Towards Efficient Privacy-preserving Image ... - Clemson University

Download PDF
4 downloads 172 Views 916KB Size Report
Comment
dent, co-operative cloud servers, and keeps the outsourced computation procedures as simple as possible to avoid uti- lizing homomorphic encryption scheme.
Towards Efficient Privacy-preserving Image Feature Extraction in Cloud Computing 1

Zhan Qin1 Jingbo Yan1 Kui Ren1 Chang Wen Chen1 Cong Wang2

Department of Computer Science and Engineering, SUNY at Buffalo, Buffalo, NY 14214 USA 2 Department of Computer Science, City University of Hong Kong, Hong Kong [email protected], [email protected], [email protected], [email protected], [email protected]

ABSTRACT

Keywords

As the image data produced by individuals and enterprises is rapidly increasing, Scalar Invariant Feature Transform (SIFT), as a local feature detection algorithm, has been heavily employed in various areas, including object recognition, robotic mapping, etc. In this context, there is a growing need to outsource such image computation with high complexity to cloud for its economic computing resources and on-demand ubiquitous access. However, how to protect the private image data while enabling image computation becomes a major concern. To address this fundamental challenge, we study the privacy requirements in outsourcing SIFT computation and propose SecSIFT, a high performance privacy-preserving SIFT feature detection system. In previous private image computation works, one common approach is to encrypt the private image in a public key based homomorphic scheme that enables the original processing algorithms designed for plaintext domain to be performed over ciphertext domain. In contrast to these works, our system is not restricted by the efficiency limitations of homomorphic encryption scheme. The proposed system distributes the computation procedures of SIFT to a set of independent, co-operative cloud servers, and keeps the outsourced computation procedures as simple as possible to avoid utilizing homomorphic encryption scheme. Thus, it enables implementation with practical computation and communication complexity. Extensive experimental results demonstrate that SecSIFT performs comparably to original SIFT on image benchmarks while capable of preserving the privacy in an efficient way.

Image Feature Detection; SIFT; Privacy-preserving; Cloud Computing

1.

INTRODUCTION

Nowadays, it is getting more and more popular for owners to outsource image data from local devices to cloud for its great flexibility and cost saving [2]. Popular social network providers commonly utilize image data to realize behavioral advertising, preference analytics, etc., [16]. For example, Facebook and Flickr are extracting qualified features from users’ images and constructing corresponding data mining models to improve their user experiences in social discovery [20]. To manage the massive computation workload in image feature extraction and utilization on the “Big Data”, more and more image owners choose to outsource the computation of image feature extractions to cloud [32]. However, this trend creates the privacy concerns. The outsourced image data reveals private information of the owner, like personal identity, location, or even financial profiles. Moreover, even features extracted from the image may leak important private information. The attacker can deduce the content of image via feature comparisons in a benchmark image database, or even recover part of the image based on these features. Thus, exploring privacy-preserving image feature detection over encrypted cloud data becomes of paramount importance. There is an emerging research field on discovering solutions to enable image processing over encrypted data [15]. In secure multimedia data search [26, 19], the authors propose designs to protect the privacy of the query image when searching over a public database by utilizing oblivious retrieval techniques. Some existing works are interested in the manipulation of encrypted image data in different forms, e.g., face recognition system [10, 25, 23], ECG signals [4], and fingercode authentication system [3]. Others focus on extracting/detecting image features from the ciphertext domain, e.g., Scalar Invariant Feature Transform (SIFT) [14], and shape-based image features [29]. However, all previous works on private image feature detection impose either heavy workload for image owners or unacceptable computational complexity at the cloud side, if not both. Thus, none of them is suitable for practical usages. In [10, 5], image owners have to perform very expensive operations of homomorphic encryption before outsourcing. In [12, 14], existing solutions require the cloud to perform massive homomorphic evaluations in the ciphertext domain (Details refer to Sec. 6). Another common weakness

Categories and Subject Descriptors H.3.3 [Information Systems Applications]: Information Search and Retrieval

General Terms Security, Algorithm Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. MM’14, November 3–7, 2014, Orlando, Florida, USA. Copyright 2014 ACM 978-1-4503-3063-3/14/11 ...$15.00. http://dx.doi.org/10.1145/2647868.2654941.

497

is that no previous work can protect the location information of the feature points, which may subsequently lead to significant information leakage to the cloud server depending the nature of the images [29]. Hence, in this paper, we focus on enabling practical and privacy-preserving SIFT computation over outsourced image. We present SecSIFT, a system for performing privacypreserving image feature detection over private user image data, which scales substantially better than the previous systems. SecSIFT operates under the similar trust model as used in several recent private proposals, i.e., honest-butcurious and independent servers. There are two key points that differentiate our proposal from other homomorphic encryption based solutions [19, 29, 12]: How the privacy of local feature’s locations is defined, and How the computation procedures are distributed among cloud servers. Prior works only protect the image data by encrypting them through a homomorphic encryption scheme. They either leak the locations of feature points to the cloud [13] or require impractical computational resources [19]. In our security model, the privacy of image content is defined in two aspects: the confidentiality of values and the delocalization of keypoints. Both of them are protected. The proposed design also divides the SIFT algorithm into several computation procedures and distributing them to different cloud entities. The efficiency of the proposed system is promised by utilizing splitting based encryption, Order Preserving Encryption (OPE), random permutation, and dummy point perturbation as its crypto primitives in different components of the system. Altogether, this paper makes the following contributions:

Scale Scale (first octave)

'ĂƵƐƐŝĂŶ

ŝĨĨĞƌĞŶĐĞŽĨ 'ĂƵƐƐŝĂŶ;Ž'Ϳ

Figure 1: Scale-space Extrema Detection: The image forms a series of octave via convolutions and subtractions [17]. • Scale-space Extrema Detection: This is the stage where the keypoints are detected (located). In this stage, the image is convolved with Gaussian filters at multiple scales, and then successive Gaussian-blurred images are taken. The keypoints are taken as extreme points of the Difference of Gaussians (DoG) that occur at multiple scales. Specifically, a DoG image D(x, y, σ) is given by D(x, y, σ) = L(x, y, ki σ) − L(x, y, kj σ)

(1)

where L(x, y, kσ) is the convolution of the original image I(x, y) with the Gaussian-blur G(x, y, kσ) at scale kσ, i.e., L(x, y, kσ) = G(x, y, kσ) ∗ I(x, y). Hence a DoG image between scales ki σ and kj σ is just the difference of the Gaussian-blurred images at scales ki σ and kj σ. As shown in Fig. 1, for Scale-space Extrema Detection, the convolved images are grouped by octave (an octave corresponds to doubling the value of σ). The DoG images are taken from adjacent Gaussianblurred images per octave.

