Homomorphic encryption can protect user’s privacy when operating on user’s data in cloud computing. But it is not practical for wide using as the data and services types in cloud computing are diverse. Among these data types, digital image is an important personal data for users. There are also many image processing services in cloud computing. To protect user’s privacy in these services, this paper proposed a scheme using homomorphic encryption in image processing. Firstly, a secret key homomorphic encryption (IGHE) was constructed for encrypting image. IGHE can operate on encrypted floating numbers efficiently to adapt to the image processing service. Then, by translating the traditional image processing methods into the operations on encrypted pixels, the encrypted image can be processed homomorphically. That is, service can process the encrypted image directly, and the result after decryption is the same as processing the plain image. To illustrate our scheme, three common image processing instances were given in this paper. The experiments show that our scheme is secure, correct, and efficient enough to be used in practical image processing applications.

1. Introduction

Along with the arrival of the cloud computing fever, there emerge a lot of service outsourcing applications based on cloud computing platform (such as SaaS). Users who request the service just need to upload their data to the service and wait for the result. This brings users great benefits, but also the risk of privacy disclosure, because the service provider (SP) can access users’ plain sensitive information arbitrarily. To balance the privacy with usability of data in cloud computing, many computable encryption technologies are proposed, such as homomorphic encryptions [15]. The idea of these encryptions can be represented as follows.

“Enc” represents the encryption process, and “Dec” represents the decryption process. For a function taking the plaintexts as input, there exists a function (where ) taking the ciphertexts as input, such that

According to (1), user uploads the encrypted data to service, and instead of using to operate on user’s plain data, the service can operate on the encrypted data by using and return to user the encrypted result. After decryption, user will get the expected result which is the same as . Thus, the service can run correctly without knowing user’s plain data. And then, the privacy is safe from disclosure.

Homomorphic encryption seems a good way to protect privacy in service outsourcing applications, especially when handling the integer data type. But as the data types in cloud computing are diverse, how to use homomorphic encryption in other types is still a challenging problem. For example, with the popularization of photograph equipment, a large amount of digital images are generated every day. It has become one of the most popular forms of personal data for users. Consequently, the online image processing services are widely used for users to edit their images. But the image may also contain privacy that the user does not want SP to see. To protect the privacy in this data type, we proposed a scheme using homomorphic encryption in image processing services.

In broad terms, image processing includes all kinds of operations on the image. But it is hard to handle the privacy issues in all kinds of image processing using one scheme. So in this paper, the image processing mainly refers to the processes based on pixels. That is, the new color of pixel is computed according to the old ones. The operations on plain pixels can be seen as a function . Taking the old pixels and some other parameters (if necessary) as inputs, outputs the new pixel. When using the traditional image encryptions [68], operating on the encrypted pixels is meaningless. Thus no one can process the encrypted image without decryption. However, by encrypting each pixel separately using homomorphic encryption, the service can operate on the encrypted pixels using . Then the service can process the encrypted image without decryption.

Unfortunately, there are no appropriate homomorphic encryptions which can be used in image encryption yet. Unpadded-RSA [1] and ElGamal [2] cryptosystems satisfy (1) when consists of only multiplication operations. But it needs both addition and multiplication operations in image processing. Neither do Goldwasser and Micali [3] or Paillier [4] cryptosystems fit image encryption, as consists of only addition operations. Gentry’s fully homomorphic encryption [5] is too complex to apply in image processing, because it encrypts one bit each time, with the runtime more than 30 seconds even in “toy” security level [9]. The homomorphic cryptosystems proposed in [10, 11] are oriented to integers, but as the floating numbers are involved in operations in image processing, these cryptosystems cannot be used either. Besides, these are all public key encryptions which need a large key size to ensure the security. Thus, the sizes of ciphertexts are too large to store or transmit online.

