Sage Journals: Discover world-class research

Abstract

Encryption is one of the best methods to safeguard the security and privacy of an image. However, looking through encrypted data is difficult. A number of techniques for searching encrypted data have been devised. However, certain security solutions may not be used in smart devices in IoT-cloud because such solutions are not lightweight. In this article, we present a lightweight scheme that can enable a content-based search through encrypted images. In particular, images are represented using local features. We develop and validate a secure scheme for measuring the Euclidean distance between two feature vectors. In addition, we use a hashing method, namely, locality-sensitive hashing, to devise the searchable index. The use of an locality-sensitive hashing index increases the proficiency and effectiveness of a system, thereby allowing the retrieval of only relevant images with a minimum number of distance evaluations. Refining vector techniques are used to refine relevant results efficiently and securely. Our index construction process ensures that stored data and trapdoors are kept private. Our system also efficiently supports multi-user authentication by avoiding the expensive traditional method, which enables data owners to define who can search for a specific image. Compared with other similarity-based encryption methods predicated upon searchability, the option presented in this study offers superior search speed and storage efficiency.

Keywords

Searchable encryption secure image retrieval IoT-cloud locality-sensitive hashing local feature smart devices multi-user authentication

Introduction

The need to conduct searches within extensive datasets using smart mobile devices has become increasingly vital in a number of different disciplines.¹ Practical applications that require this process include medical diagnosis, criminal identification, and Internet retail and advertising. In the case of third- and fourth-generation smart devices, users can connect rapidly to the Internet and easily relay, send, and acquire images while simultaneously collecting a number of images from various sources. However, the management and retention of these images make significant demands in terms of storage, its associated costs, and computing power.¹ Such facilities may be unavailable to all smartphone users, particularly those who use lightweight smart devices such as the iPhone.^1,2

With the significant advances in cloud computing technologies, several companies, including Apple, Google, Microsoft, and Amazon, have adopted cloud computing technology to support users of smart devices with services such as mass storage and large-scale data management at an efficient cost.^1,3 Despite the technical and economic benefits of cloud computing technology, transferring particularly vulnerable or important images to insecure cloud servers (CSs) presents difficulties in safeguarding the private images of users.¹ To prevent unsolicited access attempts, users generally encrypt such images prior to outsourcing them on a cloud.¹ However, this process presents a barrier when traditional encryption services are used and when searching for and through encrypted images.¹ In addition, despite the increasing computing power of smart devices, they are currently still unable to achieve the capacity of personal computers.¹

In recent years, a number of searchable encryption (SE) methodologies, which facilitate the selective retrieval of encrypted documents by means of keyword searches, have been developed.^4–12 In such systems, a user has to send a secured keyword to look for specific encrypted text documents. Other modern informational retrieval systems have also introduced original technologies. For example, Google Goggles permits clients to send an image as a query and then search through the images in the database, where images with a comparable visual content are identified.¹ Original technological processes similar to this approach are referred to as content-based image retrieval (CBIR). Consequently, the development of an SE scheme that can manage image-based searches proficiently and precisely is necessary.

Most image matching (IM) approaches define an image representation and a distance metric that reduce the amount of data stored per image and the time cost of database search. Feature vectors (descriptors) of each image in the database are extracted and stored. During the matching, the descriptors of the query image are compared against their counterparts in the database to determine the most relevant image. However, keeping descriptors in their clear text may reveal information on some objects in the image. Thus, such descriptors should be encrypted in such a way that their distances are preserved without decryption.

In particular, attention has recently shifted to issues concerning privacy in the context of searching groups of encrypted images.^1,13–18 These issues primarily focus on global features and are critically not lightweight.¹ Consequently, global feature-based CBIR techniques are unsuitable for smart portable applications and other instances where available computing power is comparatively low.¹ To our knowledge, the only local feature-based CBIR available thus far is the approach described in Abduljabbar et al.¹ and Xia et al.¹⁹ In contrast with global feature approaches, local feature-based CBIR achieves enhanced accuracy in terms of retrieval but requires comparatively complex metrics related to distance, for example, earth mover’s distance (EMD).¹

Accordingly, a lightweight IM and retrieval scheme is required for applications that use IoT-cloud. Furthermore, preserving the privacy of images is among the most important of all security services provided by security applications and security systems.²⁰ Nevertheless, interest and the provision of security services are not imminent in smart mobile devices communicating in the IoT-cloud environment.