• It presents the design of SecSIFT, a private system for performing SIFT computation without leaking the private information of the processed image. SecSIFT is typically one to two orders of magnitude more efficient in bandwidth and computation complexity than previous comparable systems (i.e., the systems with similar features and trust model). • It gives formal security proofs to justify the correctness and privacy-preserving guarantee of the proposed mechanism. A detailed evaluation on the utility, privacy, and efficiency of SecSIFT is provided.

Once DoG images are obtained, keypoints are identified as local extrema of the DoG images across scales. This is done by comparing each pixel in the DoG images to its eight neighbors at the same scale and nine corresponding neighboring pixels in each of the neighboring scales. If a pixel value is an extrema among all neighboring pixels, it is selected as a keypoint.

• It describes a complete implementation of SecSIFT. Extensive experiments on Microsoft Azure cloud instance with real dataset across thousands of images (Caltech256) demonstrate the effectiveness and efficiency of the proposed system.

• Feature Descriptor Generation: In this step, the keypoints are assigned orientations based on local image gradient directions. The keypoint descriptor can be represented relative to this orientation, which explaines the invariance to image rotation.

The rest of this paper is organized as follows: The next section gives a brief introduction to SIFT algorithm. Section 3 gives the problem formulation of SecSIFT, and states the design goals of the proposed system. Section 4 presents the system design. We describe analysis and evaluation of the correctness, privacy, and efficiency of the proposed system in Section 5.1, 5.2, and 5.3. Finally, we present related work and conclude in Section 6 and 7, respectively.

First, the Gaussian-blurred image L(x, y, σ) at the keypoint’s scale σ is taken so that all computations are performed in a scale-invariant manner. For an image sample L(x, y, σ), the gradient vector consists of magnitude m(x, y) and orientation θ(x, y), which are calculated using pixel differences: Let the gradient magnitudes be, respectively, denoted as DiffX = L(x + 1, y, σ) − L(x − 1, y, σ), and DiffY = L(x, y + 1, σ) − L(x, y − 1, σ) along different directions. For each 4 × 4 block, the gradient magnitude and orientation are, respectively, computed for each position (x, y) within the block as:  (2) m(x, y) = (DiffX )2 + (DiffY )2 DiffX (3) θ(x, y) = tan−1 DiffY

2.

PRELIMINARY ON SIFT

Scale Invariant Feature Transform (SIFT) is one of the most popular algorithms in computer vision to extract and describe local features in images. We separate it into mainly two stages to describe the algorithm briefly below. Detailed elaboration can be found in [17]:

498

Cloud

Image ‫ܫ‬ ‫ܥ‬

Comparer

Client Feature Descriptor ‫ݒ{ = ܦܨ‬௜ }

‫ܥ‬

Image Encryption

Scale-space Cube Generation

Descriptor Decryption

Descriptor Generation

Comparer

Interesting Point Localization

Figure 3: Architecture and Workflow of SecSIFT. cubes to Comparer, and receives the locations of keypoints from Comparer. Finally it outputs FD vectors as the results of SIFT algorithm to Client.

The magnitude and direction computations for the gradient are done for every pixel in a neighboring region around the keypoint in the Gaussian-blurred image. Note that this gradient vector can also be represented in other forms, besides magnitude and direction, while the accuracy of the SIFT algorithm can still remain largely unchanged. However, different representation forms may lead to different computational complexity in the ciphertext domain, which will be discussed in Sec 4.4. After the computations of the magnitude and direction, an orientation histogram with 36 bins is formed, with each bin covering 10 degrees. Each sample in the neighboring window added to a histogram bin is weighted by its gradient magnitude and a Gaussian-weighted circular window with a σ that is 1.5 times that of the keypoint’s scale. The peaks in this histogram correspond to dominant orientations. Once the histogram is filled, the orientations corresponding to the highest peak and local peaks that are larger than 80% of the highest peaks are assigned to the keypoint.

• Comparer: Comparer performs the comparison procedures, which is designed for performing the discovery of keypoints in SIFT algorithm. More specifically, this procedure is performed through a series of comparisons of neighboring pixels in the scale-space to find local extrema in the image. In our design, the output of Comparer is the cube identifier of the corresponding the keypoint, which is conducted to protect the privacy of the image against both Generator and Comparer at the same time (formally defined in Sec. 4.2.2).

3.2

Security Model

We consider the image I owned by Client to be private. The clients’ goal is to protect the privacy of the image content, while enabling Cloud to execute SIFT algorithm over it. Specifically, we consider the information of image content: pixel values, keypoint locations, and descriptive features extracted from the image, to be clients’ private information. In our security model, we consider the Cloud to be “honestbut-curious” and “independent”. We assume that Cloud acts in an “honest but curious” fashion, which means it correctly follows the designated protocol specification, but is interested in inferring from or analyzes the data flow to learn additional information. In our design, Client uploads his/her image in a split form to multiple cloud entities, which carry out the computations regarding SIFT. Similar to the secure multiparty computation schemes, we assume the cloud entities to be “independent” to each other. This assumption is promised by the independent reputation and financial interests of the cloud server provider. Here, Generators and Comparer would explicitly state non-collusion in their legally binding documents. Thus, the independence among cloud entities can be assured in practice [8].

PROBLEM FORMULATION

3.1

Generators

Generator 2 G

Figure 2: System Architecture: Three independent entities (cloud servers) ensure the privacy of image is preserved in SecSIFT.

3.