Through the above analysis, we need an efficient homomorphic encryption which can support both addition and multiplication operations on floating numbers. Then we can use it to encrypt the image and process the encrypted image directly. It seems that no existing work has ever proposed any solution for this problem. Our contributions are as follows:(i)We propose an encrypted image processing model based on homomorphic encryption.(ii)We improve Gentry’s homomorphic encryption to propose an efficient secret key homomorphic encryption which can support addition and multiplication operations on floating numbers (IGHE).(iii)We use IGHE in image encryption and give the instances of processing encrypted image.

The rest of this paper is organized as follows. Section 2 outlines our encrypted image processing model and defines the notions that we need. In Section 3, we describe the improvement of Gentry’s homomorphic encryption (IGHE). Section 4 gives the method of image encryption using IGHE, followed by the instances of processing encrypted image. The experimental results are presented in Section 5. Finally, Section 6 concludes the paper.

2. Encrypted Image Processing Model

First of all, we construct an encrypted image processing model based on homomorphic encryption; see Figure 1.

Figure 1(a) is a common online image processing service model. The service has a set of image processing functions as . When image data owner (DO) uploads the image for a specific kind of process request, service provider (SP) will choose the corresponding function to process the image. As SP can access the original image, the privacy may be leaked. In Figure 1(b), DO encrypts the image using a homomorphic encryption before uploading. Thanks to this encryption, SP can operate on the encrypted image with the function corresponding to and return to DO the encrypted result image. After decryption, DO can get the correct processed image. The result is the same as Figure 1(a). But as the image in server is always in encrypted form, the privacy is preserved.

To realize the model, constructing an efficient homomorphic cryptosystem which supports both addition and multiplication operations on floating numbers is the key problem. We will discuss this in the next section. For clear description, the important notations used in this paper are summarized in Notations.

3. Improvement of Gentry’s Homomorphic Encryption

3.1. The Initial Construction of Gentry’s Scheme

Gentry denoted his initial scheme as [5]. It started by fixing a ring and an ideal lattice , with as the basis. Then he used an algorithm IdealGen(, ) to output the public and secret keys and which are the bases of some ideal , such that . The plaintext space was , and “”, “” were the addition and multiplication in . For , set the ciphertext . In decryption, . For any function consisting of “” and “”, was generated by replacing “” and “” with “” and “”, respectively.

Gentry proved that scheme satisfies (1), that is,

But is too complex to encrypt image. For one thing, to prevent the attacker from working out the secret key, the dimension of public key needs to be large enough ( [9]). For another, encrypts one bit each time ( need to be translated into as ). Thus, supposing that each of the elements of vector has bits, the ciphertext will be times larger than plaintext. Therefore, the byte of the encrypted image file will be enlarged at least times. This is unrealistic, not to mention the extra cost for operating on each encrypted bit in the image processing. So we need to simplify to make it more efficient.

3.2. Simplifying Gentry’s Scheme

Our simplified scheme is denoted as . To reduce the size of key, we discard the public key encryption part. That is, the part of is reserved, but the public key encryption part (the ideal ) will no longer be used. The ciphertext of is set as . In decryption, . Then, the key problem is how to construct the ideal lattice .

For any , the ideal generated by is . According to Notations, is an ideal lattice with Rot as the basis. Thus, we set , and is . In , can be seen as the secret key. The encryption and decryption algorithms are described as follows.

. It takes as input the key and a plaintext . It sets and outputs .

. It takes as input the key and a ciphertext . It outputs , where .

Besides, there is an algorithm denoted as Eval which operates on ciphertext.

. It takes as input a set of ciphertexts , where , and a function consisting of “” and “”. It outputs by replacing “”, “”, and “” with “”, “+”, and “”, respectively.

Now let us consider the correctness of ; that is, satisfies (1).

Proof. For , , where , and , we haveIn , instead of computing “” and “”, we can compute “+” and “” to get a result and then output . Thus,That is, satisfy (1).

The security of is the same as , that is, semantic security, as they are all based on ICP.

Definition 1 (ideal coset problem (ICP) in [5]). Fix , , and an algorithm that efficiently samples . The challenger sets . If , it sets , . If , it samples uniformly from . The problem is guessing by given .