In summary, protecting the privacy of images during the matching process is necessary in some cases. The following example illustrates the importance of image security in the IoT-cloud real-time application. Imagine a security agency that has outsourced a number of sensitive images related to a potential terrorist suspect to CSs in accordance with its policy of fully utilizing the benefits of cloud technology. The security agency’s agents may wish to check whether images related to the suspect can be found in the databases of the CSs. In particular, such agents may use mostly restricted devices (smart devices) during the course of their work to remain mobile while attempting to identify and apprehend the suspect. For security reasons, however, neither the agency nor its agents want to reveal the images they hold and their queries to unauthorized entities, unless authorized agents need to access this information. One way to identify such a need is to detect similarities between the query of the agents (in the form of a bio-image) and the cloud database. When the need for matching is verified, the CS can send only similar images. In the process of identifying similar images, the security agency and its agents should not disclose the query image and the identity of the database. They should allow the latter to learn only of the existence of any commonality between images. Hence, the success of the security agency is depend on the efficiency and precision of the IM process.

To the best our knowledge, a lightweight and efficient scheme is yet to be developed for searching images over encrypted large-scale datasets through IoT-cloud with privacy-preserving when compared with other popular secure image search methodologies on powerful devices (laptops).

The contributions of this article are as follows. First, we shall address the question of how to search for and retrieve similar images between smart device users and CSs in a manner that preserves privacy without losing image confidentiality through lightweight multi-user authentication.¹ Second, distance metric techniques are designed to evaluate the plaintext data. In our method, we propose an efficient secure distance metric to achieve similarity comparison between encrypted vectors in the CS without revealing sensitive information. Third, our scheme will adopt local speeded-up robust feature (SURF)-based CBIR, which has the benefits of being lightweight, using the Euclidean distance, a well-known metric for scoring matching images and speeding up the search process. In addition, locality-sensitive hashing (LSH) is applied to achieve high search index efficiency and reducing storage requirements. The primary benefit of indexing in this approach is the accomplishment of similarity queries using as few distance evaluations as possible, in contrast with the alternative sequence-predicted searching of the entire index. Fourth, a simple solution for achieving secure matching shall be adopted using a trusted third party (TTP). For example, if Bob sends images (Bob’s collection) to the TTP and Alice sends a query I to the TTP, then the TTP shall subsequently assess the query and inform Alice whether the images she sought are located in Bob’s collection and are similar. In real-world scenarios, the identification of a totally trustworthy third party is a particular challenge, and our work does not require the involvement of a third party. Fifth, our proposed scheme manages the problem of similar image searching to achieve flexible searching. Finally, our scheme marks a considerable step toward the practical deployment of data hosting that preserves privacy in an IoT-cloud environment.¹

The remainder of this article is structured as follows. Section “Related works” presents a review of relevant literature. Section “Scheme overview” explicates the research problem and security exigencies. Section “Proposed scheme” describes the proposed scheme, while section “Scheme details” presents the scheme in detail and considers its preliminary concerns. Section “System evaluation” provides an analysis of security and presents the results of performance tests and investigations in relation to our scheme. Finally, section “Conclusion” makes recommendations for further research and draws the findings of our work with a summary and conclusion.

Related works

A number of authors have proposed different SE solutions based on text-based searches within the cloud environment. These processes imply that searching for encrypted data involves retrieving encrypted data in the form of text documents, where the owner of the data is allowed to outsource his or her data in a different server, and thus, provide it with the means to selectively recover a document through the use of a keyword-based search; consequently, data do not require decryption through searching.^4–12 This process, which is based on searches for a single unique keyword, was initially suggested by Song et al.⁴ However, this method does not facilitate similarity searching, although the search performed is characterized by precision. To enhance search efficiency and avoid scanning the whole document to search for a keyword, such as that in Song et al.⁴ and Boneh et al.,⁵ the authors of Wang et al.⁶ designed SE schemes based on various index constructions. Subsequently, SE schemes that use only a single keyword have been extended, such that these schemes can now work with multiple and conjunctive keywords.^7–9 Through the aforementioned methods, these schemes have become more precise and flexible. However, such schemes may be unable to determine and recover typing errors within the data, which are common in real-life applications. To address this issue, several SE schemes that support fuzzy keyword searches have been suggested to manage any misspellings encountered within the search process.^10–12

Although SE schemes that use keywords exhibit a number of interesting features, they remain unsuitable for use in secure image searches over decrypted datasets. Furthermore, they are limited to extant keyword sets, and keyword searching demands precise text descriptions of content that has already been made available. By contrast, no predefined search scope for use within a content-based image search is currently available.