Client

Generator 1 G

System Architecture

As illustrated in Fig. 2, we consider a high-level architecture of SecSIFT. At the core, the system consists of two parties: Client and Cloud. Client may represent either an individual or an enterprise customer, who owns private image data and aims to outsource the computation task on SIFT Feature Descriptors (FDs) over these images to cloud. Specifically, to keep sensitive image data confidential against unauthorized access, cryptographic techniques need to be applied to the image data before outsourcing. In our system, Client encrypts the image, denoted by plaintext matrix I, into a ciphertext matrix, denoted by C, and then uploads it to Cloud. The expected image processing results from Cloud are a set of SIFT descriptors, which are FD vectors of keypoints in the image obtained by the SIFT algorithm. Cloud consists of three entities: two Generators and a Comparer, which are independent cloud server providers. These entities are named according to the functionality they perform in SecSIFT:

3.3

Design Goals

Our ultimate goal is to design a privacy-preserving SIFT feature detection system that supports the outsourced image feature detection service, while providing the strongest possible protection on the image content privacy and simultaneously maintaining the efficiency. In particular, we have the following design goals: Image Content Privacy: As claimed in our security model, the cloud entities should get no access to the image content like pixel values and detected features. According to the accepted security standard in image encryption [28], the confidentiality of the image is protected when each pixel of the image is encrypted. Consider an image as a matrix, if ev-

• Generators: Generators are composed of two cloud entities (servers) that perform mirrored procedures over encrypted image. Thus, for simplicity, we consider them as one entity: It receives encrypted image from Client. And then it generates the scale-space and corresponding scale-space cubes (27 neighboring pixels from 3 scales). After that, it sends permuted scale-space

499

(a)

(b)

(c)

(d)

(e)

(f)

Figure 4: SIFT features (intermediate) in plaintext domain (a), (b), (c) and ciphertext domain (d), (e), (f ). ery element is protected (depending on different encryption scheme), the whole matrix, i.e., the image is protected. Following this methodology, we define the privacy of image data values to be the confidentiality of values. Moreover, in outsourced image local feature extraction like SIFT algorithm, the location of keypoints may also leak image content, e.g., the shape of objects in the image. As shown in Fig. 4, though not considered in general image retrieval applications, intermediate result such as feature points along strong edges and their locations form crude object shapes, which reveal sensitive information of images. To solve this problem, we define the delocalization of keypoints: For each cloud entities, it is computationally hard to get the location of keypoints in the image, which means the keypoint’s location of the image is protected against Cloud. The delocalization property can prevent the cloud entities deducing private content shapes from the images. Computational Savings: Client’s workload in SecSIFT should be substantially less than the workload of completing a local SIFT program. Cloud Efficiency: It is further desirable to reduce the computational complexity on Cloud process as much as possible and finally make it acceptable when compared with a local SIFT program.

4.

SecSIFT SYSTEM DESIGN

As shown in Fig. 3, SecSIFT algorithm consists of five sequential components: Image Encryption, Scale-space Cube Generation, Keypoint Discovering, Descriptor Generation, and Descriptor Decryption. The detailed construction of each component will be shown in Sec. 4.1-4.5. Here, we first give a high-level description on the system workflow of SecSIFT. At the beginning, Client takes an image and security parameters as the system inputs and passes the encrypted (split) image C and seedc to Generators and seedd to Comparer (Sec. 4.1). After receiving the ciphertext from Client, Generator generates the corresponding scale-space and cubes. Then it shuffles surrounding pixels and encrypts the cube through an OPE scheme and passes the encrypted cubes attached with corresponding identifiers to Comparer (Sec. 4.2). Comparer decrypts the received cubes from both Generators and locates the keypoints by discovering the cubes that include extrema. The corresponding identifiers attached to the keypoints are then sent back to two Generators, inserted with some dummy identifiers (Sec. 4.3). Generators locate the

500

Algorithm 1 Splitting based Image Encryption Input: The matrix of the image, I, security parameter κ; Output: The ciphertext pair: C1 and C2 ; Control parameters sid , sp , and sd ; 1: Generate prime modulus t := Genprime (1κ ), and matrix R ← P RG(1κ ); 2: for each pixel at position (x, y) in I do 3: Encrypt I(x, y) by splitting the value: C1 (x, y) = R(x, y), C2 (x, y) = (I − R(x, y)) mod q; 4: end for 5: Generate control parameters sid ← P RGid (1κ ), sp ← P RGp (1κ ), and sd ← P RGd (1κ ); 6: return C1 , C2 , sid , sp , and sd . corresponding pixel points in the image after receiving those identifiers from Comparer, and then generate feature descriptors of keypoints over ciphertext domain and sends them back to Client (Sec. 4.4). Finally, Client discards the feature descriptors corresponding to the dummy identifiers, and then decrypts the rest of feature descriptors as the system output (Sec. 4.5).

4.1

Client: Image Encryption

Before outsourcing an image to Cloud, Client needs to encrypt the image and generate a set of control parameters to control the privacy-preserving mechanisms on different cloud entities. Instead of encrypting each pixel of the image through a public key based homomorphic encryption scheme as in the existing works [25, 14], Client additively splits the image matrix I into two ciphertext matrices: It first generates a prime modulus q, which defines the message space of the encryption scheme, and a random matrix R, whose elements are chosen from [0, q −1]. Then, it encrypts the image by splitting the matrix I into two matrices: C1 = R and C2 = (I − R) mod q and sends them to Generators, respectively: Client → Generator1 : C1 ; Client → Generator2 : C2 . The details are illustrated in Alg. 1. After that, Client generates and sends control parameters sid , sp , and sd to Generators and Comparer: Client → Generators : (sid , sp ); Client → Comparer : sd . Specifically, sid and sp synchronize the generation of scale-space cubes’ identifiers and permutations on Generators (Sec. 4.2.2). And sd controls the generation of dummy identifiers on Comparer (Sec. 4.3).

4.2 4.2.1

Generator: Scale-space Cube Generation Scale-space Generation

After receiving ciphertexts C1 and C2 from Client, both Generators perform convolutions and subtractions, as in the original SIFT algorithm, to generate scale-space. Specifically, for each pixel in the ciphertext matrix Ci , Generator performs the following computations to generate the DoG images at scale σ: D(x, y, σ) = (G(x, y, ki σ) − G(x, y, kj σ)) ∗ Ci (x, y) 2

2

2

(4)

−(x +y )/2σ 1 . The results of Gauswhere G(x, y, σ) = 2πσ 2e sian function at different scales are a set of constant matrices, which are considered to be public information to all participants. Thus, the generation of these matrices can be performed by Generator over plaintext domain. Note that Generators work over encrypted images, which are split into

Algorithm 2 OPE based Cube Encryption Require: The split image cube Cubei ; Ensure: i ; The encrypted split image cube Cube 1: for each pixel in Cubei do 2: for predefined bucket j = 1...m do 3: Generating a set of bucket [pl , ph ), with h − l − 1 points; 4: end for 5: if a distribution over [0, ph ) has the density function pq + r for constant q and r; then 6: For any constant z > 0; q 2 p + p); 7: M(p) = z( 2r 8: end if i−1  f wj + 9: At bucket width w, flat value f is f = fmin +

two homologous ciphertexts. Therefore, both Generators must compute in the same operation order for each encrypted pixel to generate a homologous scale-space.

