a smaller encryption rate compared to (generalized ver- Therefore, the scaling of the ratio with a factor c becomes sions of) Paillier because of a smaller message space for the essential in RDM. Furthermore, after quantization of the ra- same security level. However, as signal values are usually tio xi/v(Xi−1), the result needs to be multiplied with v(Xi−1). sampled with 8 bit precision, a smaller message space is not Thanks to the homomorphic property, this can be carried a problem for our application, while the ciphertext size is re- out by an exponentiation in modulo arithmetic with v(Xi−1) duced with the Okamoto-Uchiyama cryptosystem, resulting in the encrypted domain. To this end, obviously v(Xi−1)has in lower overall computational complexity. to be an integer, requiring another rounding step. In case this We not only compare the performance of the plaintext rounding effect is severe, another scaling can be carried out and ciphertext versions of the SD-QIM, DC-QIM, and RDM ff on v(Xi−1). Since, in our experiments, this effect showed to watermarking schemes, but we also evaluate the e ect of in- be negligible, we do not consider scaling of v(Xi−1) itself. We teger rounding and the scaling parameter c on the perfor- denote the rounded value of v(Xi−1)byvint(Xi−1). mance. In our graphs, each point shown is based on 100 mea- Using again the notation di for the uniformly distributed surements, and each measurement is a complete, new itera- dither, the RDM-embedding equations become tion of the Kuribayashi-Tanaka protocol. A table of parame- 1 ters for algorithms can be found in Table 2. ⎧ ⎪ x Δ ⎪ · i − × ⎪E c Q2Δ + di di E wj , ⎪ vint(Xi−1) ⎪ 5.1. Subtractive dither QIM ⎪ · · ⎪ c xi ≥ c xi ⎨ if Q2Δ , vint Xi − 1 vint(Xi − 1) E t = An important performance measure of a watermarking i ⎪ −1 ⎪ · xi − × Δ scheme is the bit-error rate (BER) of the watermark detector ⎪E c Q2Δ +di di E wj , ⎪ v (X − ) as a function of the strength of embedding the watermark. ⎪ int i 1 ⎪ · · ⎩⎪ c xi c xi The BER is a measure that quantifies the probability Pe of if

100 100

10−1 10−1

e −2 e −2 P 10 P 10

10−3 10−3

10−4 10−4 30 32 34 36 38 40 42 28 30 32 34 36 38 40 DWR (dB) DWR (dB)

KT SD-QIM, c = 1 KT SD-QIM, c = 10 KT SD-QIM, c = 1 KT SD-QIM, c = 10 KT SD-QIM, c = 2 KT SD-QIM, c = 100 KT SD-QIM, c = 2 KT SD-QIM, c = 100 KT SD-QIM, c = 5 SD-QIM KT SD-QIM, c = 5 SD-QIM (a) (b)

Figure 5: SD-QIM bit error rate (BER) Pe as a function of the document-to-watermark ratio (DWR) for the original SD-QIM scheme and KT SD-QIM with diﬀerent scaling factors c = 1, 2, 5, 10, and 100 for (a) Lena and (b) Baboon images.

2 Here, σx is the variance of the data, into which the water- 5.2. Distortion-Compensated QIM mark is embedded, which, in our case, are the DC DCT co- ffi × 2 Figure 5 showed the BER in a scenario without any explicit e cients of 8 8 blocks. Further, σw is the variance of the distortion caused by the embedded watermark. Following attacks on the watermark. Distortion-compensated QIM can 2 = 2 be used to provide optimal robustness against additive noise [6], we equate σw Δ /3. The objective, a watermarking scheme, is to have a low BER with a high DWR. The proper attacks. Therefore, we will show the performance of the values for the DWR and thus Δ is application and data de- Kuribayashi-Tanaka adaptation of DC-QIM and compare it pendent. In this paper, we are not concerned with select- with the original DC-QIM and the previously discussed SD- ing a suitable value of Δ. We rather study the behavior of QIM. A measure of the amount of noise introduced relative the BER as a function of the DWR for the plaintext and to the strength of the watermark is the watermark-to-noise Kuribayashi-Tanaka versions of the SD-QIM watermarking ratio (WNR): scheme. σ2 WNR = 10 log w (dB). (22) Figure 5 shows the BER-DWR relation for the two ver- 10 σ2 sions of the SD-QIM algorithm. The performance of the n 2 Kuribayashi-Tanaka version of the SD-QIM (KT SD-QIM) Here, σn is the variance of the additive zero-mean Gaussian watermarking scheme is shown for several values of the scal- noise that the attacker adds to the fingerprinted content. The ing factor c. Although there is no deliberate attack performed value of α is chosen according to (14) so that the DC-QIM on the watermark, the inverse DCT transform, and conse- scheme is tuned for a specific additive noise-variance level. = quential rounding to 8 bit pixel values introduces a distor- In all our√ experiments, we use σn 15 and change the value tion into the fingerprinted signal. The robustness of the wa- of Δ = 3σw as so to obtain a varying WNR. termarking scheme is sufficient, however, to result in no-bit Figure 6 shows the BER-WNR relation for SD-QIM and errors at a DWR of 31–34 dB. A peculiar effect is the in- DC-QIM. We choose to fix the amount of additive noise increased robustness of the heavily rounded (i.e., scaling fac- stead of the DWR because we are interested in the effect the tor c = 1) KT SD-QIM compared to the original water- scaling factor c has on the required embedding strength (i.e., marking scheme. We believe that this behavior is caused by value of Δ and thus the watermark power) and not a variable the distorting effect of the (inverse) DCT transform. By in- amount of additive noise. Therefore, Figure 6 cannot be eas- creasing the scaling factor c, we can approximate the per- ily compared to other literature on watermark robustness. As formance of the original SD-QIM. The performance is al- in our previous experiment, the watermark distortion is cal- = 2 = 2 ready closely approximated with c 100 in this instance, culated using the expression σw Δ /3[6]. but in general, the application, the data, and the implemen- As can be observed, the performance of the DC-QIM is tation of the DCT will determine which value of c is required better than SD-QIM with additive noise, which is in accor- to approximate the performance of the plaintext SD-QIM dance with [6]. We are mostly concerned with the compari- scheme. son of the original version of the DC-QIM scheme and the 10 EURASIP Journal on Information Security

100 100

10−1 10−1 e e P P

10−2 10−2

−4 −2 0 2 4 6 8 10 12 −4 −2 0 2 4 6 8 10 12

WNR (dB), σn = 15 WNR (dB), σn = 15

Original SD-QIM Original DC-QIM Original SD-QIM Original DC-QIM KT SD-QIM, c = 1 KT DC-QIM, c = 1 KT SD-QIM, c = 1 KT DC-QIM, c = 1 KT SD-QIM, c = 100 KT DC-QIM, c = 100 KT SD-QIM, c = 100 KT DC-QIM, c = 100 (a) (b)

Figure 6: SD-QIM and DC-QIM bit error rate (BER) as a function of the watermark-to-noise ratio (WNR) with additive noise (σn = 15) for the original SD-QIM and DC-QIM schemes and the KT SD-QIM and DC-QIM schemes with diﬀerent scaling factors c for (a) Lena and (b) Baboon images.

Kuribayashi-Tanaka adaptation of DC-QIM. As expected, timal embedding strength for a specific application. A scaling the performance of the original DC-QIM scheme and the factor of 100 performs much better, but 1000 approximates Kuribayashi-Tanaka adaptation of DC-QIM (KT DC-QIM) the original RDM closely. differ very little. Also the scaling factor c has little effect on Besides the equivalent robustness to additive-noise at- the BER. This can be explained by the fact that the additive tacks of RDM compared to SD-QIM, RDM is robust against noise dominates the errors caused by the integer rounding. amplitude-scaling attacks. Figure 8 shows the robustness of SD-QIM, DC-QIM, and RDM to a performed amplitude- 5.3. Rational dither modulation scaling attack. SD-QIM and DC-QIM, show a high vulnerability against amplitude-scaling attacks. At a small gain fac- Unlike the previous two watermarking schemes, rational tor ρ of 1.05, approximately 50 percent of the buyer’s identi- dither modulation (RDM) depends on a sufficiently large fying information cannot be retrieved correctly, while RDM is robust throughout the whole range for the gain factor. Al- scaling factor c in order to achieve a quantization coarseness ff Δ lower than 1. The scaling factor c determines the possi- though theoretically RDM should not be at all a ected by an ble resolution of Δ. We are interested to see which resolution amplitude-scaling attack, some bit errors start to show up at is required in order to achieve good performance. Although gain factors larger than 1.06. These are inherent to the 8 bit the results depend on the data and the strength of the added data-representation format, which easily overflows for large noise, the trend of these results will be observed for other gain factors. cases and data as well because the signal coefficients xi are normalized before embedding. 6. SECURITY ASPECTS OF BUYER IDENTITY Figure 7 shows the bit error rate (BER) performance of RDM as a function of the watermark-to-noise ratio (WNR) As fingerprint detection is a signal processing operation, de- for the plain text and Kuribayashi-Tanaka versions of RDM. tected fingerprints will usually be distorted even without at- The different curves reflect different values for the scaling tacks on the fingerprint by a malicious buyer, as discussed factor c. Because of the complexity of the analytical expres- in Section 4. The fingerprint can, for instance, be distorted 2 sion of the watermark distortion σw in [7], we measured the by perfectly legitimate signal-processing operations such as watermark distortion directly from the data. compression, the obligatory inverse DCT, and consequential Figure 7 shows that the value of the scaling factor c deter- rounding. In this scenario, the merchant would normally not mines the points of the Pe-WNR curve, which are attainable be able to present a perfectly retrieved buyer id. The regis- by the Kuribayashi-Tanaka RDM scheme. With a scaling fac- tration center could accept merchant buyer id submissions, tor c = 10, only WNRs with 12 dB or higher are reachable which are similar to a correct buyer id. However, the security (see “KT RDM, c = 10” curve in Figure 7, which starts at of the buyer depends on the inability of the merchant to guess 12 dB), allowing for very little flexibility in choosing the op- a correct buyer id. To allow the merchant to submit similar J. P. Prins et al. 11