Furthermore, the application of image-based searching has been undertaken within the context of encrypted image databases. The extraction of visual words from images, and the subsequent construction of indexes based on these visual words, was suggested by Lu et al.,¹³ who utilized a series of cryptographic approaches, such as order-preserving encryption (OPE), to achieve this objective.²¹ Moreover, randomized hash functions are used to increase privacy protection and rank-ordered capability. Undoubtedly, large amounts of data can be leaked to an untrusted server via OPE, which may result in successful attacks. In addition, this scheme is applicable only to bag-of-features (BOF) image search, which exhibits an inferior search precision of up to 20% compared with the image search algorithms based on Fisher’s vector.^7,22,23 By contrast, the empirical test results show that the scheme proposed in our work does not leak any data to untrusted servers.

Through the use of homomorphic encryption, other researchers have proposed an alternative secure BOF technique based on an image search scheme that applies superior security.¹⁵ However, the efficiency of this scheme is significantly reduced as observed when Lu et al.¹⁵ is compared with Lu et al.¹³ A privacy-preserving image search engine scheme, along with the use of homomorphic encryption, was proposed by Abduljabbar et al.¹ and Hsu et al.¹⁴ Although this scheme achieved high accuracy in recognizing images, it was two to four orders of magnitude more expensive than other schemes and demanded the regular involvement of the user throughout the searching process.¹

Other works have described the use of image feature protection in the areas of bit plane randomization, random projection, and randomized unary encoding.^1,16 Features subjected to encryption using bit plane randomization and randomized unary encoding can be used to calculate Hamming distance within the encryption domain.¹ Meanwhile, features subjected to encryption using random projection can be used to calculate L1 distance within the encryption domain. Cheng et al.¹⁷ developed a CBIR system that applied bit plane randomization and random projection similar to that adopted in Lu et al.¹⁶ Ferreira et al.¹⁸ suggested an image encryption approach that would be compatible with privacy-preserving image retrieval that encrypts colors by means of a deterministic algorithm that supports the retrieval of images that is contingent upon content.¹ In this instance, the details of texture are encrypted with a probabilistic algorithm to enhance security. The searchable index may then be developed using the details of the encrypted colors.

The aforementioned privacy-preserving CBIR methods are primarily predicated upon global feature-based techniques that are not lightweight,¹ and consequently, are incompatible with devices with comparatively low computational power such as smart devices. Compared with global feature-based CBIR, local feature-based CBIR characteristically acquires more accurate results.¹ However, locally based options require complex distance metrics, such as those that involve EMD.¹ We believe that the only currently available technique that supports local feature-based CBIR is the one proposed by Abduljabbar et al.¹ and Xia et al.¹⁹ These authors essentially posited a CBIR scheme that maintains privacy and facilitates the outsourcing of an image database and CBIR service to the cloud by the data owner without disclosing the images stored in the database to the CS.¹Scale-invariant feature transform (SIFT) and clustering algorithms are used to determine features that represent images, whereas EMD applied an evaluation process that assessed the similarity of images. Xia et al.¹⁹ asserted that this approach is notable for its efficiency.¹ However, SIFT, clustering algorithms, and EMD are costly in terms of processing speed, and yet, they exhibit minimal efficiency in this respect.¹ This issue is further discussed in section “System evaluation.”

In this article, we present a practically achievable methodology where CBIR cloud outsourcing via IoT may be accomplished while maintaining privacy. The methodology is compatible with devices with low computing power such as smart devices. In addition, we use CBIR that is contingent on local feature SURF with appealing lightweight aspects through the use of the Euclidean distance, which is a well-known metric for scoring matching images.¹ In practical terms, this metric is based on secure matrix multiplication and randomization to protect the confidentiality of descriptors and to evaluate the similarity of images.¹ We use this method because of its efficiency and because it does not require massive encryption operations. LSH is also applied to enhance searching efficiency. This article reports the results of the empirical research using actual collections of images to establish the veracity of the claims made in our scheme.