4.2.2

Cube Encryption

After generating the scale-space, Cloud needs to discover keypoints as local extrema from the scale-space through comparisons. However, these comparisons cannot be performed by a cloud entity. It could leak the pixel values in the image, though the image is encrypted. If only one cloud entity performs all the tasks, it will lead to pixel value leakage to the cloud. Note that even if the cloud performs the comparisons in the ciphertext domain, it can still learn the values of encrypted pixels: The comparable ciphertexts enables Cloud to deduce the content of the image through comparing all encrypted pixel values in the image. To solve this problem, we assume the existence of three non-colluding cloud entities. Our scheme is designed in such a way that none of them alone can deduce any pixel value information by itself. Comparer is introduced as a cloud server to discover keypoints through comparing neighboring pixels in scale-space. To better illustrate the balance between privacy and effectiveness of the proposed solution, we first analyze two naive solutions and their shortcomings:

Mi (p − pmin −

i−1 

j=1

wj );

j=1

10:

i := cmin + Encrypted the pixel in split image Cube i−1  wjc + (Mci )−1 (f − fmin − wjf ),

i−1 

j=1

j=1

11: end for i ; 12: return Cube

• Cube Permutation: A naive solution is dividing the scale-space into multiple cubes, which contain 27 pixels acrossing 3 scales, and permutating these cubes randomly before sending them to Comparer. However, only permutation alone cannot break the space correlations of neighboring cubes completely. It is still computationally possible for Comparer to discover the space order of cubes through traversing all cubes and finding the overlapping pixels (18 pixels at maximum) among neighboring cubes.

wt , we also get the mapping function Mt and associated parameters st and z t . Assume the maximum width for each bucket is K = max[wi ]. Note that f denotes flatten space, t denotes target stage, and c denotes cipher space: Mc (wc ) = z c (sc (wc )2 + wc ), z=

K t nt ; + wt

st (wt )2

(5)

where s = q/2r. After that, we save the bucket boundaries in the cipher space in the data structure Kc . For every bucket, we also save the quadratic coefficients sc and the scale factor z c . The scheme enables the split image recovery as follows: First, when computing the scale factors for each bucket by using the constraint. In this step, the bucket should map to a space proportional to the number of points in the bucket, in which the duplicate points are excluded. Thus, adjacent plaintext values in the regions will be mapped to flattened values that are relatively close. Suppose that using our modified scheme, a plaintext value p maps into a value f in the flat space, and p + 1 maps into f  . When encrypting p, we choose the random value close to the interval’s center [ f 2−f ). Thus, the encrypted value of p will be uniformly spread in the interval [f, f  ). Combining the intra-bucket uniformity generated by the linear splines, and the interbucket uniformity from the scale factors together results in the flattened distribution to be uniform. In addition, to identify the extent, the OPE scheme maintains distance between plaintexts, and we start from analyzing the distance of any two random plaintexts. The size of the ciphertext depends on the skew in the plaintext and target distributions. p to be the smallest gap between sorted values Assume gmin p t , gmin , and in the plaintext. Similarly, we can define gmax t . Then, the additional number of bits needed by the gmax ciphertext in the worst case is approximated as:

• Noise Perturbation: Another naive solution is perturbing noises into pixels to hide the overlapping pixels in neighboring cubes. The perturbed noises make it computational impossible for Comparer to find overlapping pixels in neighboring cubes. However, the noise perturbation based solution may badly weaken the effectiveness of the system. Specifically, the precision of comparisons is compromised by noise perturbation. The reason is that the effectiveness on comparisons and the protection on ciphertexts inherently contradict to each other in noise perturbation mechanisms. Based on the previous analysis on the possible solutions, we propose a novel solution to discover the keypoints in the scale-space without compromising the privacy of the image. In this solution, the OPE scheme proposed in [1] is adopted to enable the ciphertext comparisons to be performed by Comparer. However, since the image data uploaded by Client is over ciphertext domain, we cannot directly use the scheme in [1]. Thus, we need to carefully modify a piece-wise linear spline to enable Comparer to recover the split image from OPE ciphertexts. The complete construction is explained in the following: Cube Encryption: As illustrated in the Cube Permutation, Generator first divides the scale-space into cubes, as shown in Fig. 1. At the beginning, Generator encrypts all pixels in the processed image cubes through an OPE scheme, as shown in Alg. 2. The modeling of target distribution yields a set of buckets {B1t , ..., Bkt }. For every bucket of length

ladd = log(

501

p gmax gt ) + log( max ) p t gmin gmin

(6)

Algorithm 4 Descriptor Generation Input: ¯ The perturbed cube ID set {ID}; Output: The descriptor of keypoint Vdi ; ¯ ∈ {ID} ¯ do 1: for Each ID 2: Compute the position of keypoint from the ID set: ¯ (x, y) = H −1 (ID); 3: for each surrounding block of keypoint do 4: V (0) = V (0) + (L(x + 1, y, σ) − (L(x − 1, y, σ); 5: V (1) = V (1) + (L(x, y + 1, σ) − (L(x, y − 1, σ); 6: V (2) = V (2)+(L(x−1, y −1, σ)−(L(x+1, y +1, σ); 7: V (3) = V (3)+(L(x+1, y −1, σ)−(L(x−1, y +1, σ); 8: Concatenate region features together: Vd = (Vd ||V (0)||V (1)||V (2)||V (3)); 9: end for 10: end for 11: return Vdi ;.