100 100

10−1 10−1 e e P P

10−2 10−2

10−3 10−3 −50 5 101520 −50 5 101520

WNR (dB), σn = 15 WNR (dB), σn = 15

Original RDM KT RDM, c = 100 Original RDM KT RDM, c = 100 KT RDM, c = 10 KT RDM, c = 1000 KT RDM, c = 10 KT RDM, c = 1000 (a) (b)

Figure 7: RDM bit error rate (BER) as a function of the watermark-to-noise ratio (WNR) with additive noise (σn = 15) for the original RDM scheme and KT RDM scheme with diﬀerent scaling factors c for (a) Lena and (b) Baboon images.

100 rors at the registration center. This approach has the advantage that it moves the computational complexity of the error correction from the registration center to the merchant. − There is a choice to be made concerning the locations of 10 1 the embedding positions for each buyer. The embedding positions can be changed for each buyer, but this would not provide any real beneﬁts to the robustness of the total ﬁn-

e −2 P 10 gerprinting scheme other than that colluding buyers would have to compare their individual fingerprinted version with a number of other versions in order to detect the embedding 10−3 locations. If the embedding locations are identical for each fingerprinted copy, buyers who have located these embedding positions could publish these, and all buyers could then remove the fingerprint from their copy. Using unique em- 10−4 1.03 1.035 1.04 1.045 1.05 1.055 1.06 1.065 bedding positions for each buyer has, however, a big disad- Gain factor (ρ) vantage upon detection. As with any fingerprinting scheme, the merchant cannot know the used embedding positions be- KT SD-QIM fore detection, as the detection procedure is the sole method KT DC-QIM to discriminate between copies. The unavailability of the em- KT RDM bedding positions prevents the merchant from detecting the Figure 8: KT bit error rate (BER) as a function of the gain factor buyer id, resulting in a deadlock. In order to break this dead- (ρ) for KT SD-QIM, KT DC-QIM and KT RDM schemes with c = lock, the merchant could estimate the embedding positions − 1000. The DWR is fixed to 7.1 dB. Datapoints below a BER of 10 3 by using a nonblind detection procedure (e.g., subtract the are plotted for visualization, but in reality 0. original image from the encountered image and thus find the most likely candidate embedding locations, as they will show up to have a high difference to the original signal) or by embedding a pilot signal to identify the used embedding buyer ids and for the registration center to accept these would positions. However, this would be ineffective for heavily at- thus harm the buyer’s security. tacked copies, which are heavily distorted by attacks. Another By letting the registration center extend the buyer id with way to retrieve the correct buyer id is to let the merchant a forward-error-correcting scheme, the merchant can com- detect for all possible embedding locations and use a (soft) pensate for a small and fixed maximum number of bit errors error-correction scheme to determine the most likely buyer in the buyer id. This is of course equivalent to increasing the id, based on the distance, the detected id is from a valid code- size of the buyer id and allowing for a small number of bit er- word in the used error-correction scheme. This, however, 12 EURASIP Journal on Information Security makes the detection procedure linear in complexity related Although rounding errors can be made arbitrarily small to the number of buyers as it has to be performed for each through the use of scaling factors, the practical need, as used combination of embedding positions. shown in the experiments, is small. As integer quantization Although dithering prevents an individual buyer to de- step sizes have to be used because of the homomorphic en- tect the embedding positions, a coalition of buyers can col- cryption scheme, the distortion introduced by the finger- lude to find them. By comparing different fingerprinted print embedding is usually larger than the distortion intro- copies, the coalition can locate the differing samples and co- duced by integer rounding. As a consequence, rounding with efficients and, as the fingerprint embedding is the predomi- a scaling factor of one (i.e., no scaling) already has accept- nant cause of these differing samples, consequently, the em- able performance. The scaling factor has its use, however, in bedding positions. This vulnerability can be eliminated by increasing the effective quantizer resolution. Although this is constructing the buyer’s ids through the scheme of Boneh of limited use for signals with a relatively large value range, it and Shaw [17], making them collusion secure. The collusion is essential for signals with a small value range, as is the case security of the scheme of Boneh and Shaw depends on gen- for RDM after normalization. erating buyer ids such that they have a number of identical Due to attacks on the digital content or transmission er- bits wj for any colluding coalition of c buyers. Because these rors, the identity information of the buyer can be extracted buyer id bits are identical, the coalition is not able to detect with bit errors. In that case, using error-correction codes these embedded bits by comparing their individually finger- can improve the abilities of the merchant to recover the printed copies. This does, however, require that the embed- identity information. By letting the registration center se- ding positions are identical for each fingerprinted copy. Be- lect the buyer identity information, we can incorporate these cause the embedding positions for these bits cannot be deter- error-correction capabilities or even provide a collusionse- mined, they are safe from targeted attacks and can therefore cure fingerprinting scheme. This greatly increases the em- be detected correctly by the merchant even after the attack by bedded buyer’s identification information and the complex- the colluding buyer coalition. Constructing such a collusion- ity of constructing a valid identity at the registration cen- secure code for a large coalition constitutes a large increase in ter. Although this might not be practical in real applications, the buyer id length. As shown in [17], the length is equal to it provides a theoretical solution to the problem of collu- O(c4 log (N/e)log(1/e)), where c is the number of colluding sion. buyers, N is the total number of buyers, and e is the proba- By adapting the DC-QIM and RDM watermarking bility that the cheating buyer cannot be retrieved after a col- schemes to the anonymous fingerprinting protocol of Kurib- lusion attack. Because of the anonymity of the embedding ayashi and Tanaka, we increased the robustness of the em- procedure, the registration center will have to generate the bedded fingerprints, while preserving the anonymity of the collusionsecure buyer ids as this will be the only person the fingerprinting protocol. Consequently, the buyer’s ability to merchant trusts to generate a valid buyer id. successfully attack embedded fingerprints is reduced, increasing the deterrence to the illegal redistribution of digital 7. CONCLUSION content. In conventional fingerprinting schemes, the buyer’s identity is known to the merchant during embedding. This knowl- ACKNOWLEDGMENTS edge can be easily abused by a malicious merchant by creating fingerprinted copies containing this identity informa- The work described in this paper has been supported in part tion without the buyer’s consent. After distribution, the mer- by the European Commission through the IST Programme chant can claim a license violation for this specific buyer. To under Contract no. 034238-SPEED. The information in this deal with this problem, Kuribayashi and Tanaka proposed a document reflects only the authors’ views, is provided as is reasonably efficient solution in [5] based on embedding the and no guarantee or warranty is given that the information buyer identification information using additive homomor- is fit for any particular purpose. The user thereof uses the phic encryption schemes. The problem of the proposed pro- information at its sole risk and liability. tocol in [5] is the vulnerability of the underlying basic QIM watermarking scheme, which is fragile to simple attacks like amplitude scaling and allows for the detection of the embed- REFERENCES ding positions. Therefore, we have proposed to adapt DC- QIM and RDM techniques to the anonymous fingerprinting [1] N. Memon and P. Wong, “A buyer-seller watermarking proto- scheme of Kuribayashi and Tanaka. col,” IEEE Transactions on Image Processing, vol. 10, no. 4, pp. We have adapted DC-QIM and RDM techniques, which 643–649, 2001. hide the embedding locations, unlike basic QIM, because [2] B. Pfitzmann and M. Waidner, “Anonymous fingerprinting,” in International Conference on the Theory and Application of they are based on SD-QIM. They perform provably equiv- Cryptographic Techniques (EUROCRYPT ’97), vol. 1233, pp. alent (RDM) or better (DC-QIM) than the watermark- 88–102, Konstanz, Germany, May 1997. ing scheme in the original work against additive-noise at- [3] B. Pfitzmann and A.-R. Sadeghi, “Coin-based anonymous fin- tacks. Furthermore, RDM provides robustness to amplitude- gerprinting,” in International Conference on the Theory and scaling attacks which is a major drawback of the basic QIM Application of Cryptographic Techniques (EUROCRYPT ’99), scheme used in [5]. vol. 1592, pp. 150–164, Prague, Czech Republic, May 1999. J. P. Prins et al. 13