Scheme overview

Notations

DB and DV: large-scale image database and dictionary of feature vectors, respectively¹

kdata: secret key used in encrypting and decrypting images

$s k_{1}$ and $s k_{2}$ : secret keys used in index construction

$M$ and $M^{- 1}$ : secret keys used in creating the feature vectors of the query and of dictionary encryption, respectively

SDV and C: secure dictionary of the feature vectors and ciphertext, respectively, of a large-scale image database

$g (.)$ : sensitive hash function set from locality $L$

$β (.)$ : one-way hash function

BID and Bcon: bucket identifier and bucket content, respectively

QSV: refining vector of query image $q$

$I$ and $S T_{q}$ : secure searchable index and trapdoor for query image $q$ , respectively

$ID (.)$ : image identity in a database

$Relevant$ and $SI$ : set of retrieved similar encrypted images and set of retrieved similar plaintext images to query image $q$ , respectively

Problem definition

Assume that the data owner DO (Bob) possesses a large-scale database $D B = {I m g_{1}, I m g_{2}, \dots, I m g_{n}}$ of number of sensitive images that he wishes to outsource to a CS.¹ A feature vector $v_{i}$ is then extracted by the DO from each image, $Im g_{i} \in DB$ subsequently constructs the dictionary $DV = {v_{1}, v_{2}, . . ., v_{n}}$ from the extracted features.¹ After the construction of the dictionary $DV$ , the user of a smart device can use it to build a searchable index $I$ .¹ To ensure safety, the DO encrypts collection DB, dictionary DV, and index prior to uploading them to the CS.¹

The CS is prevented from acquiring useful information regarding the outsourced data due to its encryption. However, this does not include DO, which is allowed to leak.¹ The encrypted data index should facilitate a search through it within an acceptable period before returning items that are most similar to those requested by the user.¹ To search a remotely stored image database DB with an image query $q$ , the authorized smart device user (Alice) generates a secure trapdoor $STq$ from $q$ .¹Alice then sends $STq$ to the CS.¹ The CS then searches its secure index $I$ after the $STq$ has been received.¹ The trapdoor retrieves the candidate list of all available images. This list includes the most similar images.¹ The server then refines the candidate list by completing the Euclidean distance between the dictionary subset that corresponds to the candidate list and the secure feature vector (refining vector) of the provided query.¹ Finally, the top-t image $IDs$ are selected by the CS, and the encrypted images that correspond to these image $IDs$ are sent back to the smart device belonging to the authorized user (Alice).¹ The structure of the proposed scheme is illustrated in Figure 1.¹

Figure 1.

Proposed scheme.

Security definition

To facilitate the achievement of practical solutions, all presented SE scheme definitions allow the revelation of certain important information to the adversary server.¹ Such information includes access patterns (relevant images’ identifiers) and searching patterns (i.e. the extent to which queries have been repeated).¹ Our proposed scheme enhances security by not allowing the CS to acquire the access pattern. We present the required enhanced security features that should characterize our proposed SE scheme as follows:¹

Image security: The proposed encryption scheme should not leak any data that pertain to the stored images, except for their numbers and image $IDs$ , to the CS.¹

Trapdoor security: Without learning the secret key, the CS should be unable to generate a valid trapdoor.¹

Index security: The secure index should not leak any data regarding its contents.¹

Access pattern: The association between the search index and its corresponding image identifiers should remain unknown to the CS.¹

Our scheme uses a symmetric key SE to scale efficiency for large datasets. The “honest-but-curious” server is focused upon by the proposed scheme to maintain the majority of existing SE schemes.¹ On the basis of this assumption, the CS is operating honestly and the designed protocol specification is adhered to correctly.¹ Nevertheless, the server shall remain “curious” when inferring and assessing message-flow collected throughout the protocol, such that additional information can be acquired and retained.¹

Proposed scheme

In this section, we describe the design framework of our privacy-preserving CBIR scheme. A collection of seven polynomial-time algorithms constitutes the index-based SE schemes, that is, $SE = (KeyGen, DataEnc, DGen, IndexBuild, TrpdrGen, SearchIndex, and DataDec)$ .¹ Moreover, two stages are involved in the SE process, namely, configuration and secure image retrieval.¹ The technical detail of the proposed scheme is illustrated in Figure 2.

Figure 2.

Technical details of the proposed method.

The various notations function as follows in the configuration stage:

$SK \leftarrow KeyGen (1^{γ})$ : A probabilistic key generation algorithm that the data owner runs to launch the scheme. Assume $γ$ is its security parameter.¹ It then outputs a secret key $SK \in {0, 1}^{γ}$ .¹

$C \leftarrow DataEnc (SK, DB)$ : This probabilistic algorithm is run by the data owner and it accomplishes the encryption of the image collection.¹ A secret key SK is used as an input and an image collection database, that is, $DB = {Im g_{1}, Im g_{2}, . . ., Im g_{n}}$ , for the output encrypting collection, that is, $C = {c_{1}, c_{2}, . . ., c_{n}}$ .¹

$DV \leftarrow DGen (DB)$ : A deterministic algorithm whose purpose is to create the dictionary of feature vectors $DV$ from the large-scale image database DB after running by the data owner.¹