Algorithm 3 Cube ID Perturbation Input: The random number sid , the ID set of keypiont {ID}; Output: ¯ The perturbed cube ID: {ID}; 1: Generating a binomial pseudorandom matrix M = P RGM (|I|, sid ); 2: for All (x, y) ∈ I do 3: if M (x, y) > 0 then 4: Computing DID := H(sid , x, y); 5: for each DID ∈ / {ID} ¯ = {ID} ∪ {DID}; 6: {ID} 7: end if 8: end for ¯ 9: return {ID};. Note that we can explicitly control g t , i.e., the length introduced by the target stage, while g p depends on the different format of the image data. Permutation: After the encryption of OPE scheme, both Generators generate cube identifiers and permutate the cubes under a same set of control parameters. First, each Generator generates an identifier for each cube, denoted as CID. It generates it with the control parameter and corresponding position in the image matrix as the inputs: CID = H(sid , x, y). Recall that (x, y) is the position in the image matrix, and H is a predefined random hash function. Since both Generators use the same control parameter si d in identifier generation, the identifiers of the cubes at same positions can be synchronized. After that, Generators performs the permutation of cubes with the sp from Client, pixel position and scales as the inputs: Seq = Hp (sp , x, y, σ). For this procedure, si d from CID generation and sp from cube permutation guarantee the synchronization of operations in Generators.

4.3

For feature descriptor extraction conducted over ciphertext domain, the histogram and vector computations require high computational complexity and are too complicated to be implemented over ciphertext domain. Thus, we modify the original descriptor to generate the weighted magnitudes located at four directions (i.e., 0◦ , 45◦ , 90◦ , and 135◦ ) in the proposed system, which constitutes a 4-dimensional vector, as shown in Fig. 5. Since a 16 × 16 region contains sixteen 4 × 4 blocks, a 64-dimensional feature descriptor for a keypoint is established. Due to the security constraint on comparisons, no additional information of encrypted feature descriptor can be extracted from the ciphertext domain by Generators. Our experimental results reveal that modified SecSIFT descriptors successfully maintain the robustness of the proposed system, as illustrated in Fig. 6(b). In our design, the feature descriptor calculated in the ciphertext domain for each 4 × 4 block is conducted as follows: Let V (k), k = {0, 1, 2, 3, } denote the feature vector of a 16 × 16 block:

Comparer: Keypoint Discovering

1 and Cube 2 from After receiving split image cubes Cube Generators, Comparer recovers the encrypted cubes through 2 . Then, it identifies cubes  = Cube 1 + Cube additions: Cube that include extremum through comparing 26 pixels with the centre pixel in the cube. After that, to protect the location of keypoints against Generators, Comparer generates a set of dummy identifiers, i.e., DIDs, with the sd from Client. Then, it mixes them with CIDs connected with extrema, before sending them back to Generators, as shown in Alg. 3. The detailed privacy analysis of inserting DIDs will be shown in Sec. 5.2.

4.4

Diff45◦ Diff135◦

Diff0◦ = (L(x + 1, y, σ) − (L(x − 1, y, σ) Diff90◦ = (L(x, y + 1, σ) − (L(x, y − 1, σ) = (L(x − 1, y − 1, σ) − (L(x + 1, y + 1, σ) = (L(x + 1, y − 1, σ) − (L(x − 1, y + 1, σ)

(7)

As shown in Alg. 4, each Generator generates a descriptor as split 64-dimensional vector Vd . Then, it sends Vd attached with the CID to Client. Note that the descriptors of keypoints include vectors of dummy points. To protect the privacy of location of the keypoints, Generator is designed to perform the descriptor generation of these dummy points. The corresponding computation complexity depends on the number of inserted dummy points from the security parameter settings. However, these dummy points do not affect the decryption workload on Client end. Client can distinguish the dummy descriptors from the real descriptors by simulating Comparer to generate {DID}.

Generator: Descriptor Generation

Generators perform the adjusted feature descriptor generation procedures, after receiving the perturbed cube ID set ¯ from Comparer. As described in Sec. 2, SIFT derives {ID} the feature descriptor of keypoint from computing the magnitude and direction of its neighboring pixels in the plaintext domain. The orientation assignment is executed for each detected feature point. The histogram of weighted magnitudes, which are defined on a number of restrictive directions, is derived based on the Eq. (3). A normalized region of size 16 × 16, which is expanded from the region covering the derived orientation, is built. A 128-dimensional SIFT feature descriptor is established for the 16×16 region, which is further divided into sixteen 4 × 4 blocks, around a feature point.

4.5

Descriptor Decryption

Before recovering the encrypted descriptor (feature vector) by subtracting the split feature descriptors: Vd = Vd2 − Vd1 , Client needs to identify and discard the dummy feature descriptors. Recall that DIDs are computed from the pseudorandom matrix M , which only depends on the size of the image and the control parameter sid . Thus, Client can ef-

502

0.4 0.3 0.2 0.1 20

(a)

(b)

5.1.2

Correctness Analysis and Evaluation Correctness of Feature Descriptors

Since neighboring input value must have similar output ciphertext under order preserving encryption, the proposed algorithm may not return the exact answers. In the scenario of SIFT algorithm, SecSIFT algorithm should output a noisy list of keypoint at Comparer. Recall that given a plaintext space of size M , i.e., the domain size |D| = M , and ciphertext space N , assuming m1 < m2 ∈ [M ]. The following theorem provides the utility guarantee of SecSIFT: Theorem 1. Let t = (N −1)/(M −1), and assume t > 7. Let m1 ← [M ], m2 ← [M ]{m1 }, (c1 , c2 ) = Encr,k (m1 , m2 ), w = c2 − c1 mod M , and d = m2 − m1 mod M . Then 3 1  t (M − 1)/lnM

(8)

Proof. √ Let t = (N − 1)(M − 1). Let b be a fixed value M − 1) to be determined later. Define β = (less than √ 2tb M −1 . Assume w is uniformly random in [N − 1], so t−2 P rm1 ,m2 [w < β + 1]
7. This bound gives us the idea of good values for t = N/M . In particular, we can find that choosing a constant for t > 7, which means choosing N to be a constant multiple of M , is sufficient in order to make the above probability negligible. Whether the constant should be large or small depends on the tolerance for random intervals to be shallow. The upper bound of noise introduced by the OPE scheme to the image value is 3t ln (1/M ).

SYSTEM EVALUATION

P rm1 ,m2 [2d > w]
w] < P rm1 ,m2 [2d > w|w > β + 1] +P rm1 ,m2 [|w < β + 1] 1 2b √ + < 2/M + N −1 (t − 2) M − 1 2 1  < 2/M + t − 2 (M − 1)/lnM

We conduct a thorough experimental evaluation of the proposed system on real image database: Caltech256, which contains 30,607 images with total size 1.2GB. Our experiment is implemented using C programming language on both local workstation and Microsoft Azure cloud instance. The local workstation runs with an Intel Core2 Duo CPU (E6550) running at 2.33GHz, 4GB of RAM and a 7200RPM disk drive. The cloud side process is conducted on Azure with large standard instance type. We analyze and present our evaluation result in three aspects: correctness, privacy, and efficiency.