Theorem 2. Suppose that there is an algorithm A1 that breaks the semantic security of with advantage . Then there is an algorithm A2 that solves the ICP with advantage .

Proof. The challenger sends an ICP instance . sets , and samples uniformly from . Then, gives to ; sends back a guess of as . Finally, guesses as .
If , is a well-formed ciphertext. As is uniformly random element of , and is uniformly random element of , then is uniformly random element of . In this case, should have advantage to get , which translates into an advantage of for to get .
If , both and are uniformly random elements of . In this case, whatever is, the ciphertexts are uniformly random element of . ’s advantage is 0, which translates into an advantage of 0 for to get .
Overall, ’s advantage is .

The ICP asks one to decide whether is uniform or whether it was chosen according to a known “clumpier” distribution induced by Samp1 (). According to [5], there is no such algorithm that can solve the ICP with an unnegligible probability. Thus, according to Theorem 2, the advantage of algorithm breaking the semantic security of can be ignored; that is, is semantic security.

When , the modular operation can be calculated as or denoted as . As “” and can be operated with operations using the Fast Fourier Transform (FFT) [12], the time complexity of is . Furthermore, as a secret key encryption, a small value of will make security enough. Thus, is efficient and secure for being used in image encryption. But the plaintext space of is , while, in image processing, the data types include integer and float. So we need a mapping between the floats and .

3.3. Expanding Plaintext Space into Floats
3.3.1. A Mapping between Integers and

For , can be written as the polynomial . If we set a fixed value (e.g., or 10), each is corresponding to a number; this numeralization of is denoted as . Meanwhile, any integer with is equal to the polynomial , where ; the sign of is the same as . Thus, each number is corresponding to an element in , denoted as . Thus, for an integer plaintext , in encryption (denoted as ), after getting , it outputs . In decryption (denoted as ), when getting , it outputs .

This scheme is denoted as . We discuss the conditions to make satisfy (1), that is, , where . The operations in are “+” and “×” in real number field.

Lemma 3. For an integer , if and , then satisfies (1).

Proof. Obviously , where . If , then , where consists of “+” and “” in . Besides, we have proved that , where is equivalent to .
As consists of “” and “”, . Denoting the output of as , then . According to Lemma in [5], if , then , that is, .
Above all, we have , that is, satisfies (1).

3.3.2. A Mapping between Floats and

Now we need to expand the plaintext space into floats. To encrypt a floating number which is accurate to (i.e., ), we can change it into integer and encrypt to output the ciphertext . In this case, , and . So, the correct output of decryption should be . But as , to keep the multiplication homomorphic, we redefine it (“”) as , where , that is, .

Lemma 4. If and , then , where , .

See the proof in Appendix B.

Finally, our homomorphic encryption (IGHE) is described as follows.

. It takes as input the security parameters and . It chooses a random vector from repeatedly until , and then it outputs ).

. It takes as input the key and a plaintext . It sets ; then, after choosing a random vector from , it outputs .

. It takes as input the key and a ciphertext . It sets and outputs .

. It takes as input a function and a set of ciphertexts , where Dec, , . It outputs by replacing “”, “+”, and “×” in with “”, “+”, and “” in , respectively.

According to Lemmas 3 and 4, if includes t multiplications, as long as and , IGHE satisfies (1). To gain a high accuracy with a small value of , we set . Next, we will use IGHE to realize the encrypted image processing model in Figure 1(b).

We have proved that is semantic security. If algorithm can break the semantic security of IGHE, then, for , one can first map the ciphertext into float and use to break the security of . Thus, IGHE is also semantic security.