$(I, SDV) \leftarrow IndexBuild (SK, DB, DV)$ : A deterministic algorithm whose purpose is to create the secure searchable index $I$ and the secure dictionary of feature vectors $SDV$ .¹ When the large-scale image database DB and the dictionary of feature vectors $DV$ are being used, $SK$ performs its secret key function.¹

The various notations function as follows in the secure image retrieval stage:

$S T_{q} \leftarrow TrpdrGen (SK, q)$ : A secure trapdoor is generated for a specific image at the initiation of the smart device user.¹ This deterministic algorithm requires two inputs: the secret key SK and the image query.¹ Both inputs are required to create the secret trapdoor $S T_{q}$ .¹

$Relevant \leftarrow SearchIndex (I, SDV, S T_{q})$ : This deterministic algorithm is used by the CS to search index $I$ .¹ Using the encrypted index $I$ , the secure dictionary $SDV$ , and the secure trapdoor $S T_{q}$ as its inputs, it then outputs a set Relevant of most similar images that have been encrypted, so that $dist (SDV (Revelant), v (STq)) \leq u r_{1}$ .¹ In this case, dist is a metric distance function, whereas $u r_{1}$ is a user-defined threshold.¹

$SI \leftarrow DataDec (kdata, Relevant)$ : A deterministic algorithm that is run by the smart device user to retrieve a plaintext image.¹ This algorithm uses $SK$ as its secret key input and a set of the most similar encrypted images Relevant to create an output that consists of a group of similar plaintext images $SI$ .¹

The index-based $SE$ scheme will successfully accomplish its function if, for every $SK$ output by $KeyGen (1^{γ})$ , for every $C$ output by $DataEnc (SK, DB)$ , and for every $(I, SDV)$ output by IndexBuild(SK, DB, DV)¹

\begin{array}{l} S e a r c h I n d e x (I, S D V, T r p d r G e n (S K, q)) = \\ {I m g_{j}, \forall I m g_{j} \in D B | d i s t (S D V (I m g_{j}), v (S T_{q})) \leq u r_{1} \land I m g_{j} \\ = D a t a D e c (C_{j}, k d a t a) \land C_{j} \in C} \end{array}

Scheme details

In this section, we explain the details of the proposed lightweight privacy-preserving CBIR scheme.¹ We will improve our scheme building in section “Multi-user authentication” to further provide a fine-grained multi-user authentication property for searching an image.

Configuration stage

The scheme is initiated by the data owner (DO) when calling $KeyGen (1^{γ})$ , which generates several randomized keys $s k_{1}, s k_{2}, kdata \overset{R}{\to} {0, 1}^{γ}$ .¹ In addition, the data owner randomly generates matrix $M$ and its inverse $M^{- 1}$ , each of which has size $(d + 3, d + 3)$ . In this expression, $d$ denotes the size of the feature vector.¹ The data owner outputs the secret $keySK = {s k_{1}, s k_{2}, kdata, M, M^{- 1}}$ .¹ Then, information $(kdata, s k_{1}, s k_{2}, M_{1}, g (.))$ is shared between the DO and other authorized data users.¹

Generation of vector features

Before the feature indexing process is described, the method used to accomplish image collection feature vector extraction is summarized in this section.

In our scheme, we utilize the local feature SURF algorithm,^24,25 which is a novel scale and rotation-invariant detector and descriptor.¹ SURF approximates, or even outperforms, the previously proposed patented SIFT algorithm^1,26,27 with respect to repeatability, distinctiveness, and robustness, but it can be computed and compared much faster. In general, SURF extracts the feature vectors of the provided image as follows. First, SURF selects several interest points at distinctive locations in the image, such as corners, blobs, and T-junctions. These points are selected in such a way that enables the detector to find the same physical interest points under different viewing conditions. Subsequently, the neighborhood of each interest point is represented by a feature vector. This descriptor has to be distinctive and robust to noise, detection displacements, and geometric and photometric deformations. The descriptor vectors are matched among different images. Matching is based on the distance between vectors, for example, Euclidean distance or cosine similarity. Formally, given the images $DB = {Im g_{1}, Im g_{2}, . . ., Im g_{n}}$ , we formally use the SURF algorithm to generate their feature vectors $DV = {v_{1}, v_{2}, . . ., v_{n}}$ , where $v_{i} = {i p_{1}, i p_{2}, . . ., i p_{m}}$ , where $m$ represents the number of interest points in the image. Notably, different images may vary with respect to m.¹Figure 3 shows the interest points in the image “Lena” and their counterparts in the same image after rotation. An extremely compressed feature vector should be generated for each image, such that a huge volume of images can be dealt with proficiently while simultaneously storing and processing a large percentage of the data within the main memory. Such vectors are representative of images and may facilitate an expedient and scalable search. The algorithm $DV \leftarrow DGen (DB)$ is run by the data owner DO to generate the image dictionary DV for the entire image collection.¹ To find the most similar images, the Euclidean distance between feature vectors is considered a meaningful measure of similarity.¹

Figure 3.