5.1.1

23

0.ϴ 0.ϳ

Figure 6: Correctness Evaluation. √ Define dR = min{(M − 1)w/N + b(M − 1)/ M − 1, M − 1}. Note that (M −1)w/N is the most likely plaintext distance of w. Then we can deduce that dR < w/2, whenever w > β +1. Hence

ficiently regenerate the dummy matrix M and discard the descriptors with the corresponding DIDs. After recovering the feature vectors, Client can perform the orientation calculation to get the assigned orientations and convert the feature vectors of each block to the main orientation as the original SIFT. The effectiveness of adjusted descriptors will be discussed in Sec. 5.1. From the client’s perspective, the encryption and decryption computational complexity are both linear to the size of the image. The communication complexity between Cloud and Client contains the upload bandwidth (2|I|) and the download bandwidth (|F D|), which depend on the size and content of the image.

5.1

22

1 0.ϵ

(a) Error distance.

Figure 5: Original SIFT feature gradient vector (a) and modified feature descriptor (b).

5.

21

ǀĞƌĂŐĞƉƌĞĐŝƐŝŽŶŽĨŝŵĂŐĞŵĂƚĐŚŝŶŐ

ǀĞƌĂŐĞĞƌƌŽƌĚŝƐƚĂŶĐĞ

0.5

(9)

503

Experimental Results

We first analyze the correctness of the proposed system from the view of keypoint localizations. We conduct the experiments regarding comparison between keypoints detected from the plaintext domain and the ones from the ciphertext domain in SecSIFT. The Euclidean distances between the closest keypoints from different domains are computed: The keypoints from SecSIFT and original SIFT are obtained respectively. After that, the corresponding keypoints in SecSIFT based on the ones from original SIFT are discovered. The standard Euclidean Distance is utilized to quantify these distances. Fig. 6(a) illustrates the average error distance between corresponding keypoints. The error is introduced by the randomness from the OPE scheme. In fact the maximum distance between corresponding keypoints from different domains is smaller than 3.56, which means they still have more than 63% overlapping neighboring pixels. Given the descriptor generated by SecSIFT, we next focus on the precision of the matching results. Basically, the experiments are analogous to the application of image matching. We randomly select 1, 000 images from 10 categories, and perform original SIFT, SIFT with modified descriptors and SecSIFT to extract their feature descriptors. Then these descriptors are utilized to compute their Euclidean distance to find the corresponding matching image in the image set. The results regarding the top-k matching images are examined here. As shown in Fig. 7, the left column images are the query (target) image, and the right column images are the top-k (k=4) matching images in the database. Fig. 6(b) illustrates the result of image matching performed over SIFT

0.37

1

0.36

0.9

0.35

0.8

0.34

0.7

ĚĚŝƚŝŽŶĂůdŝŵĞ;ƐͿ

Top-4 Matching Image

dŝŵĞ;ŵƐͿ

Target Image

0.33 0.32 0.31 0.3

0.5 0.4 0.3 0.2

0.29

0.1

0.28 0.27

0.6

0 20 21 22 23 24 25 26 27 28 29 30 31 3Ϯ ŽŵĂŝŶƐŝnjĞͮͮŽĨKW;ďŝƚͿ

0 ϭ0 20 ϯ0 40 ϱ0 60 ϳ0 80 ϵ0 100 WƌŽďĂďŝůŝƚLJĂĚǀĂŶƚĂŐĞŽĨŝƐƚŝŶŐƵŝƐŚŝŶŐĂƵŵŵLJWŽŝŶƚ;йͿ

(a) OPE encryption time.

(b) Descriptor generation time. Figure 8: Privacy Evaluation.

Figure 7: An example of image matching using SecSIFT. with modified descriptors and SecSIFT, compared with the original SIFT as the ground truth. When k = 1, the precision is above 99%. The matching results are almost the same. When k > 2, the precision of the proposed system reduces, but still remains above 80% on average.

5.2 5.2.1

where the security experiment is as follows: The experiment Expz[M ],[N ] (A) is performed by the adversary. It returns 1, if (mR − mL + 1 mod M ) < r, while m0 ∈ [mL , mR ], and returns 0 otherwise. Note that the experiment demands that the adversary returns the specified ciphertext that c0 ∈ c, rather than any ciphertext from ciphertext set c. Thus we can use the simple bound deduced from Eq. 12 and 13:

Privacy Analysis and Evaluation

P r[Expz[M ],[N ] (A) = 1] = √

Confidentiality of Pixel Values & Descriptive Feature Vectors

To analyze the confidentiality of the image content, we start with the observed data by each cloud entity. For Generator, it can only observe the encrypted (split) image and the cube identifier CID returned by Comparer. The image splitting mechanism provides the security guarantee of image content against Generator, as long as the client generate a new key every time to encrypt the image. The security strength of the ciphertext depends on the security of the utilized pseudorandom generator function. The information leakage from CID like the location of the keypoints to Generator will be analyzed in Sec. 5.2.2. For Comparer, though the OPE scheme leaks the order of the ciphertext, the information disclosed to Comparer contains only the statistical information [31] (e.g., the counts of different pixel values) over ciphertexts in the scale-space domain. The confidentiality of the image values relies on the security strength of the OPE scheme. Recall that the security of the image content against Comparer is quantified by the domain size |D| = M . Assume for any challenge set size z, there exists an efficient adversary A as a curious Comparer, and we have the following theorem:

5.2.2

(14)

Delocalization of Keypoint Locations

Since Comparer is enabled to read the encrypted pixels in scale cubes for comparisons, Comparer can only attack the system through reconstructing the image from cubes, which means reconstructing the relative location relations among pixels. The permutation algorithm is utilized in our design to protect the locations of keypoints against Comparer. In this case, the permutation of surrounding pixels in a scale cube can effectively sabotage the reconstruction algorithm. For neighboring cubes, the maximum number of overlapping pixels is 18. Assume each cube has 6 directions to discover its neighboring cube. The maximum number of overlapping pixels for two neighboring directions is 12. Through probability deduction, we can discover that the permutation algorithm can decrease the probability of discovering the correct neighboring cubes to be one out of six, which is 16.6%. Assume the size of the image is n, then the possibility of reconstruct the half of the image is approximately 23n . For Generators, the dummy points are inserted into the returned cube identifiers to hide the keypoints locations in the image. Due to the functionality requirements in SIFT, the locations of real keypoints must be revealed to Generators for generating descriptors. However, the dummy keypoints observed by Generators can effectively prevent it distinguishing the location of real keypoints. The experiment Exp|r|,|d| (A) for adversary A, which has |r| real keypoints and |d| dummy points, is described as follows: It returns 1, if A choose a real keypoint from the mixed keypoints group, and returns 0 otherwise. Thus we can get a simple bound:

Theorem 2. For any z and A, if N > 2M , M > 16 + z, such that: 4z z (11) Adv[M ],[N ] (A) < √ M −z+1 Proof. Let N > M, 0 < y < N, 0 < x < M . Recall hypergeometric and negative hypergeometric probabilities:    N −y  ( xy )( M )  N  −x Phgd (N, M, y, x) < ( M ) y−1  N −y  ( )( ) (12) Pnhgd (N, M, y, x) < x−1  N M −x ( M )

P r[Expz|r|,|d| (A) = 1] =

As shown in [6], random OPE are naturally linked to negative hypergeometric probabilities. This allows us to construct an efficient adversary against OPE scheme, which yields the result that: z z Adv[M ],[N ] (A) < P r[Exp[M ],[N ] (A) = 1]

4z M −z+1

5.2.3

|r| |r| + |d|

(15)

Experimental Results

We conduct the experiments regarding computation time of OPE procedure and additional descriptor generation time for dummy points to test the additional computation complexity introduced by privacy-preserving mechanisms. Fig. 8

(13)

504

Workload Distribution

18 16 14

Client 1.72%

12 Time(s)

Comparer 7Ϯ͘ϰϮ% Generator 25͘ϴϲ%

ϯϱ 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 Image Size (KB)

(a), (b) show the results. As the strength of the strength of the confidentiality and delocalization property grows, the additional time complexity increases: The time complexity of one OPE encryption procedure grows, as the domain size |D| of OPE increases (from 20 to 30 bits). In Fig. 8(b), we conduct the experiments of the additional computational time of descriptor generation procedures for different scales of dummy point insertion. Regarding the growth additional time complexity of descriptor generation, the probability of distinguishing the dummy points from the mixed descriptors decreases.

Figure 10: The computation time of SecSIFT on different size of images. privacy-preserving classification of ECG signal and privacypreserving fingercode authentication system are presented in [4] and [3] by Barni. Another orthogonal work [22] proposes a privacy-preserving identical image copies searching system based on the signs of DCT image coefficient. In [7], the utilization of secure multiparty computation techniques is proposed in a biometric identification system. The most similar work to this paper is Hsu’s work [12], which utilizes homomorphic encryption scheme (Paillier) to enable a secure SIFT computation over the ciphertext. However, the proposed scheme has two drawbacks: 1) It introduces unrealistic computational complexity on encrypted data comparison. The proposed algorithm requires the cloud to traverse half of the ciphertext space for each comparison. Assuming a 512-bit modulus of the Paillier cryptosystem, the cloud needs to perform 2256 multiplications (homomorphic additions) for each ciphertext comparison. 2) The data owner needs to encrypt and decrypt each pixel in the image under Paillier scheme. It is an unpractical workload to the data owner, especially compared with the splitting based encryption scheme in our system (0.02-0.5s/pixel vs. 0.040.08μs/pixel). Another work [29] demonstrates that shapebased image feature extraction can be carried out within ciphertext domain in a multiple cloud server structure. Based on Yao’s garbled circuits [30] and Gentry’s work on fully homomorphic encryption (FHE) [11], a general solution has been shown to allow homomorphic evaluations over ciphertext domain. However, applying these general mechanisms to our image computation application would be far from practical, due to its extremely large size of the circuit that cannot be handled in practice and the huge computation complexity of FHE operations. Another existing list of work that loosely relates to (but is also significantly different from) our research proposal is secure multiparty computation (SMC) [30]. However, schemes in the context of SMC are in general ill-suited when applied to practical system models, as they usually assume no single party knows all the problem input and impose comparable computation burden on each involved parties [24]. In short, practically efficient mechanisms with immediate practices for private image computation outsourcing in cloud are still missing.

Efficiency Evaluation

In order to evaluate the efficiency of the proposed system, the experiments are conducted regarding the time cost of data preprocessing phase and image feature detection phase. Fig. 9 shows the computational complexity on the different entities in SecSIFT for an image with size of 300 × 300. The result shows that the Client takes a minimum computational complexity, since most of the workloads, like scale-space generation and extreme discovering, are taken by Generators and Comparer. As shown in Fig. 10, the time complexity of the proposed system remains to be fully practical, i.e., about the order of seconds. Meanwhile, the homomorphic encryption based scheme requires time complexity at the order of minutes [12] under the same security parameters. The reason is that the public key based homomorphic encryption schemes require massive multiplications and exponentials over ciphertext domain as the homomorphic additions and multiplications.

6.

8 6

Figure 9: The workload distribution of SecSIFT.

5.3

10

RELATED WORK

This outsourced privacy-preserving SIFT is proposed to explore the prospects of private image computation outsourcing, inspired by works [19], [14], [18], [21]. In secure multimedia data search [26], the authors propose a design to protect the privacy of the query image when searching over a public non-encrypted database. In [19], features extracted from images are encrypted in a distance-preserving scheme to enable the direct comparisons for similarity evaluation. Secure image retrieval allows content-based search over encrypted multimedia databases, and therefore offers flexible approaches to manage private multimedia collections online [15]. In [18], the state-of-the-art search indexes for multimedia data are encrypted while the efficient search capabilities are preserved. In [9], authors analyze the security flaws of the typical technology blocks used in state-of-theart content-based image retrieval system. Most of existing works are interested in the manipulation of encrypted image data: A privacy-preserving face recognition system, based on Paillier cryptosystem, is proposed by Erkin [10]. Bianchi [5] generalizes the packing encryption technique proposed by Troncoso-Pastoriza [27]. By utilizing the garbled circuit and homomorphic encryption scheme, [25] and [23] propose privacy-preserving face recognition systems. The

7.