[4] B. Pfitzmann and A.-R. Sadeghi, “Anonymous fingerprinting with direct non-repudiation,” in Proceedings of the 6th Inter- national Conference on the Theory and Application of Cryptol- ogy and Information Security (ASIACRYPT ’00), vol. 1976, pp. 401–414, Kyoto, Japan, December 2000. [5] M. Kuribayashi and H. Tanaka, “Fingerprinting protocol for images based on additive homomorphic property,” IEEE Transactions on Image Processing, vol. 14, no. 12, pp. 2129– 2139, 2005. [6] B. Chen and G. W. Wornell, “Quantization index modulation: a class of provably good methods for digital watermarking and information embedding,” IEEE Transactions on Informa- tion Theory, vol. 47, no. 4, pp. 1423–1443, 2001. [7]F.Perez-Gonzalez,C.Mosquera,M.Barni,andA.Abrardo, “Rational dither modulation: a high-rate data-hiding method invariant to gain attacks,” IEEE Transactions on Signal Process- ing, vol. 53, no. 10, part 2, pp. 3960–3975, 2005. [8] T. Okamoto and S. Uchiyama, “A new public-key cryptosystem as secure as factoring,” in International Conference on the Theory and Application of Cryptographic Techniques (EU- ROCRYPT ’98), vol. 1403, pp. 308–318, Espoo, Finland, June 1998. [9] N. Ahituv, Y. Lapid, and S. Neumann, “Processing encrypted data,” Communications of the ACM, vol. 30, no. 9, pp. 777–780, 1987. [10] P. Paillier, “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes,” in International Conference on the Theory and Application of Cryptographic Techniques (EURO- CRYPT ’99), vol. 1592 of Lecture Notes in Computer Science, pp. 223–238, Springer, Prague, Czech Republic, May 1999. [11] S. Goldwasser and S. Micali, “Probabilistic encryption,” Jour- nal of Computer and System Sciences, vol. 28, no. 2, pp. 270– 299, 1984. [12] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commu- nications of the ACM, vol. 21, no. 2, pp. 120–126, 1978. [13] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, 1986. [14] I. D. Shterev and R. L. Lagendijk, “Amplitude scale estimation for quantization-based watermarking,” IEEE Transactions on Signal Processing, vol. 54, no. 11, pp. 4146–4155, 2006. [15] M. Costa, “Writing on dirty paper,” IEEE Transactions on In- formation Theory, vol. 29, no. 3, pp. 439–441, 1983. [16] F. Bartolini, M. Barni, and A. Piva, “Performance analysis of ST-DM watermarking in presence of nonadditive attacks,” IEEE Transactions on Signal Processing, vol. 52, no. 10, pp. 2965–2974, 2004. [17] D. Boneh and J. Shaw, “Collusion-secure fingerprinting for digital data,” IEEE Transactions on Information Theory, vol. 44, no. 5, pp. 1897–1905, 1998. Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 48179, 16 pages doi:10.1155/2007/48179

Research Article Transmission Error and Compression Robustness of 2D Chaotic Map Image Encryption Schemes

Michael Gschwandtner, Andreas Uhl, and Peter Wild

Department of Computer Sciences, Salzburg University, Jakob-Haringerstr. 2, 5020 Salzburg, Austria

Correspondence should be addressed to Andreas Uhl, [email protected]

Received 30 March 2007; Revised 10 July 2007; Accepted 3 September 2007

Recommended by Stefan Katzenbeisser

This paper analyzes the robustness properties of 2D chaotic map image encryption schemes. We investigate the behavior of such block ciphers under different channel error types and find the transmission error robustness to be highly dependent on the type of error occurring and to be very different as compared to the effects when using traditional block ciphers like AES. Additionally, chaotic-mixing-based encryption schemes are shown to be robust to lossy compression as long as the security requirements are not too high. This property facilitates the application of these ciphers in scenarios where lossy compression is applied to encrypted material, which is impossible in case traditional ciphers should be employed. If high security is required chaotic mixing loses its robustness to transmission errors and compression, still the lower computational demand may be an argument in favor of chaotic mixing as compared to traditional ciphers when visual data is to be encrypted.

Copyright © 2007 Michael Gschwandtner et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION which means that in some sense bitstream compliance is not an issue, however, they cannot be combined in a straightfor- A significant amount of encryption schemes specifically tai- ward manner with traditional compression techniques. lored to visual data types has been proposed in literature dur- Compensating errors in transmission and/or storage of ing the last years (see [9, 20] for extensive overviews). The data, especially images, is fundamental to many applications. most prominent reasons not to stick to classical full encryp- One example is digital video broadcast or RF transmissions tion employing traditional ciphers like AES [6]forsuchap- which are also prone to distortions from atmosphere or in- plications are the following: terfering objects. On the one hand, effective error concealment techniques already exist for most current file formats, ff (i) to reduce the computational e ort(whichisusually but when image data needs to be encrypted, these techniques ff achieved by trading o security as it is the case in par- only partly apply since they usually depend on the data for- tial or soft encryption schemes); mat which is not accessible in encrypted form. On the other (ii) to maintain bitstream compliance and associated func- hand, error correction codes may be applied at the network tionalities like scalability (which is usually achieved protocol level or directly to the data but these techniques ex- by expensive parsing operations and marker avoidance hibit several drawbacks which may be not acceptable in cer- strategies); tain application scenarios. (iii) to achieve higher robustness against channel or storage (i) Processing overhead: applying error correction codes errors. before transmission causes additional computational Using invertible two-dimensional chaotic maps (CMs) demand which is not desired if the acquiring and send- on a square to create symmetric block encryption schemes ing device has limited processing capability (like any for visual data has been proposed [4, 8] mainly to serve the mobile device). first purpose, that is, to create encryption schemes with low (ii) Data rate increase: error correction codes add redun- computational demand. CMs operate in the image domain dancy to data; although this is done in a fairly efficient 2 EURASIP Journal on Information Security

manner, data rate increase is inevitable. In case of low- this topic is related to the CMs’ robustness against a specific bandwidth network links (like any wireless network) type of errors (value errors): we investigate the lossy com- this may not be desired. pression of encrypted visual material [10]. Clearly, data encrypted with classical ciphers cannot be compressed well: due One famous example for an application scenario of that to the statistical properties of encrypted data no data reduc- type are RF surveillance cameras with their embedded pro- tion may be expected using lossless compression schemes, cessors, which are used to digitize the signal and encrypt it lossy compression schemes cannot be employed since the re- using state-of-the-art ciphers. If further error correction can constructed material cannot be decrypted any more due to be avoided, the remaining processing capacity (if any) can be compression artifacts. For these reasons, compression is al- used for image enhancement and higher network capacity always required to be performed prior to encryption when lows better quality images to be transmitted. In this work we classical ciphers are used. However, for certain types of ap- investigate a scenario where neither error concealment nor plication scenarios it may be desirable to perform lossy com- error correction techniques are applied, the encrypted visual pression after encryption (i.e., in the encrypted domain). data is transmitted as it is due to the reasons outlined above. ff CMs are shown to be able to provide this functionality to a Due to intrinsic properties (e.g., the avalanche e ect) certain extent due to their robustness to random value errors. of cryptographically strong block ciphers (like AES), such We will experimentally evaluate different CM configurations techniques are very sensitive to channel errors. Single bits with respect to the achievable compression rates and quality lost or destroyed in encrypted form cause large chunks of of the decompressed and decrypted visual data. data to be lost. For example, it is well known that a single A brief introduction to chaotic maps and their respec- bit failure of AES-encrypted ciphertext destroys at least one tive advantages and disadvantages as compared to classical whole block plus further damage caused by the encryption ciphersisgiveninSection 2. Experimental setup and used mode architecture. Permutations have been suggested to be image quality assessment methods are presented in Section 3. used in time-critical applications since they exhibit signif- Section 4 discusses the robustness properties of CM block ci- icantly lower computational cost as compared to other ciphers with respect to different types of network errors and phers, however, this comes at a significantly reduced security compares the results to the respective behavior of a classi- level (this is the reason why applying permutations is said cal block cipher (AES) in these environments. Section 5 dis- be a type of “soft encryption”). Hybrid pay-TV technology cusses possible application scenarios requiring compression has extensively used line permutations (e.g., in the Nagravi- to be performed after encryption and provides experimental sion/Syster systems), many other suggestions have been made results evaluating a JPEG compression, a JPEG 2000 com- to employ permutations in securing DCT-based [21, 22]or pression and finally JPEG 2000 with wavelet packets, all with wavelet-based [14, 23] data formats. In addition to being very varying quality applied to CM encrypted data. Section 6 con- fast, permutations have been identified to be a class of cryp- cludes the paper. tographic techniques exhibiting extreme robustness in case transmission errors occur [19]. Bearing in mind that CM crypto systems mainly rely on 2. CHAOTIC MAP ENCRYPTION SCHEMES permutations makes them interesting candidates for the use in error-prone environments. Taken this fact together with Using CMs as a (mainly) permutation-based symmetric the very low computational complexity of these schemes, block cipher for visual data was introduced by Scharinger wireless and mobile environments could be potential appli- [17] and Fridrich [8]. CM encryption relies on the use of dis- cation fields. While the expected conclusion that the higher crete versions of chaotic maps. The good diffusion properties security level of cryptographically strong ciphers implies of chaotic maps, such as the baker map or the cat map,soon higher sensitivity to errors compared to CM crypto systems attracted cryptographers. Turning a chaotic map into a sym- is nothing new, we investigate the impact of different error metric block cipher requires three steps, as [8] points out. ff models on image quality to obtain a quantifiable tradeo be- (1) Generalization. Once the chaotic map is chosen, it tween security and transmission error robustness. The rise of is desirable to vary its behavior through parameters. wireless local area networks and its diversity of errors enforce These are part of the key of the cipher. the development of new transmission methods to achieve good quality of transmitted image data at a certain protec- (2) Discretization. Since chaotic maps usually are not dis- tion level. crete, a way must be found to apply the map onto a finite square lattice of points that represent pixels in an Accepting the drawback of a possibly weaker protection invertible manner. mechanism, it may be possible to achieve better quality results in the decrypted image after transmission over noisy (3) Extension to 3D. As the resulting map after step two is a channels as compared to classical ciphers. In this work we parameterized permutation, an additional mechanism compare the impact of different types of distortions of trans- is added to achieve substitution ciphers. This is usually mission links (i.e., channel errors) on the transmission of im- done by introducing a position-dependent gray level ages using block cipher encryption with CM encryption (see alteration. Figure 1,partA). In most cases a final diffusion step is performed, often Additionally (see Figure 1, part B), we focus on an is- achieved by combining the data line or column wise with the sue different to those discussed so far at first sight, however, output of a random number generator. Michael Gschwandtner et al. 3

Sender Receiver

Raw image data Distorted raw image data A) Transmission error

B) Lossy compression Distortion

CM/AES JPEG/JPEG 2000 JPEG/JPEG 2000 CM/AES encryption compression decompression decryption

Figure 1: Experimental setup examining (A) transmission error resistance and (B) lossy compression robustness of CM and AES encryption schemes.