SURF interest points in two images.

Feature indexing

The data owner then runs the algorithm $(I, SDV) \leftarrow IndexBuild (SK, DB, DV)$ after the image dictionary is generated to build the searchable index $I$ on top of the entity.¹ A simple means of indexing each dictionary vector is to retain and store vectors directly within the index,¹ after which a brute force search approach may be performed to identify the images in the database that are similar to the image query. Nevertheless, this search approach is inefficient because of high dimensionality and data size. Furthermore, this search process is considered unsecure because feature vectors can potentially leak information regarding the content of the image.¹ Therefore, an efficient data structure is used given that it represents a superior means of rapidly searching through a large number of database features and identifying potentially similar images while protecting the security of the underlying data.¹ LSH is utilized in our scheme to construct the searching index and fulfill the requirements listed above, particularly with regard to efficacy and security.¹ The creation of the LSH index and the means by which efficient index is converted into encrypted data are explained as follows.¹

Building the LSH index

As an efficient algorithm for near-neighbor search within high-dimensional spaces,^27,28 the core concept of LSH is to “hash” items more than once in a manner that ensures that more similar items will have a greater chance of being hashed together and placed in the same bucket compared with dissimilar items.¹ To achieve this objective, LSH utilizes a series of hash functions to map items into a number of buckets, and thus, the chance of similar items sharing a single bucket is high.¹ Assume the real d-dimensional point metric spatial value $M$ , the distance $dist$ , two probabilities $P_{1}$ and $P_{2}$ , a threshold $u r_{1}$ , and the approximation factor $cr > 1$ .¹ The LSH family $H$ of functions may be defined as follows.

$h : R^{d} \leftarrow N$ so that it is a $(u r_{1}, c r_{1}, P_{1}, P_{2})$ -sensitive family if meeting conditions concerning any couple of points $p, q \in M$ as well as function h are selected uniformly and in a randomized fashion from H if¹

\begin{matrix} if dist (p, q) \leq u r_{1}, then \Pr [h (p) = h (q)] \geq P_{1} \\ if dist (p, q) \geq c r_{1}, then \Pr [h (p) = h (q)] \leq P_{2} \end{matrix}

Interestingly, LSH can be utilized in a similarity search assuming $P_{1} > P_{2}$ because smart device users wish to retrieve all images that are close to the query point along with a sensible number of dissimilar images.¹ Therefore, a definition of the hash function $h_{a, b}$ , $h_{a, b} \in H$ may be given as¹

h_{a, b} (p) = ⌊ \frac{(< a . p > + b)}{w} ⌋

where <.> is the dot product, $P$ is the vector withind-dimensional space, a is a randomly selected vector using a Gaussian distribution with components, $b$ is a real number that is selected uniformly from the range [0, w], and $w$ is the width of the bin.¹ The hash function h(p) places the feature vector p in a random direction before the bin number is returned where the projection lies.¹ Intuitively, near-neighbor items located within the same space should be located in the same bin.¹ Moreover, $a$ and $b$ are selected randomly with regard to each hash function $h_{a, b} (.)$ .¹

In addition, the hash family $H$ can be used to construct a new family $G$ of hash functions, which will be created using $g (p) = mix (h_{1} (p), h_{2} (p), . . ., h_{k} (p))$ , such that the $g (p)$ function is constructed by randomly mixing $K$ chosen hash functions $H$ .¹ In our work, the hash function $g (p)$ is representative of the bucket identifier of point p within the hash table.¹ Abduljabbar et al. demonstrates the method proposed in this article for generating a bucket identifier $g (p)$ using a set from $k$ independent hash functions $h_{j} (p)$ .