CONCLUSION

In this paper, we proposed a privacy-preserving SIFT system over encrypted image data. The proposed system explores the techniques of splitting based encryption, orderpreserving encryption, random permutation, and dummy points perturbation to enable secure image computation outsourcing with practical performance. The correctness, privacy, and efficiency of the proposed system were analyzed and evaluated. We further constructed a prototype system

505

SecSIFT and conducted extensive experiments. The experimental results show that the proposed system is correct and effective for different image categories in Caltech256 image database. As our ongoing work, we will continue to research on privacy-preserving image detection algorithms for the effective utilization over encrypted data.

8.

ACKNOWLEDGEMENT

We thank the helpful comments from the anonymous reviewers and Mohan S. Kankanhalli for shepherding our paper. This work was supported in part by US National Science Foundation under grants CNS-1262277 and CNS-1262275, and by RGC of Hong Kong under the ECS grant 9041983.

9.

REFERENCES

[1] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. Order preserving encryption for numeric data. In Proc. of ACM SIGMOD, 2004. [2] M. J. Atallah, K. N. Pantazopoulos, J. R. Rice, and E. E. Spafford. Secure outsourcing of scientific computations. Advances in Computers, Vol. 54, pp. 215-272, 2002. [3] M. Barni, T. Bianchi, D. Catalano, M. Di Raimondo, et al. Privacy-preserving fingercode authentication. In Proc. of ACM MMSec, 2010. [4] M. Barni, P. Failla, R. Lazzeretti, A. Sadeghi, and T. Schneider. Privacy-preserving ecg classification with branching programs and neural networks. IEEE TIFS, Vol.6, No. 2, pp. 452-468, 2011. [5] T. Bianchi, A. Piva, and M. Barni. Composite signal representation for fast and storage-efficient processing of encrypted signals. IEEE TIFS, Vol. 5, No. 1, pp. 180-187, 2010. [6] A. Boldyreva, N. Chenette, Y. Lee, and A. Oneill. Order-preserving symmetric encryption. In Proc. of EUROCRYPT, 2009. [7] J. Bringer, H. Chabanne, and A. Patey. Privacy-preserving biometric identification using secure multiparty computation: An overview and recent trends. Signal Processing Magazine, 2013. [8] R. Chen, I. E. Akkus, and P. Francis. Splitx: high-performance private analytics. In Proc. of ACM SIGCOMM, 2013. [9] T.-T. Do, E. Kijak, T. Furon, and L. Amsaleg. Challenging the security of content-based image retrieval systems. In Proc. of IEEE MMSP, 2010. [10] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, and T. Toft. Privacy-preserving face recognition. In Proc. of PET, 2009. [11] C. Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009. [12] C.-Y. Hsu, C.-S. Lu, and S.-C. Pei. Image feature extraction in encrypted domain with privacy-preserving sift. IEEE Trans. Image Processing, Vol. 21, No. 11, pp. 4593-4607, 2012. [13] C.-Y. Hsu, C.-S. Lu, and S.-C. Pei. Secure and robust sift. In Proc. of ACM MM, 2009. [14] C.-Y. Hsu, C.-S. Lu, and S.-C. Pei. Homomorphic encryption-based secure sift for privacy-preserving feature extraction. In Proc of IEEE SPIE, 2011.

506

[15] Y. Ke and R. Sukthankar. Pca-sift: A more distinctive representation for local image descriptors. In Proc. of IEEE CVPR, 2004. [16] P. Leon, B. Ur, R. Shay, Y. Wang, R. Balebako, and L. Cranor. Why johnny can’t opt out: A usability evaluation of tools to limit online behavioral advertising. In Proc. of ACM SIGCHI, 2012. [17] D. G. Lowe. Distinctive image features from scale-invariant keypoints. International journal of computer vision, Vol. 60, No. 2, pp. 31-110, 2004. [18] W. Lu, A. Swaminathan, A. L. Varna, and M. Wu. Enabling search over encrypted multimedia databases. In Proc. of IEEE SPIE, 2009. [19] W. Lu, A. L. Varna, A. Swaminathan, and M. Wu. Secure image retrieval through feature protection. In Proc. of IEEE ICASSP, 2009. [20] M. Malheiros, C. Jennett, S. Patel, S. Brostoff, and M. A. Sasse. Too close for comfort: A study of the effectiveness and acceptability of rich-media personalized advertising. In Proc. of ACM SIGCHI, 2012. [21] B. Moskovich and M. Osadchy. Illumination invariant representation for privacy preserving face identification. In Proc. of IEEE CVPRW, 2010. [22] F. Movahedi Naini, P. Thiran, M. Vetterli, and J. Unnikrishnan. Privacy-preserving function computation by exploitation of friendships in social networks. In Proc. of IEEE ICASSP, 2014. [23] M. Osadchy, B. Pinkas, A. Jarrous, and B. Moskovich. Scifi-a system for secure face identification. In Proc. of IEEE S&P, 2010. [24] S. J. Patel, A. Chouhan, and D. C. Jinwala. Comparative evaluation of elliptic curve cryptography based homomorphic encryption schemes for a novel secure multiparty computation. Journal of Information Security, Vol. 5, No.1, pp. 12-18, 2014. [25] A.-R. Sadeghi, T. Schneider, and I. Wehrenberg. Efficient privacy-preserving face recognition. In Proc. of ICISC, 2009. [26] J. Shashank, P. Kowshik, K. Srinathan, and C. Jawahar. Private content based image retrieval. In Proc. of IEEE CVPR, 2008. [27] J. R. Troncoso-Pastoriza, S. Katzenbeisser, M. Celik, and A. Lemma. A secure multidimensional point inclusion protocol. In Proc. of ACM MMSec, 2007. [28] Y. Wang, K.-W. Wong, X. Liao, and G. Chen. A new chaos-based fast image encryption algorithm. Applied soft computing, Vol. 11, No. 1, pp. 514-522 2011. [29] S. Wang, M. Nassar, M. Atallah, and Q. Malluhi. Secure and private outsourcing of shape-based feature extraction. In Proc. of ICISC, 2013. [30] A. C.-C. Yao. Protocols for secure computations. In Proc. of IEEE FOCS, 1982. [31] Z. Qin, J. Yan, C. Wang, K. Ren, C. W. Chen, and X. Fu. Privacy-preserving Outsourcing of Image Global Feature Detection. In Proc. of IEEE Globecom, 2014. [32] X. Yuan, X. Wang, C. Wang, A. Squicciarini, and K. Ren. Enabling Privacy-preserving Image-centric Social Discovery. In Proc. of IEEE ICDCS, 2014.