The most famous example of a chaotic map is the stan- Discretizing a chaotic Cat map is fairy simple and intro- dard baker map: ducedin[4]. Instead of using the fractional part of a real number, the integer modulo arithmetic is adopted: B: [0, 1]2 −→ [0, 1]2, ⎧ 2 2 ⎪ y 1 Cdisc : N −→ N , ⎨⎪ 2x, if 0 ≤ x< , 2 2 (1) B(x, y) = x 1 a (5) ⎪ y +1 1 C (x, y) = A mod N, A = . ⎩⎪ 2x − 1, if ≤ x ≤ 1. disc y bab+1 2 2 This corresponds geometrically to a division of the unit Finally, an extension to 3D is inserted that may be applied square into two rectangles [0, 1/2[×[0, 1] and [1/2, 1]×[0, 1] to any two-dimensional chaotic map. As all chaotic maps that are stretched horizontally and contracted vertically. Such preserve the image histogram (and with it all correspond- a scheme may easily be generalized using k vertical rectangles ing statistical moments), a procedure to result in a uniform × [Fi−1Fi[ [0, 1[ each having an individual width pi such that histogram after encryption is desired. The extension of a two = i = = N 2→N 2 Fi j=1 pj , F0 0, Fk 1. The corresponding vertical dimensional discrete chaotic map F : to three di- rectangle sizes pi, as well as the number of iterations, intro- mensions consists of a position-dependent grey-level shift duced parameters. Another choice of a chaotic map is the (assuming L grey levels L :={0, ..., L − 1})ateachlevel Arnold Cat map: of iteration:

2 −→ 2 2 2 C: [0, 1] [0, 1] , F3D : N × L −→ N × L ⎛ ⎞ (2) 11 x i C(x, y) = mod 1, ⎜ ⎟ i (6) 12 y F i, j, g = ⎝ j ⎠ , = F(i, j). 3D ij j h i, j, gij where x mod 1 denotes the fractional part of a real number x by subtracting or adding an appropriate integer. This The map h modifies the grey level of a pixel and is a function chaotic map can be generalized using a Matrix A introduc- = of the initial position and initial grey level of the pixel, that ing two integers a, b such that det(A) 1 as follows: = is, h(i, j, gij) gij + h(i, j)modL. There are various possible x 1 a choices of h,weuseh(i, j) = i· j. C (x, y) = A mod 1, A = . (3) gen y bab+1 Since chaotic maps after step two or three are bijections of a square lattice of pixels, an additional spreading of lo- Now each generalized chaotic map needs to be modified cal information over the whole image is desirable. Otherwise to turn into a bijective map on a square lattice of pixels. Let the cipher is extremely vulnerable to known plaintext attacks, N :={0, ..., N − 1}, the modification is to transform do- since each pixel in the encrypted image corresponds exactly 2 main and codomain to N . Discretized versions should avoid to one pixel in the original. The diffusion step is often real- floating point arithmetics in order to prevent an accumula- ized as a linewise process, for example, tion of errors. At the same time they need to preserve sen- ∗ ∗ sitivity and mixing properties of their continuous counter- v(i, j) = v(i, j)+G v(i, j − 1) mod L,(7) parts. This challenge is quite ambitious and many questions arise, whether discrete chaotic maps really inherit all impor- where v(i, j) is the not-yet modified pixel at position (i, j), tant aspects of chaos by their continuous versions. An im- ∗ v(i, j) is the modified pixel at that position, and G is an ar- portant property of a discrete version F of a chaotic map f bitrarily chosen random lookup table. is Concerning robustness against transmission errors, CMs lim max f (i/N, j/N) − F(i, j) = 0. (4) of course are expected to be more robust when diffusion steps N→∞ 0≤i,j

Table 1: Cardinality of key spaces K(N). Table 2: Tested image encryption algorithms for part A.

N = 20 N = 25 N = 128 N = 512 Name Description Baker map keyset1 83343 571 1031 10126 2DCatMap Cat map Baker map keyset2 524288 16777216 1038 10153 2DBMap Baker map Cat map 400 625 16384 262144 3DCatMap Cat map with 3D extension AES128 1038 1038 1038 1038 2DCatDiﬀ Cat map with diﬀusion step AES256 1077 1077 1077 1077 AES128ECB AES using ECB on 128 bit blocks AES128CBC Same as AES128ECB, using CBC

Table 3: Tested image encryption algorithms for part B. during encryption, that is, in diffusion steps, a single pixel error in the encrypted image causes several pixel errors in the Name Description original image. For this reason, we investigate both settings 2DCatMap5/7/10 Cat map with 5/7/10 iterations ff with and without di usion. 2DCatDiff5 Cat map with diffusion step and five iterations ff It should be clear that chaotic maps have di erent prop- 3DCatMap5 Cat map with 3D extension and five iterations erties when compared to conventional block ciphers. Typi- 2DBMap5/17 Baker map with 5/17 iterations cally, conventional block encryption schemes like AES work on block sizes of 128, 256, or 512 bit. key space contains 2n elements, where n is the number of key bits, which is usually Table 4: Employed keys/parameters for experiments. often 1 : 1 to block size. Name Value As the main property of CM is permutation, it operates BakerMapKey1 192,32,32 on larger units, that are full (square) images. Their smallest BakerMapKey2 32,64,32,16,32,32,16,8,8,8,8 element to be permuted is a pixel. To encrypt an N × N image, N2! permutations exist. However, the key space available AES IV 10111213141516171819202122232425 to parameterize the chaotic map is often orders of magni- AESKey 000102030405060708090A0B0C0D0E0F tude smaller. Another drawback is dependency on image size. CatMapKey 2,3,1,1 There are configurations where a small change in image size causes key space to shrink dramatically (see keyset1 and key- set2 in Table 1). In Table 1, cardinalities of key spaces K(N) 3. EXPERIMENTAL SETUP for Baker map, Cat map,andAES are compared choosing a We analyze both transmission error resistence (part A) and representative N × N grey-scale image. While the number of compression robustness (part B) of three different flavors of iterations and parameters for the diffusion step is usually part the chaotic Cat map algorithm, a simple 2D version of the of the key for chaotic encryption algorithms they have been Baker map and AES using different block encryption modes neglected for this comparison. It is evident that key space, es- (see Tables 2, 3). All chaotic ciphers use 10 iteration rounds, pecially for smaller image sizes, is insufficient. In this case or if not specified differently. for problematic image sizes, padding should be used to pre- Since the number of iterations used in CM algorithms vent a guessing of all possible key combinations. At this point largely affects the distribution of distortions caused by lossy a main drawback of the Cat map becomes evident: its pa- compression, we examine the impact of this parameter on rameters offer little combinations compared to other chaotic image quality. The diffusion step has been excluded from all maps. chaotic maps, except CatDiff. All algorithms are applied to a Chaotic maps are generally sensitive to initial conditions set of 10 natural and 6 synthetic 256 × 256 images with 256 and parameters. But some discrete versions bear unexpected grey levels referenced in Figure 2 (only 13 of 16 pictures are behavior when using similar keys. While classical encryp- shown due to copyright restrictions) using two sets of rep- tion algorithms are sensitive to keys, chaotic maps such as resentative encryption keys (keyset2 represents a strong key the Baker map exhibit a set of keys S(K)foreachkeyK, whereas keyset1 exhibits certain weaknesses with respect to such that the image encrypted with K and decrypted using security). Key parameters for the visual quality experiment k ∈ S(K), k=K is close to its original. We get similar results are given in Table 4. when using keys that are derived from the original by replacing a large parameter by two smaller ones or merging two small parameters into a larger one. This has been observed 3.1. Setup by [8]. Accepting the drawback of a further limitation of key A flow chart to illustrate the test procedure for both part A space (the intruder may be content to find a key that pro- and part B is depicted in Figure 1. Recapitulating, the test duces acceptable approximations of original images and con- procedureisasfollows. tinues with refinement), this may also be seen as a feature of the encryption system. Transmission errors destroying single (i) Part A: transmission error robustness. After encryption, bits of the key do not necessarily lead to fully destroyed de- a specific type of error as introduced in Section 4.1 is cryption. Heuristics could produce a similar key, that allows applied to the encrypted image data. Finally, the image decryption at a low but probably sufficient quality. is decrypted and the result is compared to the original. Michael Gschwandtner et al. 5

