The applications of social Internet of Things (SIoT) with large numbers of intelligent devices provide a novel way for social behaviors. Intelligent devices share images according to the groups of their specified owners. However, sharing images may cause privacy disclosure when the images are illegally distributed without owners’ permission. To tackle this issue, combining blind watermark with additive secret sharing technique, we propose a lightweight and privacy-preserving image sharing (LPIS) scheme with illegal distributor detection in SIoT. Specifically, the query user’s authentication information is embedded in two shares of the transformed encrypted image by using discrete cosine transform (DCT) and additive secret sharing technique. The robustness against attacks, such as JPEG attack and the least significant bit planes (LSBs) replacement attacks, is improved by modifying 1/8 of coefficients of the transformed image. Moreover, we adopt two edge servers to provide image storage and authentication information embedding services for reducing the operational burden of clients. As a result, the identity of the illegal distributor can be confirmed by the watermark extraction of the suspicious image. Finally, we conduct security analysis and ample experiments. The results show that LPIS is secure and robust to prevent illegal distributors from modifying images and manipulating the embedded information before unlawful sharing.

1. Introduction

The continuous and rapid development of the Internet promotes the interconnections of things. However, the Internet is a double-edged sword. On the one hand, it brings about the rise of emerging fields and the integration of multiple fields, such as social networks [1–4], Internet of Things (IoT) [5–9], and Industrial IoT [10, 11]. On the other hand, it also brings a lot of problems, such as malicious information dissemination [12] and privacy disclosure [13, 14]. Known as the new generation of Internet, IoT is becoming more prevalent with the development of 5G [15] and expands the forms of communications among people to people and things [16]. Moreover, IoT allows various types of devices to perform local tasks with the help of the cloud [17]. However, the response speed from the cloud is generally slow to support the demand of IoT devices. In order to improve the response speed to IoT devices, edge computing adopts devices and platforms with computing, storage, and application to provide nearby services for IoT devices [18–20]. After assigning social behaviors to the communication processes, IoT devices can communicate with each other for the purpose of social activities [21], which contribute to the development of social Internet of Things (SIoT) [22–24]. SIoT is rich in applications and has many data sources and types, such as images, text, and sound, which greatly facilitates people’s daily life and work.

As a broadly used carrier of information, images are widely used in SIoT. They can not only record wonderful moments, such as scenery and ethnic activities, but also hold a lot of personal information which may be sensitive to users’ privacy, such as facial information. When an image is captured by a mobile camera, the sensor itself cannot determine whether the image contains private information. To share the information in SIoT, the sensor will share the image according to the group set by its owner. After the image is shared, other users’ operations on the image will not be controlled by the image owner, and others may modify or illegally distribute the image. In this case, the owner’s privacy will be threatened. Access control is a widely used security mechanism that allows only selected groups of authorized users to access images through the designed protocols [25–28]. When an authorized user obtains an image, the image can be fully manipulated because the user’s behavior is often autonomous, unpredictable, and not controlled by the image owner. Therefore, access control is restricted in the case of illegal distribution of images by authorized users. Data hiding techniques are suitable for authentication by embedding hidden data in an image [29]. Embedding data in the least significant bit planes (LSBs) is a common way for hiding. Zhang et al. [30] used stream cipher for the encryption and divided the encrypted image into different blocks. Then, each bit of information is embedded in a block by changing half of pixels’ LSBs of the block. Based on [30], Xia et al. [29] proposed a privacy-preserving image retrieval scheme with copy detection. However, although these methods maintain a good visual quality, they are vulnerable to attacks, because the embedded data can be erased by modifying the values of LSBs. To improve the robustness against attacks, researchers have turned their eyes on frequency domain embedding [31]. Singh et al. [32] transformed the cover image through the combination of discrete wavelet transformation (DWT), discrete cosine transform (DCT), and singular value decomposition (SVD) and then embedded image watermark and text watermark in the different components of these coefficients. Zear et al. [33] enriched the diversities of watermarks for adapting the medical needs. Although these methods have good performance in high embedding capacity, they do not support embedding in encrypted image, because values in transformed images are always floating point numbers. Moreover, these methods are not as lightweight as we desired for meeting SIoT applications.

Considering the uncontrollability and unpredictability of authorized users’ behaviors in SIoT, we propose a lightweight and privacy-preserving image sharing (LPIS) scheme with the capability of illegal distributor detection, aiming at dealing with the potential illegal distribution problem of authorized users. In this paper, illegal distributors may attempt to remove the embedded information for the purpose of illegally sharing images. Direct embedding in the spatial domain is usually vulnerable to LSB attacks [30]. Moreover, JPEG compression technique regards the information embedded in the spatial domain as redundant information and may cause the loss of information upon JPEG attack [34]. We embed the authentication information in the DCT domain by modifying a small number of coefficients of the transformed image for improving the robustness against these two attacks for the reason that the IDCT maps the embedded information to the overall brightness information of the block. Furthermore, the embedding should be operated on the encrypted image to further protect the privacy of the owner. Since the coefficients of the transformed image are floating point numbers, and homomorphic encryption can greatly increase the burden of IoT devices, we adopt the additive secret sharing technique to provide lightweight encryption for preventing image content from being captured by semihonest edge servers. To support additive secret sharing, two edge servers are needed as operating platforms to provide storage and embedding operations. With the help of two edge servers, the image owner can accurately and conveniently identify illegal distributor’s identity when a suspicious image appears. The main contributions are summarized as follows:

(1) We propose the LPIS scheme with illegal distributor detection in SIoT. By adopting the additive secret sharing technique, the shared images are encrypted, and the embedding phase is supported to be operated in the encrypted domain. Moreover, the embedded information can be extracted without the original image.

(2) We use DCT transformation to improve the robustness of resisting against JPEG attack. The visual quality of the embedded image is maintained since only a few coefficients in frequency domain of each block are modified. Meanwhile, we adopt additive secret sharing technique for lightweight encryption to protect the content of the outsourced image and reduce the operational burdens of the owner.

(3) Security analysis and ample experiments show that LPIS is secure and robust to different attacks.

The rest of this paper is organized as follows: Section 2 details the problem of illegal distribution, outlines the system model and security model considered in this paper and then highlights the system goals. Section 3 describes the construction of LPIS. Section 4 shows the security analysis and experimental results. The conclusion is given in Section 5.

2. Problem Description

In this section, we present the system model of the LPIS scheme, followed by the security model and system goals.

2.1. System Model

In this paper, we aim at addressing the issue of illegal distribution in SIoT. When IoT devices communicate for social activities, device owners always protect their privacy by allowing information to be shared only within their designated groups. Members of a group tend to share the same interests, but may not necessarily protect the privacy of the data shared by the sharers. For example, when the sensor camera automatically shares the image which contains owner’s private information according to the group specified by the owner, other users in the group (image users) may choose to ignore the owner’s privacy and may share the image, which will cause the privacy disclosure of the image’s owner. We consider such a situation and limitations and propose the LPIS scheme to quickly confirm the identity of the illegal distributor when there occurs a suspicious image. Moreover, to meet the high response speed for IoT devices, we adopt edge servers to provide computing power and nearby services for IoT devices.

As illustrated in Figure 1, the system model in this paper mainly involves four entities: image owner (IO), image users (IUs), and two edge servers ( and ). The IO collects images with sensors and outsources images to edge servers for relieving their local storage and for the convenience of image sharing. We denote the original outsourced image as and transform it into frequency domain by DCT transformation. DCT is adopted to improve the robustness against JPEG attack. JPEG is a widely used compression technique which can remove the redundant information of the image. The information embedded in the spatial domain is always considered as redundant information, so direct embedding in the original image may cause information losses after JPEG compression. Embedding information in DCT domain may mitigate this effect, because IDCT will map the embedded information to the overall brightness information of the block. To protect the privacy of , the IO first encrypts by splitting it into two random shares, and , where . Then, and are distributed to and , respectively. To obtain the shared image, the IU sends his authentication information to the servers, where is a binary image of his signature image and the values of belong to . The servers find the retrieved image and check if IU is on the list of authorized users specified by IO. Once the IU is an authorized user, and will generate two different random vectors representing the values of . and , respectively, embed their random vectors in the corresponding blocks of the image as required (see Section 3.2 for details) and send the embedded image to the IU. The IU just needs to add up two shares and use IDCT; then, the embedded image with authentication information will be obtained. For the entire process, we assume that all communication channels among entities are secure.

2.2. Security Model

Similar to [35], we set edge servers as semihonest entities, which can perform the protocols as defined but may try to learn private information as much as possible when they are interested in the stored data. Both edge servers and are out of the trusted domain of IO. Moreover, we assumed that two servers are noncolluding, which means that neither of servers will reveal more information than protocol messages [35]. This assumption is reasonable and practical because and may be managed by two different service providers. We also consider the external attackers who may eavesdrop on communication channels to obtain encrypted data. In addition, we define the illegal distributors as those who are authorized IUs but illegally distribute shared images for their personal benefits. We have defined illegal distributors separately from external attackers , meaning that they will have different behaviors and no conversion between and is allowed. Meanwhile, we enhance the attack capability of to show that LPIS has good robustness against , while allowing illegal distributors to collude with either or . The specific attack capabilities of the two are shown as follows:

(i) may reach a compromise with or to guess plaintexts of all ciphertexts outsourced by IO or the ciphertexts sent from or through an interactive protocol.

(ii) may illegally distribute the embedded image for their own benefits after destroying the embedded information. This means that are authorized users but do not obey the rules of image sharing as IO expects. At the same time, may attempt to modify the obtained image to remove the authentication information embedded in the image.

Note that and are forbidden to compromise both and simultaneously. are not allowed to become authorized users in our system either.

2.3. System Goals

The system is expected to achieve the goals of both security and lightweight with high visual performance. In this paper, we assume that edge servers may attempt to learn some private information about IO from the encrypted image while following protocol steps to complete the assigned storage or processing tasks. Therefore, the system treats them as semitrusted service providers. The system goals of the scheme are described as follows:

(1) Security: security is the primary goal in our scheme. Our system will suffer threats from two kinds of entities: edge servers and illegal distributors.

(a) Security for edge servers: the edge servers are assumed to be honest-but-curious, so the content of the image should be invisible to edge servers during the image sharing process. When being operated in the encrypted form, the image data will never be leaked to any of the edge servers.

(b) Robustness against illegal distributors’ attacks: it is difficult to prevent the occurrence of illegal distribution, but we can confirm illegal distributor’s identity as soon as a suspicious image is found. Therefore, the scheme should be robust against various attacks.

(2) Lightweight and efficiency: computational processes should be executed on the server side, and the costs at both owners and users should be as low as possible. Because the edge servers are always service providers and the clients are service users, the computational operations should be executed by servers to lower the burden of clients. In addition, IoT devices are always resource-constrained and require timely service responses, so the transmission cost should be as low as possible, and the computational time cost on the server side should be kept as low as possible. The encryption method and secure computation techniques we used are lightweight and suitable for IoT scenarios, and edge servers are able to provide high speed responses for IoT devices.

In the image sharing system, the detection of illegal distributors should not affect the performance of image sharing, which means that the embedding of authentication data should not affect the visual quality of the image. This is the basic requirement of the normal use of shared images.

3. Construction of the LPIS Scheme

In this section, we introduce the implementation of LPIS scheme with illegal distributor detection in SIoT, aiming at achieving the goals as described in Section 2.3. The whole process of LPIS is also shown in Figure 2.

3.1. Image Sharing

Before sending the encrypted image to edge servers, the IO uses DCT transformation to improve the robustness of the scheme, such as hiding the original pixel value of the image and resisting JPEG attack:

Step 1. Image transformation: since two edge servers are curious-but-honest entities, IO needs to convert the image from spatial domain to transformed domain by using DCT to protect the original pixel value and the image content. The IO divides into blocks of pixels in spatial domain and applies blockwise DCT transformation for all blocks. We denote the transformed image as . Here, is the image’s original pixel value, is the transformed coefficient, and is the size of the image. Each DCT raw coefficient matrix’s first entry is called Direct Current component and the rest are Alternating Current components. Our scheme is to alter a few AC components to achieve the purpose of embedding authentication information.

Step 2. Image encryption: to protect the privacy of , the IO encrypts it based on the additive secret sharing technique. For the transformed image of size , the IO first generates a matrix of the same size as randomly. For protecting the content of , the elements of are randomly and uniformly distributed over a large interval , where should be larger than the largest element of , and acts as the security parameter. Here, we set . The IO then encrypts by splitting it into two shares of elements, such as and . Finally, and are, respectively, sent to two edge servers and .

3.2. Query and Information Embedding

When IUs from the same social circle request a shared image they need, they should send their identity information to the edge servers. Here, we use the signature image signed by IU as the identity information and transform it into binary image of size which is denoted as . Note that the edge servers will receive the same , and only when the passes the validation on both of edge servers, will any further action be taken. Otherwise, the request will be rejected.

Step 1. Since the numbers the IO encrypted are decimals, and should first convert the encrypted numbers into integers by multiplying the numbers by , where is the precision of the number they desire. It is worth noting that the operation of multiplying is in the encrypted domain, and no privacy will be leaked. The correctness can be demonstrated as follows: For a shared number , two servers compute , respectively, by using the same (e.g., the hash value of identity information can be used as ). Then,where denotes the round-down operation. After is divided by , the result is similar to when ignoring the accuracy of rounded decimals.

Step 2. Both and , sized , are divided into blocks of size (usually to match the block size of DCT transformation). In order to guarantee that the following steps are well processed, the needs to be resized to , which satisfies and at the same time. By doing so, each pixel of resized corresponds to a block of and .

Step 3. and , respectively, generate two different pseudorandom vectors, and , of length . The value of belongs to . holds and holds . Each vector represents a value of , in which the value belongs to . For example, vector represents the value 0 and indicates 1. We also introduce the intensity indicator to control the strength of to be added (3). Note that is fixed before the embedding phase and is a constant value which will not be changed across different images. In particular, different values have different effects on image quality as shown in Section 4.2.

Step 4. For each side of edge servers, () only embeds in the diagonal elements of the blocks of () where the corresponding pixel value of is . Note that both and are multiplied by to be consistent with and . We denote the embedded shares of as and .

Step 5. and send and to IU after they are divided into , respectively.

The detailed algorithm is given in Algorithm 1.

Input: Encrypted shares of the image: and of size ; pseudorandom vectors and of length ; authentication information of size ; embedding intensity indicator .
Output: Encrypted shares of the image with authentication information and .

After the embedding phase, we obtain an encrypted DCT image with authentication information in it. Note that the information embedding phase is performed on both of the edge servers, respectively, and each server embeds its own part of . When IU receives the two shares of the image, he only needs to add up these two shares and use IDCT to convert the image into spatial domain, and then the embedded image with authentication information will be obtained. There are two main purposes for this design. First, the robustness of LPIS against attackers is improved. In this scheme, the authentication information is not embedded in a fixed pixel with original value, but with two random vectors instead, so IU cannot easily extract the embedded data while knowing the embedding locations. Second, the quality of the image is maintained. After IDCT transformation, the embedded information will be mapped to the overall brightness information of the block. Because the same intensity indicator is used and only a few coefficients are modified, the brightness information changes in the same extent and the visual quality of the image is maintained.

3.3. Illegal Distributor Detection

When there occurs a suspicious image , IO will identify the illegal distributor with the help of and . The following are detailed steps:

Step 1. IO transforms from spatial domain into frequency domain by using DCT transformation and sends it to and .

Step 2. and share their private random vectors and with each other and calculate the correlation coefficient between each block’s diagonal elements and two pseudorandom vectors, respectively. Subsequently, they can extract the authentication information . As the block has the size , we first extract diagonal elements from each block, denoted as , and then use the following formulation to calculate Pearson correlation between and .where and .

Step 3. IO identifies illegal distributor’s identity according to .

Through the three aforementioned processes, LPIS can be established securely under the defined security model (Section 4.1). The embedding location of each block is set as intermediate frequency coefficient. Moreover, the embedding phase is operated in the encrypted domain by additive secret sharing technique, which proved to be lightweight and efficient in SIoT.
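The following Python sketch is an added illustration, not code from the paper: it walks 8×8 blocks through Sections 3.1 to 3.3 (blockwise DCT, additive sharing, per-server embedding on shares, reconstruction by the IU, and blind extraction by Pearson correlation) and then repeats the extraction after zeroing LSB planes. Assumptions: the "diagonal" is taken as the anti-diagonal so the DC component is untouched, `ALPHA`, `BOUND`, and the fixed vectors `V0`/`V1` are constructed values, the test blocks are synthetic, and the integer-scaling step of Section 3.2 is omitted.

```python
import math
import random

N = 8            # block size; the 8 anti-diagonal entries are 1/8 of the 64 coefficients
ALPHA = 20.0     # embedding intensity (assumed value, not the paper's setting)
BOUND = 2 ** 20  # assumed half-width of the interval the random share is drawn from
# Constructed stand-ins for the servers' private pseudorandom vectors (zero-mean, orthogonal).
V0 = [1, -1, 1, 1, -1, -1, 1, -1]   # held by server 1, marks watermark bit 0
V1 = [1, 1, -1, 1, -1, 1, -1, -1]   # held by server 2, marks watermark bit 1

# Orthonormal DCT-II matrix: C[u][x] = c(u) * cos((2x + 1) * u * pi / (2N)).
C = [[math.sqrt((1 if u == 0 else 2) / N) * math.cos((2 * x + 1) * u * math.pi / (2 * N))
      for x in range(N)] for u in range(N)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

def transpose(m):
    return [list(row) for row in zip(*m)]

def dct2(block):      # forward 2-D DCT: C * X * C^T
    return matmul(matmul(C, block), transpose(C))

def idct2(coeffs):    # inverse 2-D DCT: C^T * Y * C
    return matmul(matmul(transpose(C), coeffs), C)

def split(coeffs, rng):
    """Owner: additive sharing, coeffs = s1 + s2 with s1 uniform in [-BOUND, BOUND]."""
    s1 = [[rng.uniform(-BOUND, BOUND) for _ in range(N)] for _ in range(N)]
    s2 = [[coeffs[i][j] - s1[i][j] for j in range(N)] for i in range(N)]
    return s1, s2

def embed(share, vec):
    """Server: add ALPHA * vec to the anti-diagonal of its own share only."""
    out = [row[:] for row in share]
    for i in range(N):
        out[i][N - 1 - i] += ALPHA * vec[i]
    return out

def serve(s1, s2, bit):
    """Server 1 marks blocks whose watermark bit is 0, server 2 those whose bit is 1."""
    return (embed(s1, V0) if bit == 0 else s1), (embed(s2, V1) if bit == 1 else s2)

def reconstruct(e1, e2):
    """User: add the two shares, apply the inverse DCT, round to 8-bit pixels."""
    total = [[e1[i][j] + e2[i][j] for j in range(N)] for i in range(N)]
    return [[min(255, max(0, round(p))) for p in row] for row in idct2(total)]

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    norm = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return cov / norm if norm else 0.0

def extract_bit(pixels):
    """Detection: DCT the suspicious block, compare its anti-diagonal with both vectors."""
    coeffs = dct2(pixels)
    diag = [coeffs[i][N - 1 - i] for i in range(N)]
    return 0 if pearson(diag, V0) > pearson(diag, V1) else 1

def clear_lsbs(pixels, n):
    """LSB replacement attack: zero the n lowest bit planes of every pixel."""
    return [[(p >> n) << n for p in row] for row in pixels]

def sample_block(k):
    """Constructed smooth 8x8 test block (synthetic, not real image data)."""
    return [[60 + 10 * k + 5 * x + 3 * y + (x * y + k) % 3 for x in range(N)]
            for y in range(N)]

def run_demo(bits, seed=1, lsb_planes=0):
    """Share, embed, reconstruct, optionally attack, then extract one bit per block."""
    rng = random.Random(seed)
    recovered = []
    for k, bit in enumerate(bits):
        s1, s2 = split(dct2(sample_block(k)), rng)
        marked = reconstruct(*serve(s1, s2, bit))
        recovered.append(extract_bit(clear_lsbs(marked, lsb_planes)))
    return recovered

if __name__ == "__main__":
    bits = [0, 1, 1, 0, 1, 0, 0, 1]
    print(run_demo(bits), run_demo(bits, lsb_planes=2))
```

Extraction needs only the suspicious pixels and the two vectors, which is why the original image is not required at detection time.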

4. System Evaluation

4.1. Security Analysis

In LPIS, we set and to be honest-but-curious and noncollusive entities. Based on this assumption, we need to prove that LPIS is secure under the threats defined in Section 2.2. Lemma 1 shows that the additive secret sharing technique is secure.

Lemma 1. (see [35]). If a random element is uniformly distributed on and independent from any variable , then is also uniformly random and independent from .

Proof of Lemma 1 is shown in [36]. Because the embedding of authentication information is independent of each edge server, the attacker cannot obtain the embedding information of the other edge server under the assumption that he can only collude with one edge server. To prove that LPIS is secure under outside attacks and the threat of illegal distribution, we use the definition in [37].

Definition 1. (see [37]). We say that a protocol is secure if there exists a probabilistic polynomial-time simulator that can generate a view for the adversary in the real world and the view is computationally indistinguishable from its real view.

As shown in Section 2.2, we defined two kinds of attackers: external attackers who can collude with only one of the edge servers; illegal distributors who are authorized users but illegally distribute the obtained image.

Theorem 1. LPIS is secure under threats of external attackers .

Proof. Since the embedding is operated by and locally without any interactions, they can be perfectly simulated. If compromise or , they can pass only one edge server’s verification and obtain one share of the image and one of the random vectors. In LPIS, only those who can pass the verifications of both of and can obtain the shares of the image. Additionally, the one who compromises only one edge server can do nothing with the information he obtained.

Theorem 2. LPIS is secure under threats of illegal distributors who are authorized users.

Proof. are special attackers who are authorized users but destroy the privacy of IO for their own benefits. They will try to destroy the embedded information and distribute the image mainly by two ways. Firstly, they may try various attacks to destroy the embedded authentication information without severely damaging the visual quality of embedded image. LPIS is robust to LSB replacement attack, JPEG compression attack, and other attacks which will be shown in Section 4.2.3. Secondly, they may collude with either or to eliminate the embedded information and obtain the plaintext of the image. Because of the defined large interval, the pixel values are uniformly split into that interval, so the image content is well protected from statistical analysis. The plaintext of the image is not obtainable by only colluding with one server. In addition, when obtain the share of , they will know the secret embedded vector and the plaintext of embedded information from , while they cannot obtain the other part because it is not allowed to collude with the other server . As a result, it is a hard problem to guess that is the same as to destroy the whole embedded information. Therefore, LPIS is secure under .
The above proofs show that our system is secure when there exist external attackers and semihonest entities. Especially for illegal distributors, our solution has countermeasures against them. Therefore, our scheme is secure. Specifically, when are authorized users yet illegally distributing the image, IO can easily identify them by extracting their authentication information with the help of and . The authentication information of IUs is always unique and has one-to-one correlation with authorized users.

4.2. System Performance

In this section, we evaluate the performance of LPIS and the performance of resistance against attacks.

To evaluate the visual quality of the embedded image, we use the peak signal to noise ratio (PSNR) and the structural similarity index (SSIM) as the evaluation indicators. Usually, the higher the PSNR value, the better the image quality, and the closer the SSIM is to 1, the better the image structure.

For an image and a compared noisy image , the definitions of PSNR and SSIM are as follows:where is the max gray value of .where and are the means of and , and are the variances, is the covariance between and , , and . is the dynamic range of pixel values, and and are always set to 0.01 and 0.03, respectively.

In experiments, we take “Lena,” which is of size , as the cover image (Figure 3(a)) and denote the signature image “Alice,” which is resized to , as IU’s authentication information () (Figure 3(d)). When outsourcing into and , the IO first transforms it into DCT domain (denoted as ) and randomly splits it into two shares, where . Then, IO sends and to and , respectively (Figures 3(b) and 3(c)).

4.2.1. Impact on Intensity Indicator

As addressed earlier, the intensity indicator will affect the intensity of the embedded vector, which in turn affects the visual quality of the embedded image. Here, we discuss the impact of , where . The random vectors to be embedded by and stay the same.

Figure 4 shows the embedded images and the extracted signature images under different values. Associated with PSNR and SSIM shown in Table 1, with the increase of , the embedded image’s quality is affected more intensively, but the quality of extracted signature images becomes better. The greater the embedded value is, the greater the proportion in this DCT block will be; thus, the more the brightness of this block will then be affected after IDCT. For this reason, we make a trade-off between the quality of the image with embedded information and the quality of the extracted signature image, where is used as the embedding intensity in our following experiments. When using , PSNR is greater than 30, which means that the image quality is not seriously affected (Figure 4(i)), but the quality of the extracted is maintained at a high level, and the SSIM value between the original and extracted reaches 1 (Figure 4(j)).

4.2.2. Computational Time Cost of LPIS

Since IoT devices are usually resource constrained, we try to make LPIS as lightweight as possible. One manifestation of lightweight is that the computational time cost of all operations should be low. We analyze the time cost of each operation step. As shown in Table 2, the total computational cost of LPIS is less than 0.2 s for an image of size without considering the communication delay. The DCT transformation and encryption are operated by IO, and the time cost of these two operations is less than 0.1 s. The embedding operation is carried out in the cloud, and the average time cost of embedding 1 bit for each server is 11 μs.

Moreover, we compare LPIS with other algorithms [30, 38–43] in terms of the embedding time cost. As the embedding capacities of each algorithm are different, we compare the average computational time cost of embedding 1 bit as criteria. Table 3 shows the comparison results among these algorithms, in which LPIS reaches a low computational time cost compared to current methods. Spatial domain embedding is the most direct way for hiding secret data, such as LSB flipping [30, 38] and LSB replacement [40]. Compared to existing spatial embedding methods in encryption domain, LPIS reaches high embedding efficiency. The efficiency of LPIS is similar to [41], but LPIS is more robust against JPEG attack because of the transformed domain embedding. Meanwhile, additive secret sharing technique is more efficient than the homomorphic encryption scheme [42], which meets the goal of lightweight for LPIS. Although [39] also used additive embedding as the embedding operation, it first calculated and retained the mean value of pixels in each set before embedding, which increased the computational embedding cost.

4.2.3. Performance under Attack

LPIS mainly aims at the scenario where there exist illegal distributors who try to remove the embedded data and distribute the image without IO’s permission. Therefore, LPIS is robust against various attacks such as LSBs replacement attacks and JPEG attack. In many existing approaches, data is embedded in the LSB or the three LSBs [29, 30], which are not appropriate for illegal distributor detection in the cloud environment. Besides, IU can easily erase the embedded information (Figure 5(a)) while the visual quality of the image is not severely affected. However, setting more LSBs to zero will indeed damage the visual quality (Figures 5(b) and 5(c)). Note that the higher the bit plane is, the higher the proportion of the image brightness will be. After the LSBs of the block are deleted and the block is transformed into frequency domain, the changes of the block will also be transformed into the frequency domain corresponding to the original DCT coefficient, and the influence of each pixel on the DCT coefficients will be weakened. Therefore, LPIS has superior robustness against deleting LSBs attacks, even when high bit planes are removed and the visual quality is severely affected (Figures 6(a)–6(c) and Figures 7(a)–7(c)).

JPEG is the most common format of images used in networks, which can greatly reduce the image size and maintain the visual quality by removing redundant data of the image. Here, we use MATLAB to implement JPEG compression with its default compress rate (Figure 6(d)). The extracted authentication information under JPEG attack is shown in Figure 7(d). The SSIM between extracted under JPEG attack and original is 1, which shows that LPIS can resist JPEG attack.

Furthermore, the image may probably be polluted by the white noise through the communication. The amplitude of white noise roughly follows Gaussian distribution. Here, we set of Gaussian distribution to simulate different amplitudes of the white noise. As we can see in Figures 7(e)–7(h), the higher the value of is, the more severely the visual quality will be affected and the more severely the extracted is polluted. However, with the improvement of the quality of communication channels, a low value of is more likely to appear. We can therefore draw a conclusion that LPIS is robust enough to resist white noise attacks.

5. Conclusion

In this paper, we proposed LPIS scheme to solve the problem of detecting illegal distributor in SIoT. In order to adapt to the IoT environment, we adopted the additive secret sharing technique to encrypt the shared image. LPIS can help the image owner identify illegal distributor’s identity by the embedded authentication information, and no plaintext information of the image was leaked to any of edge servers. Moreover, the design and implementation of privacy-preserving embedding improved the robustness of detection. The embedded information cannot be removed easily by illegal users through traditional attacks or JPEG compression attack. In conclusion, LPIS can effectively support privacy-preserving image sharing in SIoT with illegal distributor detection.

Data Availability

The cover image data used to support the findings of this study are included within the article.


An earlier version of this paper has been presented as a conference paper in SpaCCS: International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This work was supported by the National Natural Science Foundation of China (61872088, 61872090, and 61872086); the Natural Science Foundation of Fujian Province (2019J01276); and the Guizhou Provincial Key Laboratory of Public Big Data Research Fund (2019BDKFJJ004).