So far, we have introduced our homomorphic encryption IGHE which is simplified and improved from Gentry’s homomorphic encryption. The differences between IGHE and Gentry’s scheme are as follows:(i)IGHE is a symmetric encryption, while Gentry is a public key encryption. The purpose of public key is for service to use the public key to operate on the encrypted data. We omitted the public key encryption part, because we have another way to let service operate on the encrypted data without using key (see Section 4.2). The main benefit of symmetric encryption is that a smaller size of secret key can reach to the security level as high as public key. Then, in the same security level, as the size of key is smaller, our scheme is more efficient than Gentry’s scheme.(ii)Gentry’s scheme is universal and fully homomorphic; it takes each bit as the plaintext. As the image processing can also be presented as a batch of operations of bit, theoretically the scheme can be used for encrypted image processing. But considering the complexity, it is hard to implement. While our scheme takes the byte as plaintext, and, after inducing the homomorphic addition and multiplication operations on floats, we can easily realize the encryption image processing.

4. Encrypted Image Processing Using IGHE

4.1. Image Encryption Using IGHE

The values of colors are less than 256, and it usually has only one multiplication in image processing. By choosing an appropriate value of and , after process, it is easy to keep the result less than ( when ) and accurate to . Thus, IGHE can be applied in encrypted image processing.

An image with width and height consists of pixels. As we know, a pixel can be seen as a combination of the three-primary colors, we denote the pixel in the th row and th column as , with representing the color of red, green, and blue, respectively. Firstly, we use KeyGen to output the key . Then, after reading the image file and getting the pixels array , we encrypt by calling ImgEnc.

. For each pixel in , it encrypts sequentially to get , where . The ciphertext of is denoted as . After getting all , it outputs as a ciphertexts array of .

For a given image, there are pixels with each having 3 integers. ImgEnc encrypts all these plaintexts separately. Thus, the time complexity of ImgEnc is . is the set of all the encrypted pixels, as each ciphertext is an -dimensional column vector; is an matrix. Thus, the size of is .

In decryption algorithm, each in will be decrypted separately to get the pixel .

. For each cipher pixel in , we decrypt sequentially to get , where ; if , set ; if , set . Then, after getting all , it outputs as the pixels array of plain image.

As the color must be an integer in , after getting , the result will be rounded into the nearest integer in . The time complexity of ImgDec is .

4.2. Processing Encrypted Image

We concentrate on the processing method which is based on addition and multiplication operations on the pixels. In these processes, the new color in a pixel is calculated by a function , where represents the color of a pixel and represents the data from SP. As IGHE is a secret key encryption, SP does not have the key to encrypt . However, SP can translated into (), which is a special ciphertext with in Enc(b, , ). We denote this translation as Enc(, ), which can be run by SP without the key .

As shown in Figure 1(b), firstly, user uploads the encrypted image by calling ImgEnc and asks for a processing method request corresponding to the function . Then, SP returns to user the encrypted result by calling Eval. Finally, by calling ImgDec, user will get the correct plain result same as Figure 1(a). In Eval, the function was generated to process the encrypted image, where , and . In these methods, as SP does not need any key, there is no need to share the key. User just needs to keep the secret key safely.

In the image processing, we may like to change the color of the image, add a watermark (or photo frame) on the image, or change the size of the image. To illustrate our scheme, we use these three common kinds of image processing as instances.

4.2.1. Color Transformation

The original color transformation is based on the color matrix [13] CM which is a matrix. The th row and th column are denoted as , where is often a floating number. Given CM and the original pixel , the resulting pixel is computed aswhere is , and is the transparency of the pixel . For the image without transparency, the default value of is 255.

In the instance, DO wants to change the color of his image, such as grayness and binarization. But he does not know the value of CM, while there are many kinds of color transformation operations in SP, with each kind corresponding to a value of CM.

DO uploads the ciphertext C, then, in encrypted image color transformation, SP uses the encrypted form of CM () to compute each encrypted resulting pixel .

As SP knows , he can compute and then encrypt as one plaintext.

4.2.2. Image Addition

Give two images , , add on with a transparency tp; then the resulting pixel is

In one instance, IO gives SP two encrypted images and and asks SP to add them with the transparency tp. The encrypted resulting pixel is

In another instance, IO gives SP one encrypted image and chooses a plain image (e.g., a photo frame) from SP to add on the encrypted image with the transparency tp. In SP’s image, the pixels may have different transparencies ; when added on , the true transparency of is . And the encrypted resulting pixel is

As SP knows , he can compute and then encrypt and as one plaintext.