(ii) Part B: compression robustness. After encryption, three Table 5: ITU-R-BT500-11 subjective quality rating scales. diﬀerent compression algorithms (JPEG, JPEG 2000, and JPEG 2000 with wavelet packets) are applied to Quality Description the encrypted image data. To assess the behavior of the 5Excellent described processing pipeline, the image is ﬁnally de- 4 Good compressed, decrypted and the result is compared to 3Fair the original image and the achieved compression ratio 2Poor (using the encrypted image as reference) is recorded. 1Bad

3.2. Image quality assessment nals being shown at the same time, that is, in one assessment It is difficult to find reliable tools to measure quality of dis- step, using the quality levels introduced in Table 5. torted images. This is especially true in a low-quality sce- In the following section we give a short description of nario. Several metrics exist, such as the signal-to-noise ra- the observed results with respect to distortions. In order to tio (SNR), peak SNR (PSNR), or mean-square error (MSE), complement the subjective ratings, we also report the refer- which are frequently used in quantifying distortions (see ence PSNR value. While it is clear, that in some cases further [3, 7]). Mao and Wu [11] propose a measure specifically tai- error correction by means of denoising might be useful and lored to encrypted imagery that separates evaluation of lumi- thus better results can be achieved, we do not concentrate on nance and edge information into a luminance similarity score postprocessing techniques at this point. (LSS) and an edge similarity score (ESS), reflecting properties of the human visual system. According to the authors, this 4. TRANSMISSION ERROR ROBUSTNESS measure is well suited for assessing distortion of low-quality images. LSS behaves in a way very similar to PSNR. ESS is In this section, our goal is to provide a comparison of two the more interesting part in the context of the survey pre- completely different block ciphers with respect to their be- sented here, as it reflects the extent for structural distortion. havior in the transmission of encrypted visual data over noisy ESS is computed by block-based gradient comparison and channels. Therefore, this section introduces a set of distor- ranges, with increasing similarity, between 0 and 1. However, tion models we believe are practical and illustrative for ap- reliable assessment of low-quality images should be made by plications. human observers in a subjective rating as this cannot be accomplished in a sensible way using the metrics above. Subjec- tive visual assessment of transmissions yields a mean opin- 4.1. Classification of used error models ion score (MOS) [1] evaluating gradings of human observers according to strictly specified testing conditions. Such con- Much work has already been done to classify transmission ditions are specified in, for example, [2] for the subjective errors occurring at wireless data transmission and a variety assessment of the quality of television pictures. These meth- of sophisticated network simulators already exist. To focus ods can be extended to the assessment of images in general on a generally applicable comparison of the two encryption and are frequently adopted, such as in [5]. Recommendation mechanisms CM and AES, we arrange simulations that can ITU-R-BT500-11 [2] introduces both double stimulus (with be described by the following model: a sender S transmits reference picture) and single stimulus (without reference pic- asequences0, s1, s2, ..., sn of n + 1 bytes over a lossy chan- ture) assessment methods with a strictly defined testing envi- nel. Receiver R receives a sequence r0, r1, r2, ..., rm of bytes, ronment, that is, quality and impairment scales, lighting con- that is possibly different to s0, s1, s2, ..., sn. There are situa- ditions and also restrictions regarding selection of observers. tions where n=m. We identify two categories of observable We have decided to adopt only a subset of features, in partic- errors. ular, (i) Value errors, where n = m and r0, r1, ..., rn are derived (i) we adopt to a simultaneous double stimulus method from the original sequence alternating selected bytes. (SDSCE) with reference and test pictures being shown More formally, there exists a set A ⊂{0, ..., n} and at the same time; error function f such that for all i ∈{0, ..., n} (ii) we employ the specified five-graded quality scale (see Table 5). ∈ Additionally, we conform the specified condition, that at f (si)ifi A; ri = (8) least fifteen subjects, nonexperts, should be employed. si else. Since [2] specifies subjective video quality assessment methods, it should be noticed that observers evaluate the av- Note that f may depend on additional random variables. erage quality of the frames displayed. In our case still images are evaluated. Therefore, we let the observer vote for the av- (ii) Buffer errors, where bytes are changed, inserted, re- erage quality of three different test pictures (encrypted using moved, and possibly resorted. There exists a set A ⊂ the same algorithm, but different keys) with respective origi- {0, ..., m} and error function f such that a received 6 EURASIP Journal on Information Security

stream may be described as Table 6: State transitions in Two-State Model. Probability State transition ∈ f (si)ifj A; p Stay in normal ∀ j ≤ m ∃i ≤ n : rj = (9) si else. (1 − p) Change to error q Stay in error Various combinations of such errors can occur. However, to (1 − q) Change to normal extend the observations to existing network behavior, it is inevitable to model characteristics of transmission packets and network protocols. We believe at this point that the introduced classes are sufficient to show the main differences be- distortions in RF transmissions. Moderate rain causes pix- tween the two algorithms CM and AES. Another reason why els in satellite TV transmissions to be distorted using specific further modeling is not adequate at this point is the follow- distribution functions. ing: if we get close to an error saturation, the category of er- ff ror should be negligible, as many small bu er errors behave (iii) Random Markov chain similar to many value errors. Similarly to the error model introduced before this model 4.2. Value errors assumes that a byte is overwritten by a random value if it is selected to contain an error. But the decision if a byte has an Proceeding with the notion of an incoming distorted se- ff error is made conforming to a 2-state Markov chain. quence r0, r1, ..., rn, one can identify several di erent subsets Given two states (1 = error and 0 = normal), there A and functions f to model a value error. are transition properties to stay or change the current state. Transitions are handled as shown in Table 6.Espe- (i) Static error cially for modeling errors in wireless transmission, this model has frequently been adopted (see, e.g., [13]). Let In this model every single byte will be changed, that is, A = X∼U(0, 1), Y∼U(0, 1) be uniformly distributed random {0, ..., n}. The change for all bytes is quite simple: each byte variables and p, q ∈ [0, 1] denote state-transition probabil- gets logically ORed with a static byte b ∈{0, ..., 255}.For ities as introduced before, then we formulate a state func- our experiments we have assigned to b the value 85. Thus, we tion returning the current state at time t with starting state have for all i ∈{0, ..., n} : r = s OR b. This can be used i i i I ∈{0, 1} as follows: to simulate defect bus lines, which are permanently at a high 0 error level. I(t0):= I0 ⎧ (ii) Random error and random Gaussian error ⎪1ifI(t ) = 0 ∧ X >p ⎨ i i (12) = = ∧ ≤ I ti+1 : ⎪ or I(ti) 1 Yi q; The most general error assumption may be the selection of ⎩⎪ A using distribution functions. Having to transmit n bytes, 0 else. for each byte si a specifically distributed random variable de- cides whether i ∈ A or i ∈ A, that is, whether it is trans- Thus, if we use again E∼UD(0, 255), we have ∀i ∈{0, mitted correctly or not. The classes random error and ran- ..., n}: dom Gaussian error use the uniform distribution and normal distribution for selection, respectively. Let X∼U(0, 1) be a = (standard, continuous) uniformly distributed random vari- Ei if I(ti) 1; ri = (13) able and let E∼UD(0, 255) denote a discrete uniformly dis- si else. tributed random variable, then a random error is defined for ∈{ } all i 0, ..., n by For the implemented error model we make the following assignments: p = 0.98, q = 0.03, I0 = 0. Ei if Xi

Ei if Xi >p; the major problem here is a possible perturbation, replaying ri = (11) si else. and loss of packets consisting of one or multiple bytes. These errors are often simulated with special network The assignments for our experiments are as follows: μ = 0, simulators like ns2 (see at http://www.isi.edu/nsnam/ns). σ = 1, p = 2.5. This error model is often used to simulate Reference [12] shows that these errors happen in bursts Michael Gschwandtner et al. 7