Furthermore, $L$ can be selected for different hash functions $g (.)$ to index point $P$ into $L$ hash tables. In this situation, each vector (point $p$ ) of the dictionary $DV$ has been indexed into a set of $L$ hash tables. A set of hash functions from each table $h_{1}, h_{2}, . . ., h_{k}$ is subsequently mixed using the function $g (.)$ to utilize the index of the bucket of the table and determine where all the features should be placed. All the features that share a hash are placed in one bucket. The identifier of the bucket is referred to as $BID$ , whereas the bucket content is referred to as $BCon$ .¹

$P_{1}$ and $P_{2}$ are amplified into $P_{1'} = 1 - (1 - P_{1}^{k})^{L}$ and $P_{2'} = 1 - (1 - P_{2}^{k})^{L}$ , respectively. Thus, our scheme is able to locate a point within the distance $c r_{1}$ from query $q$ with at least a $P'_{1}$ probability level. The values of $k$ and $L$ may be fixed, such that $P'_{2}$ is pushed closer to 0 and $P'_{1}$ is pushed closer to 1, that is

k = \frac{\log n}{\log (1 / p_{2})}

and

L = N^{P}

In this case, the number of indexed points is $n$ , and

p = \frac{\log P_{1}}{\log p_{2}}

LSH index protection

The number of buckets and the contents of each bucket are revealed to the CS through the LSH index.¹ Such leakages may be potentially utilized by the CS to construct the whole image by inference. Therefore, the encryption of the LSH index should be completed before it is transferred to the CS.¹ In such situation, only the $DO$ who generates the secret key, or alternatively, the smart device users who are authorized to use the secret key can generate a valid query and then search through the encrypted data to determine what is stored within the database.¹ The method used by our scheme to generate a secure LSH index is described in the following steps.¹

Bucket identifier protection: $β_{s k_{1}} (.)$ may be assumed to be a collision-resistant hash function with parameters $β : 0, 1^{γ} \times 0, 1^{*} \to 0, 1^{p}$ , where $p > \log n$ .¹ In practice, the instantiation of $β (.)$ shall occur with an off-the-shelf hash function, such as SHA-1, where case $p$ is 160 bits.¹ The bucket identifier $BID$ of each hash table is replaced with $β_{sk 1} (.)$ before they are outsourced to the CS.¹ If the secret key $sk 1$ is unknown, then valid bucket identifiers cannot be generated by the cloud.¹

Bucket content protection: $Ma x_{b}$ may be assumed to be the highest possible length of a bucket in LSH.¹ The elements of all the buckets under the secret key $f_{sk 2} (BID)$ are then encrypted.¹ In this case, $BID$ is the bucket identifier that corresponds to the bucket to be encrypted, whereas $f (.)$ is a pseudo-random function that is written as $f : 0, 1^{γ} \times 0, 1^{*} \to 0, 1$ .¹ To hide the length of all the buckets, each bucket is padded with $Ma x_{b} - N_{j}$ using random values of the same size of encrypted data.²⁸ In this case, $N_{j}$ is the current length of bucket $j$ .¹

Hash table protection: $Ma x_{t}$ may be assumed to be the length of the longest hash table.¹ All lengths of the $L$ hash tables are then unified by padding $Ma x_{t} - L t_{i}$ fake records. In this case, $L t_{i}$ is the current length of $i$ hash table.¹

Dictionary encryption

In addition to the secure index, the dictionary DV of the feature vectors is outsourced to prune the candidate list. Notably, the additional bytes of the stored data do not present a significant problem due to the low cost of storage that characterizes CSs.¹ Nevertheless, the transfer of feature vectors in plaintext format to a CS can disclose private information.¹ The best approach to ensure data security is through encryption, although the traditional schemes used for this purpose are unable to provide the means to assess the distance function over the data to be encrypted.¹ To resolve this issue, we utilize the secure Euclidean distance to calculate the distances between the stored dictionary vectors and the query without knowing the contents of the dictionary or the query.¹ This approach enables the execution of the relevant Euclidean distance function with regard to all the encrypted vectors without necessitating decryption.¹ Furthermore, an illustrative example is presented as follows.¹ Assume that $v$ and $q$ constitute the data and query points, respectively.¹ Each point may be represented as d-dimensional vectors.¹ The premise of this concept is based on $v . q^{T} = (v M^{- 1}) \times (M q^{T})$ , where $M^{- 1}$ is an invertible matrix.¹ Thus, the $DO$ can store $v M^{- 1}$ rather than $v$ on the CS site, which ensures that $M$ remains hidden from the CS.¹ The $DO$ or the smart device user sends $M q^{T}$ to the server every time they wish to send a query $q$ . Thus, the CS can compute without knowing $v$ and $q$ .¹ If can be utilized to represent $\sum_{j = 1}^{d} (v_{j} - q_{j})^{2}$ , then the $CS$ can potentially calculate an approximate distance.¹ We suggest that the original representations of these points be augmented to the $d + 3$ dimensions as follows

v^{''} = (\sum_{j = 1}^{d} v_{j}^{2} + R - R_{i}, v_{1}, v_{2}, . . ., v_{d}, 1, R_{i})