4.2.3. Image Scaling

Image scaling is also common image processing. Here we discuss the quadratic linear interpolation method. The size of original image is . Suppose that, after scaling, the size of becomes . Then, is computed according to four adjacent pixels in . They are , where , , andwhere .

In the instance, IO asks SP to scale the encrypted image   times in width and times in height. So the encrypted resulting pixel iswhere , , , and .

5. Experiments

We run some experiments to test the performance of our scheme. All the experiments are carried out on a computer equipped with two processors, each with 3.1 GHz clock speed, and the computer has 4 GB RAM.

5.1. Security

Now we analyze the statistical security of the encrypted image.

In our scheme, the ciphertext is an -dimensional integer vectors. We use 4 bytes to represent the integer; then each element of can represent a new pixel in the encrypted image. The top byte represents the transparency , and the rest represent the color of red, green, and blue, respectively. So a plain pixel will be changed into new pixels in encrypted image. We store the encrypted image in.PNG format and calculate the histograms of original and encrypted image, respectively. Figure 2(a) is the original image, and its histogram is shown in (b). Figure 2(c) is a part of the encrypted image, and the histogram is shown in (d).

Figure 2 indicates that the histogram of the encrypted image is fairly uniform and is significantly different from that of the original image. Thus, our scheme can resist the statistical analysis attack.

5.2. Correctness

We do the same type of processing both on the original image and on the encrypted image to get the processed image and . The error between and is

If , the encryption pixel of is error. If all the are zero, our scheme is correct.

As the floating numbers are accurate to , the value of will affect the correctness of our scheme. To test this, we choose different value of . For each , we encrypt an image to get and do the same kind of image processing on and to get and . Then, we compute the for every pixel.

We fix . Table 1 shows the correctness of our scheme with different value of . The “Error Rate” means the rate of error in . “None” means decrypted with no process. In “color transformation (CT),” each time we set the value of CM randomly. The elements of CM are accurate to 0.001. In “image addition (Add.),” we add the same image on and several times. Each time we set a different value of transparency ranging from 0 to 100%. In “image scaling (Scal.),” each time we choose from , and set .

In Table 1, the error becomes less and smaller as increases. When increases to 4, there is no error; then our scheme is correct. The error rate of “None” is zero, so no matter what is, if we decrypt an encrypted image with no process, we can get the original image with no error. That is because the value of color is integers, so the accuracy of 100 is enough.

In “Add.”, the transparency is a number with two decimals, so when , there is no error any more. In “CT”, as the random value of CM has three decimals, the error is zero when . In “Scal.”, the data may be an infinite decimal. But since the value of color is smaller than 256, when , . So there will be no error after rounding the result to the nearest integer.

Figure 3 shows some result of image (left image) and image Dec() (right image) after the image processing when and . In (a), the left image is the original image. We encrypt the left image and decrypt the cipher image to get the right image. In (b), we remove the color (grayness) of the original image; this is realized by setting CM a specific value. In (c), we set the elements of CM random values. And in (d), we choose a photo frame to add on the original image; the transparency is 60%.

The two images in each figure look the same. According to Table 1, they do have the same pixel in the same position.

Above all, the image can be processed in encrypted form. After decryption, user will get the same image as processing directly on plain image. Thus, our scheme is correct.

5.3. Efficiency

Figure 4 shows the runtime of the key generation, encryption, decryption, addition, and multiplication processes of our scheme IGHE and Gentry’s scheme.

We can see, when, in the same value of , our scheme is more efficient than Gentry’s scheme. When is 32, the runtime of “DEC” of Gentry is even more than 100 ms, which is not marked in Figure 4. What is more, note that as Gentry’s scheme is a public encrypt system, to keep security, is at least 512 [9]. Then, the running time of each process will be more than 5 s. Thus, IGHE is more efficient than Gentry’s scheme.