def random buﬀer() def random packet() { { for (i = 0; i

(subsequently). We do not consider the error in bursts as this We show the mean opinion scores of 107 (90 male, 17 fe- makes an assumption on the transmission channel, and in male) human observers for the test pictures Lena, Landscape, the encryption context “real random” errors are the worst and Ossi together with the reference mean PSNR values in case scenario. As the error may occur inside the destroyed Table 7. The maximum absolute MOS distance between male buffer and on the “error edges” (for blockciphers in chain- and female observers is 0.26 and 0.19 for image-quality ex- ing mode only), we can see that the impact with bursts is less perts versus nonexperts. Especially for random packet errors, severe as there are fewer “error edges.” experts tend to grade AES and CM diffusion results better, while finding CM random Gaussian errors to be more both- (i) Random buffer error ersome. As can be seen in Table 7, mean PSNR is a good indi- The most simple case is when packet size is a single byte. To cator for MOS. Since subjective image assessments are time model a behavior where each sent byte may be lost, repli- consuming (they cannot be automated), we analyze the com- cated, or finally perturbated in the final sequence the corre- plete test picture set in Figure 2 with respect to this quality sponding actions are modeled as random variables. In our metric. current implementation, only one type of error (add or re- It is clear that comparison results largely depend on the move of a selected byte) per transmission is possible. The de- parameters of the error model, such as the error byte b for scribed simulation models errors appearing on serial trans- static error or the error rate r. Figure 3 depicts exactly this mission links, where the sender and the receiver are slightly relationship comparing CM and AES error resilience perfor- out of synchronization. Algorithm 1 is a simplified pseu- mance against different error rates (the plots display average docode representation of the implemented algorithm. PSNR values of the images displayed in Figure 2). Inspect- ing the mean PSNR curves, we can see that for all differ- (ii)Randompacketerror ent types of errors, 2DCatMap and 2DBMap do not differ much,aswellasdonotdiffer AES encryption modes. It also Compared to the random buffer error, the random packet illustrates CMs superiority in transmission error robustness error represents an error which is more likely in current sys- for random errors. Interestingly, also 3DCatMap performs tems. As practically any modern computer networks (wired equivalently to the pure 2D case for value errors (compare and wireless) are packet switched, packet loss errors, dupli- also Table 6). The results for random buffer errors also in- cated packets, or out-of-order packets of any common size dicate superiority of CMs, but the low overall PSNR range can occur during transmissions. Simulation of packet loss obtained does not really lead to visually better results. For (the most common error) is done by cutting out parts (con- random buffer errors, 3DCatMap gives equal results to the sisting of an arbitrary number of bytes) of the encrypted im- 2DCatDiff variant contrasting to the value error cases. For age or overwriting them with a specified byte. The imple- random packet errors, AES exhibits 1.5–2 dB higher mean mented algorithm is sketched in Algorithm 2. PSNR values than standard 2D CM crypto systems. It is 8 EURASIP Journal on Information Security

Table 7: Comparing AES and CM with respect to objective and subjective image quality using Landscape, Lena, and Ossi test images.

Static error Random error R. Gaussian error R. buﬀer error R. Packet error Algorithm Mean PSNR MOS Mean PSNR MOS Mean PSNR MOS Mean PSNR MOS Mean PSNR MOS Original 13.87 3.10 28.36 4.61 27.53 4.57 10.54 1.39 11.25 2.12 2DCatMap 13.87 3.06 28.34 4.50 27.52 4.56 9.56 1.02 9.73 1.43 2DBMap 13.87 3.07 28.47 4.57 27.37 4.58 9.60 1.00 10.13 1.13 3DCatMap 14.74 2.78 28.43 4.53 27.59 4.56 8.47 1.00 8.92 1.17 2DCatDiﬀ 8.47 1.00 14.24 3.03 13.30 2.75 8.47 1.00 8.46 1.00 AES128ECB 8.52 1.00 16.56 3.21 15.77 3.00 8.58 1.02 10.93 2.40 AES128CBC 8.46 1.00 16.47 3.12 15.63 2.92 8.55 1.04 11.48 2.23

4.4.1. Static error

For simulating the static error case, all bytes are ORed with b = 85 (Figures 4(a) and 4(b)). It is evident that results for AES are unsatisfactory. As every byte of the encrypted image is changed, the decrypted image is entirely destroyed re- (a) Anton (b) Building (c) Cat sulting in a noise-type pattern. The distortion of the CM- encrypted image is exactly as significant as if the image had not been encrypted. The cause for the observable preserva- tion of the original image is the fact that simple 2D CM is solely a permutation. In contrast, 3D CM consists of an additional color shift depending on pixel positions. Also the 3D CM handles this type of distortion well whereas the diffusion (d) Disney (e) Fractal (f) Gradient step added destroys the result. The number of alternately dependent bits can be controlled with the number r of iteration rounds. If just a few rounds are used, an error does not spread over large parts of the image. Using many rounds, a single flipping bit causes the scrambling of the entire image.

(g) Grid (h) Landscape (i) Lena 4.4.2. Random error and random Gaussian error

As we have expected, random error and random Gaussian error show very similar results. When considering properties of block ciphers, we can see that the alternation of a single byte destroys the encrypted block in ECB mode (including a byte of the following block in CBC/CFB mode). This causes every (j) Pattern (k) Niagara (l) Tree error to destroy bs bytes (bs +1 in CBC/CFB) in the decrypted image, where bs is the used block size (see Figure 5(b)). Fur- ther errors occurring in already destroyed blocks have no effect. This leads to stronger impact on block ciphers when parameters for error probability are small. When the error rate is high, this drawback is reduced as more and more errors lie within the same damaged block. The CMs cope very well (m) Ossi with this distortion type since errors are not expanded and the result is again identical as if the image had not been en- Figure 2: Test pictures for transmission errors and compression ro- ff bustness. crypted (see Figure 5(a)). Again, applying di usion is the exception where degradation may become even more severe as compared to the AES cases. also interesting to see that for AES even at very low error 4.4.3. Random buffer error rates starting at 4-5 percent random errors cause at least as much damage to image quality than random packet er- Using random buffer error in the AES case, we observe the rors. However, when error rates become very high, there is following phenomenon. Each time the encrypted blocks get not much difference between any of the introduced error synchronized with their respective original counterparts, the models. following blocks are decrypted correctly until the next error Michael Gschwandtner et al. 9

30 11 20 10.5 18 25 16 10 20 14 9.5 15 12 PSNR (dB) 9 PSNR (dB) PSNR (dB) 10 10 8.5 8 5 8 6 0102030405060708090 0102030405060708090 0102030405060708090 Error probability (%) Error probability (%) Error probability (%)

2DCatMap/2DBMap/3DCatMap 2DCatMap/2DBMap 2DCatMap/2DBMap 2DCatDiff 3DCatMap/2DCatDiff 3DCatMap/2DCatDiff AES128ECB/AES128CBC AES128ECB/AES128CBC AES128ECB/AES128CBC (a) Random error (b) R. buffer error (c) R. packet error

Figure 3: Comparing AES and CM transmission error robustness against error rate.

(a) 2DCatMap (b) AES128ECB

Figure 4: Effect of static byte errors on Lena image. occurs (see Figure 6(b)). If we use CBC or CFB, the block 4.4.4. Random packet error directly after the synchronization point SP is additionally de- ff stroyed. Of course, this analysis is only correct in case identi- For random packet error we distinguish two di erent ver- calkeysareemployedforeachblock. sions: As we model only insertion or deletion of bytes, we reach (1) the packet loss gets detected and the space is padded SPs every blocksize (bs) errors. Each time an error occurs we with bytes; step either into an error phase, where every pixel is decrypted (2) no detection of the packet loss is done. incorrectly, or a normal phase (where pixels get decrypted correctly). Let us assume that for the number of errors e, the As to the first version we observe, when using AES, that the × blocksize bs, and the image size is the relation lost part plus bs (respective 2 bs) bytes are destroyed. With 2DCatMap and 3DCatMap only the amount of lost pixels is destroyed. This case corresponds to a value error occurring is bs e (14) in bursts or a local static error, the results obtained show the bs respective properties. In the second case (which is covered in Table 7)CMhas holds. Then we get approximately (bs − 1) times more error the same synchronization problems as in random buffer error phases than normal phases. If the error rate exceeds the upper which causes the image to be entirely degraded (Figure 7(a)). bound, the entire image is destroyed. The impact on block ciphers depends on the size of the The reason why CM-encrypted images are completely packet ps. If the equation ff destroyed with random bu er error (Figure 6(a)) is the in- ps mod bs = 0 (15) herent sensitivity with respect to initial conditions. In most cases, neighboring pixels in the encrypted image are far apart holds, the error gets compensated very well (shown in in the decrypted image. Every time an error occurs, the pix- Figure 7(b); this block-type shift can be inverted very eas- els are shifted by one and the decrypted pixels are completely ily). Scrambled parts after the cut points come to bs out of place. In CM we cannot identify SPs. (respective 2 × bs). If the packet size is different, only the 10 EURASIP Journal on Information Security

(a) 2DCatMap (b) AES128ECB

Figure 5: EﬀectofrandombyteerrorsonLenaimage.

(a) 2DCatMap (b) AES128CBC

Figure 6: Effectofbuffer errors on Lena image. parts of the image lying between synchronization points and On the other hand, application scenarios exist where a the next error are decrypted correctly. compression of encrypted material is desirable. In such a sce- In normal packet switched networks, the packets need nario classical block or stream ciphers cannot be employed. identification numbers and therefore lost packets can be de- For example, dealing with video surveillance systems often tected. That is why the first case of random packet errors is concerns about protecting the privacy of the recorded per- most likely to occur. sons arise. People are afraid what happens with recorded data OverallwehavefoundexcellentrobustnessofCMwith allowing to track a persons daily itineraries. A compromise respect to value errors which results in significantly better be- to minimize impact on personal privacy would be to con- havior as compared to classical block ciphers in such scenar- tinuously record and store the data but only view it, if some ios. However, CM cannot be said to be robust against trans- criminal offense has taken place. mission errors in general, since the robustness against buffer To assure that data cannot be reviewed unauthorized, it is errors is extremely low due to the high sensitivity towards transmitted and stored in encrypted form and only few peo- initial conditions of these schemes. Depending on the target ple have the authorization (i.e., the key material) to decrypt scenario, either CM or classical block ciphers may provide it. better robustness properties. Theproblem,asdepictedinFigure 8, is the amount of memory needed to store the encrypted frames (due to hard- ware restrictions of the involved cameras, the data is trans- 5. COMPRESSION ROBUSTNESS mitted in uncompressed form in many cases). For this reason, frames should be stored in a compressed form only. As already outlined in the introduction, classically encrypted When using block ciphers, the only way to do this would be images cannot be compressed well, because of the typical the decryption, compression, and re-encryption of frames. properties encryption algorithms have. In particular it is not This would allow the administrator of the storage device to possible to employ lossy compression schemes since in this view and extract the video signal which obviously threatens case potentially each byte of the encrypted image is changed privacy. There are two practical solutions to this problem. (and most bytes in fact are), which leads to the fact that the (1) Before the image is encrypted and transmitted, it decrypted image is entirely destroyed resulting in a noise- is compressed. Beside the undesired additional computa- type pattern. Therefore, in all applications involving com- tional demands for the camera system, this has further disad- pression and encryption, compression is performed prior to vantages, as transmission errors in compressed images have encryption. usually an even bigger impact without error concealment Michael Gschwandtner et al. 11

(a) 2DCatMap (b) AES128CBC

Figure 7: Eﬀect of packet errors on Lena image.