Encryption and decryption will cost extra running time. Besides, processing encrypted image is slower than processing plain image. We test the efficiency of ImgEnc, ImgDec, and the three encrypted image processing algorithms (CT, Add., and Scal.). We choose different values of and record the running time of each algorithm. Figure 5 shows the average running time of each algorithm on one pixel. The common time means the running time of plain image processing.

From Figure 5, we can see that all the running time increases as increases. When , all algorithms can process each pixel in 10 μs. This is 10 times slower than processing the plain pixel. But for a 1-megapixel image, the process can be finished in 10 seconds. To protect the privacy, this compromise of efficiency is worthy. When is 16 or 32, it may take a long time to process the large size image, but our scheme is still suitable for the small size image.

5.4. Size of Encrypted Image

After encryption, the size of encrypted image is enlarged. By setting different value of , we record the size of secret key, the size of encrypted image, and the space of encrypted image file in.PNG format. See Table 2. “Plain” means the original image.

As described in Section 5.1, the key and ciphertext of IGHE are -dimensional vectors, with each element having a 4-byte integer. The size of secret key is . A plain color takes one byte. After encryption, the encrypted color takes bytes, with bytes representing the transparency. So, in the encrypted image, the width grows by 3 times, and the height grows times. And the size of  .PNG file is enlarged times.

Figure 6 shows that, with the size of image increasing, both the size of encrypted image and the runtime of CT process are increasing.

For , the time for processing a 5-megapixel image is about 1 minute, but the size of the encrypted image is up to 200 megapixels. So considering both the efficiency and the communication overhead, our scheme is suitable for small size image encryption and processing, but not proper for larger size of image yet. According to Figure 6, for , the proper size range may be less than 2 megapixels, and, for , it should be less than 1 megapixel.

6. Conclusion

In this paper, we improve Gentry’s homomorphic encryption to propose an efficient, simplified secret key homomorphic encryption (IGHE). We use it in the image encryption, so that the image can be processed in encrypted form to protect the privacy. Any image processing that consists of addition and multiplication operations on single pixel can be translated into the encrypted-formed process. We give the color transformation, image addition, and image scaling as the examples.

By using our scheme, the image can be processed in the server in encrypted form; after decryption in client, user can get the correct processed image that is the same as processing the plain image. So our scheme can protect privacy in online image processing. Our scheme is secure, but it enlarges the running time of process and the space for storing encrypted image. So our scheme is not proper for processing large size of image yet.

As the value of color is less than 256, when translating into vector, most elements of the vector are zero. To use these elements, we will research on translating batch colors in one vector to decrease the running time and the size of encrypted image.


A. Proving

Proof. Suppose . The multiplication can be viewed asFurthermore, asthus,The coefficient of () isBesides, supposethen, .
Thus, .

B. Proving Lemma 4

Proof. We fix , and suppose the floating number is accurate to , that is, .
Then, .
Suppose , where .
We have .
And .
Then, or .
Besides, , and .
Suppose ; then .
As , then .
Thus, .
Furthermore, as ,


:The commutative ring , where is monic and of degree . In this paper, we set , same as [14]
:The bold lowercase letter represents the element of , that is, . It can be written both as a polynomial, for example, , and as a vector, for example, . Besides, we denote as 0 and as 1
:The ideal lattice in . is the basis of , that is, [15]
:The circulant matrix generated by . The th row and th column in are
:The multiplication in ring , . See the proof in Appendix A. Besides, the addition in is the same as the addition in , still denoted as “+”
:The value of is randomly chosen from
:. It can be efficiently computed as ·, where “” rounds each element of the vector to the nearest integer
:The modular addition operations. , .

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This work was supported in part by NSFC under Grant no. 61472316, Research Fund for the Doctoral Program of Higher Education of China under Grant no. 20120201110013, Scientific and Technological Project in Shaanxi Province under Grants no. 2016ZDJC-05 and no. 2014JQ8322, Basic Science Research Fund in Xi’an Jiaotong University (no. XJJ2014049 and no. XKJC2014008), and Shaanxi Science and Technology Innovation Project (2013SZS16-Z01/P01/K01).