Camera Observer Acquired Decryption image Encryption View Insecure channel A) Live observation Database Lossy B) Criminal investigation compression Decompression Decryption

Figure 8: Privacy solution for surveillance systems. strategies enabled. This strategy increases the error rate as cryption to a scalable or embedded bitstream like JPEG2000. induced by decrypting partially incorrect data even further. While this approach solves the question of transcoding in the This is prohibitive in environments where the radio signal is encrypted domain in the most elegant manner, the transmis- easily distorted. sion error robustness problem as discussed for the surveil- (2) The encrypted frames are compressed directly. In this lance scenario remains unsolved. manner, the key material does not have to be revealed when storing the visual data thereby maintaining the privacy of the 5.1. Experiments recorded persons. Figuure 8 shows such a system. Clearly, in this scenario classical encryption cannot be applied. In the Based on the observation of the excellent robustness of CM following we will investigate whether CM can be applied and against value errors, these encryption schemes seem to be which results in terms of quality and compression are to be natural candidates to tolerate the application of compression expected. directly in the encrypted domain without the need for de- A second example where compression of encrypted vi- cryption and re-encryption. The reason is that compression sual data is desirable is data transmission over heterogeneous artifacts caused by most lossy compression schemes may be networks, for example, a transition from wired to wireless modeled as random value errors (e.g., errors caused by quan- networks with corresponding decreasing bandwidth. Con- tization of single coefficients in JPEG are propagated into the sider the transmission of uncompressed encrypted visual entire block due to the nature of the DCT). In the follow- data in such an environment as occurring in telemedicine ing, we experiment with applying lossy compression to the or teleradiology, for example, when changing from the wired encrypted domain of CM. network part to the wireless one, the data rate of the visual material has to be reduced to cope with the lower bandwidth 5.1.1. JPEG-compression of CM encrypted images available. Employing a classical encryption scheme, the data has to be decrypted, compressed, and re-encrypted similar Figures 9–14 show images where the encrypted data got lossy to the surveillance scenario described before. In the network JPEG compressed [15], decompressed, and finally decrypted scenario, these operations put significant computation load again. In these figures, we provide the quality factor q of the onto the network node in charge for the rate adaptation and JPEG compression, the data size of the compressed image in the key material needs to be provided to that network node, percent % of the original image size, and the PSNR of the which is demanding in terms of key management. A solution decompressed and decrypted image given in dB. where the encrypted material may be compressed directly In general, we observe quite unusual behavior of the CM is much more efficient of course. The classical approach to encryption technique. The interesting fact is that despite the tackle this second scenario is to apply format compliant en- lossy compression, a CM-encrypted image can be decrypted 12 EURASIP Journal on Information Security

(a) q = 55: 36%, 23.4 dB (b) q = 45: 37%, 15.9 dB (c) q = 45: 37%, 9.2 dB

Figure 9: Cat map with 5 iterations (without extensions and using 3D and diﬀusion extensions, resp.), keyset2.

(a) q = 30: 29%, 18.9 dB (b) q = 20: 21%, 16.4 dB (c) q = 10: 13%, 14.5 dB

Figure 10: Cat Map with 5 iterations using different compression ratios on the Ossi image, keyset1. quite well (depending on the compression rate of course). As map case with the same data rate (compare Figure 11(a) to already mentioned, this is never the case if classical encryp- Figure 9(a)). The reason is displayed in Figure 11(b); using tion is applied. the Baker map with 5 iterations, we still recognize structures Figure 9 compares the application of the standard 2D Cat (horizontal areas of smoothly varying gray values in a single map without and with additional extensions to increase secu- line) in the encrypted data which means that mixing has not rity (i.e., 3D or diffusion extensions are employed addition- yet fulfilled its aim to a sufficient degree. On the one hand, ally). At a fixed compression rate (slightly lower than 3), we this is good for compression since errors are not propagated obtain a somewhat noisy but clearly recognizable image in to a large extent; on the other hand, this threatens security case of no further extensions are used (Figure 9(a)). Apply- since the structures visible in the encrypted data can be used ing the 3D extension to the standard Cat map (Figure 9(b)), to derive key data used in the encryption process. we observe significant degradation of the decrypted image Increasing the number of iterations (e.g., to 17 as shown as compared to the standard Cat map with identical number in Figures 11(c) and 11(d)) significantly reduces the amount of iterations. However, the image content is still recognizable of visible structures. As it is expected, the compression results whichisnolongertrueincasethediffusion extension is used; are similar now to the Cat map case using 5 iterations. Using see Figure 9(c). It is worthwhile noticing that we obtain the 20 iterations and more, no structures are visible any more same result, noise, no matter which compression rate or im- and the compression results are identical to the Cat map age quality is used in case the diffusion step is performed. Ac- case. tually this result is identical to a result if a cryptographically In Figure 12 we give examples of the effects in case patho- strong cipher like AES had been used instead of Catdiff. logical key material is used for encryption. When using key- The effect when compression ratio is steadily increased set 1 for encryption with the Baker map (Figures 12(a) and is shown in Figure 10 on the Ossi test image. Lower data 12(b)), the structures visible in the encrypted material are rates in compression increase the amount of noise in the de- even clearer and in perfect correspondence also the compres- crypted images, however, still with a compression ratio of sion result is superior to that of keyset 2 (Figure 11). With 5 (21%) the image is clearly recognizable and the quality these setting, an even higher number of iterations are re- would be sufficient for a handhold phone or PDA display, for quired to achieve reasonable security (which again destroys example (Figure 10(b)). Of course, higher compression ra- the advantage with respect to compression). Also for the Cat tios lead to even more severe degradations which are hardly map, weak keys exist. In Figure 12(d) the encrypted data is acceptable for any application (e.g., compression ratio 7.5 shown in case 10 iterations are performed using keyset 1. In in Figure 10(c)). However, higher compression ratios could this case, even image content is revealed and the key param- be achieved with sensible quality using more advanced lossy eters are reconstructed easily with a ciphertext only attack. compression schemes like JPEG2000 [18]forexample. Correspondingly, also the compression results are much bet- Increasing the number of iterations to more than 5 does ter as compared to the case when 5 iterations are applied not affect the results of the Cat map for a sensible keyset (as (see Figure 9(a)). These parameters (weak keys) and corre- used, e.g., in Figure 9). This is not true for the Baker map sponding effects (reduced security) have been described in as shown in Figure 11. When using 5 iterations, the com- the literature on CM and have to be avoided for any applica- pression result is significantly better as compared to the Cat tion of course. Michael Gschwandtner et al. 13

(a) q = 70: 37%, 28.0 dB (b) q = 70: encrypted

Figure 11: Baker map with varying number of iterations (5 and 17 iterations), keyset2.

(a) q = 75: 36%, 30.9 dB (b) q = 75: encrypted

Figure 12: Baker map and Cat map with pathological keyset1 (5 and 10 iterations).

Applying the Cat map with poor quality keys shows an- this case for a higher number of iterations. Figure 13 shows other unique property. While increasing the number of it- the Ossi image when applying 7 and 10 iterations using key- erations increases the security of the Baker map as we have set1, while Figure 10(a) shows the case of 5 iterations. Fixing observed, the opposite can occur for the Cat map for speciﬁc the data rate, the higher the number of iterations is, the better keysets. Accordingly, also compression results are better in the quality gets. 14 EURASIP Journal on Information Security

(a) q = 30: 28%, 19.3 dB, 7 iterations (b) q = 50: 29%, 23.4 dB, 10 iterations

Figure 13: Cat map with 7–10 iterations on the Ossi image, keyset1.

(a) q = 30, 5 iterations (b) q = 30, 7 iterations (c) q = 30, 10 iterations

Figure 14: Cat map with 5–10 iterations on the Ossi image, keyset1, encrypted domain.

The reason for this effect is shown in Figure 14.Themore In general, we observe a significant tradeoff between se- iterations are applied, the more structural information is vis- curity and visual quality of compressed data when compar- ible and key information may be derived. As shown before ing the different settings as investigated. Increasing the num- for the Lena image, with 10 iterations in use already image berofiterationsuptoacertainlevelincreasessecuritybut content is revealed. Of course, due to the higher amount of decreases compression performance (this is especially true coherent structures present in the encrypted domain (espe- for the Baker map which requires a higher number of iter- cially exhibited in Figure 14(c)), corresponding compression ations in general to achieve reasonable security). However, of can achieve better results. course the computational effort increases as well. We face an even more significant tradeoff when increasing security further: the 3D extensions already strongly de- 5.1.2. JPEG 2000-compression of CM encrypted images crease image quality whereas diffusion entirely destroys the capability of compressing encrypted visual data. When the security level approaches the security of cryptographically We have not only evaluated lossy compression using the strong ciphers like AES, also CMs do not offer robustness JPEG algorithm but also with JPEG 2000 [18] and JPEG 2000 against lossy compression any longer. with wavelet packet decomposition [16] and best basis selection using log energy as cost function and full decomposition. Apart from providing visual evidence as shown in the 6. CONCLUSION preceeding subsection, we have also conducted large scale ex- perimentation using the images shown in Figure 2. Figure 15 CM behaves differently with respect to robustness against shows averaged PSNR results for a decreasing amount of transmission errors depending on the nature of errors. compression comparing PSNR quality of original images to WhereasCMhasturnedouttobeextremelyrobustincase three variants of CMs. The results show that the choice of of value errors, the opposite is true for buffer errors. If pixel the algorithm has very little impact on the overall trend of values change, the errors remain restricted to the affected our results. While diffusion entirely destroys robustness to pixels even after decryption whereas missing or added pix- lossy compression, 2D (as well as 3D variants to some ex- els entirely destroy the synchronization of the CM schemes. tent) CMs exhibit a certain amount of robustness against all The observed robustness against value errors also explains sorts of compression. While JPEG2000 with classical pyra- the unique property to tolerate a medium amount of lossy midal decomposition outperforms the JPEG results by up to compression which is an exceptional property not found in 2 dB, the wavelet-packet-based technique performs similar to other ciphers. Applying the Cat map with 5 iterations or the JPEG only. It seems that the deep decomposition structures Baker map with 20 iterations provides a certain degree of se- produced by the best basis search caused by the noise in the curity and decrypted images show acceptable image quality subbands tend to detoriate the results. even after significant JPEG compression. Michael Gschwandtner et al. 15

60 60 60 50 50 50

40 40 40 30 30 30

PSNR (dB) 20 PSNR (dB) 20 PSNR (dB) 20 10 10 10 0 0 0 0 10203040 50 60 70 80 90 100 0 102030405060708090100 0 102030405060708090100 File size (%) File size (%) File size (%)

2DCatMap JPEG 2DCatMap JPEG 2000 2DCatMap JJ 2000 WP 3DCatMap JPEG 3DCatMap JPEG 2000 3DCatMap JJ 2000 WP 2DCatDiff JPEG 2DCatDiff JPEG 2000 2DCatDiff JJ 2000 WP Original JPEG Original JPEG 2000 Original JJ 2000 WP (a) JPEG (b) JPEG 2000 (c) JJ 2000 WP

Figure 15: Mean PSNR versus ﬁle size of 16 diﬀerent test images under varying using JPEG, JPEG 2000, and JPEG 2000 compression with wavelet packets.

However, the statements about robustness only apply [5]S.-G.Cho,Z.Bojkovic,D.Milovanovic,J.Lee,andJ.-J. if CM is used without diffusion step (i.e., in a less secure Hwang, “Image quality evaluation: Jpeg 2000 versus intraonly mode). If diffusion is added, robustness against transmission h.264/avc high profile,” Facta Universitatis, Nis, Series: Elec- value errors and compression is entirely lost. Even in case tronics and Energetics, vol. 20, no. 1, pp. 71–83, 2007. only the 3D extension technique is used, robustness is sig- [6] J. Daemen and V. Rijmen, The Design of Rijndael: AES—The nificantly reduced. Advanced Encryption Standard,Springer,NewYork,NY,USA, As long as a lower security level is acceptable (i.e., diffu- 2002. sion is omitted), classical block ciphers like AES may be com- [7] A. M. Eskicioglu, “Quality measurement for monochrome plemented by CM block ciphers in case of value errors in an compressed images in the past 25 years,” in Proceedings of IEEE ffi International Conference on Acoustics, Speech and Signal Pro- e cient manner (computational demand is much lower and cessing (ICASSP ’00), vol. 4, pp. 1907–1910, Istanbul, Turkey, robustness to transmission value errors is higher). Also, lossy June 2000. compression may be applied in the encrypted domain to a [8] J. Fridrich, “Symmetric ciphers based on two-dimensional certain extent which is not at all possible with classical ci- chaotic maps,” International Journal of Bifurcation and Chaos phers. If high security is required, it is better to stick to clas- in Applied Sciences and Engineering, vol. 8, no. 6, pp. 1259– sical block ciphers in any environment. 1284, 1998. [9] B. Furht and D. Kirovski, Eds., Multimedia Security Handbook, ACKNOWLEDGMENTS CRC Press, Boca Raton, Fla, USA, 2005. [10] M. Gschwandtner, A. Uhl, and P. Wild, “Compression of en- This work has been partially supported by the Austrian Sci- crypted visual data,” in Proceedings of the 10th IFIP Interna- ence Fund, Projects nos. 15170 and 19159. The following tional Conference on Communications and Multimedia Security (CMS ’06), H. Leitold and E. Markatos, Eds., vol. 4237 of Lec- pictures are licensed under Creative Commons: Figure 2(b) ˜ ture Notes on Computer Science, pp. 141–150, Springer, Crete, by Emmanuel SalA, Figure 2(c) by Michael Jastremski, Greece, October 2006. Figure 2(d) by Natthawut Kulnirundorn, Figure 2(h) by Vinu [11] Y. Mao and M. Wu, “Security evaluation for communication- Thomas, and Figure 2(k) by Scott Kinmartin. friendly encryption of multimedia,” in Proceedings of Interna- tional Conference on Image Processing (ICIP ’04), vol. 1, pp. REFERENCES 569–572, Singapore, October 2004. [12] V. Markovski, F. Xue, and L. Trajkovic,´ “Simulation and analy- [1] “Methods for subjective determination of transmission qual- sisofpacketlossinuserdatagramprotocoltransfers,”Journal ity,” ITU-R Recommendation P.800, 1996. of Supercomputing, vol. 20, no. 2, pp. 175–196, 2001. [2] “Methodology for the subjective assessment of the quality [13] G. T. Nguyen, R. H. Katy, B. Noble, and M. Satyanaryanan, of television pictures,” ITU-R Recommendation BT.500-11, “Trace-based approach for modeling wireless channel be- 2002. havior,” in Proceedings of the Winter Simulation Conference [3] I. Avcibas, B. Sankur, and K. Sayood, “Statistical evaluation of (WSC ’96), pp. 597–604, Coronado, Calif, USA, December image quality measures,” Journal of Electronic Imaging, vol. 11, 1996. no. 2, pp. 206–223, 2002. [14] R. Norcen and A. Uhl, “Encryption of wavelet-coded imagery [4] G. Chen, Y. Mao, and C. K. Chui, “A symmetric image encryp- using random permutations,” in Proceedings of International tion scheme based on 3D chaotic cat maps,” Chaos, Solitons Conference on Image Processing (ICIP ’04), vol. 2, pp. 3431– and Fractals, vol. 21, no. 3, pp. 749–761, 2004. 3434, Singapore, October 2004. 16 EURASIP Journal on Information Security

[15] W. B. Pennebaker and J. L. Mitchell, JPEG—Still Image Com- pression Standard, Van Nostrand Reinhold, New York, NY, USA, 1993. [16] M. Reisecker and A. Uhl, “Wavelet-packet subband structures in the evolution of the JPEG 2000 standard,” in Proceedings of the 6th Nordic Signal Processing Symposium (NORSIG ’04), vol. 46, pp. 97–100, Espoo, Finland, June 2004. [17] J. Scharinger, “Fast encryption of image data using chaotic Kolmogorov flows,” Journal of Electronic Imaging, vol. 7, no. 2, pp. 318–325, 1998. [18] D. Taubman and M. W. Marcellin, JPEG2000—Image Com- pression Fundamentals, Standards and Practice,KluwerAca- demic, Boston, Mass, USA, 2002. [19] A. S. Tosun and W. Feng, “On error preserving encryption algorithms for wireless video transmission,” in Proceedings of the ACM International Multimedia Conference and Exhibi- tion, no. 4, pp. 302–308, Ottawa, Ontario, Canada, September- October 2001. [20] A. Uhl and A. Pommer, Image and Video Encryption. From Digital Rights Management to Secured Personal Communica- tion, vol. 15 of Advances in Information Security, Springer, New York, NY, USA, 2005. [21] J. G. Wen, M. Severa, W. Zeng, M. H. Luttrell, and W. Jin, “A format-compliant configurable encryption framework for access control of video,” IEEE Transactions on Circuits and Sys- tems for Video Technology, vol. 12, no. 6, pp. 545–557, 2002. [22] W. Zeng, J. Wen, and M. Severa, “Fast self-synchronous content scrambling by spatially shuffling codewords of compressed bitstreams,” in Proceedings of International Conference on Image Processing (ICIP ’02), vol. 3, pp. 169–172, Rochester, NY, USA, September 2002. [23]W.ZengandS.Lei,“Efficient frequency domain selective scrambling of digital video,” IEEE Transactions on Multimedia, vol. 5, no. 1, pp. 118–129, 2003.