(1)

q^{″} = (1, - 2 q_{1}, - 2 q_{2}, . . ., - 2 q_{d}, Ra, 1)

(2)

All these points are then encrypted; thus

v^{'} = E_{v} (v^{″}, M^{- 1}) = v^{″} M^{- 1}

(3)

q^{'} = E_{q} (q^{″}, M) = M^{″} q^{T}

(4)

The exact distance between the encrypted vectors is explained by Theorem 1.

Proof of Theorem 1

\begin{matrix} (q^{'} . v^{'}) = (v^{″})^{T} \cdot q^{″} \\ = (\sum_{j = 1}^{d} v_{j}^{2} + R - R_{i}, v_{1}, v_{2}, . . ., v_{d}, 1, R_{i}) \\ (1, - 2 q_{1}, - 2 q_{2}, . . ., - 2 q_{d}, Ra, 1)^{T} \\ = \sum_{j = 1}^{d} v_{j}^{2} - 2 \sum_{j = 1}^{d} v_{j} q_{j} + R + Ra \\ = v . q^{T} + (\sum_{j = 1}^{d} q_{j}^{2} - R - Ra) \end{matrix}

(5)

Therefore, the Euclidean distance will be equivalent to $v . q^{T} + (\sum_{j = 1}^{d} q_{j}^{2} - R - Ra)$ .¹ Nevertheless, given that $(\sum_{j = 1}^{d} q_{j}^{2} - R - Ra)$ is a constant, it may be removed because it has no effect on the final result.¹ Consequently, the CS can utilize $v . q$ to compute the closest match.¹ Furthermore, the computation in equation (4) does not reveal the secret $M$ and $Ra$ of the user to the $CS$ .¹ The random numbers $R$ , $Ra$ , and $R_{i}$ for $i = 1, . . ., n$ have been introduced in our scheme. The role of $R$ is to prevent the CS from acquiring the actual distance between $q$ and the items in the database. Ra stops the server from acquiring the relationship between two different queries. $R_{i}$ prevents the server from acquiring the relationships among items within the database.¹ Thus, the outcome of this method is the set of secure vectors $SDV = {S v_{1}, S v_{2}, . . ., S v_{n}}$ .¹ Feature vector encryption is conducted on only one occasion on the side of the DO.¹ This method should be recalled because it has no effect on the performance of the search. Abduljabbar et al. shows our proposed method for generating the secure dictionary SDV.¹

Database encryption

The algorithm $C \leftarrow DataEnc (kdata, DB)$ is run by the DO to protect the privacy of the images.¹ The DO uses pseudo-randomness against the selected plaintext attack encryption $En c_{kdata} (.)$ for encrypting the image collection database (DB) prior to its uploading to the CS, where $kdata \in SK$ represents the secret key.¹ Given image $Im g_{i}$ and its identifier $ID (Im g_{i})$ , the image collection, which is now encrypted, is $C \leftarrow {(ID (Im g_{i}), En c_{kdata} (Im g_{i})} \forall Im g_{i} \in DB$ . Image encryption may be performed by directly utilizing modern lightweight ciphers, such as the Advanced Encryption Standard (AES), which regards images as ordinary data. In particular, we utilize AES with counter-mode encryption (CTR mode)²⁹ as an instance of $En c_{kdata} (.)$ and a 128-bit length secret key, as shown in Figure 4.¹ We pad the image files with fake data to conceal their actual size.¹ The padding is performed after creating the secure index to avoid placing the new random buckets, that is, keywords, in the searchable index. The process of database encryption with fake data padding is explained in Abduljabbar et al.¹ AES is a 16-byte block cipher encryption that generates outputs with a magnitude that is several times that of the block size. When required, the input may be padded to equate its size to modulo 16 bytes. AES encryption is typically efficiently incorporated into IoT smart devices through hardware.^1,20 IoT data are generally smaller than the blocks used by AES; therefore, the alternative Blowfish 8-byte block encryption,³⁰ which represents a viable option that generates smaller ciphers, is worthy of consideration. Although Rijndael was selected due to the difficulty of using Blowfish in managing large files as a result of its 8-byte block size, Blowfish was consequently considered in the context of AES. Ultimately, we selected AES from among several 16-byte block ciphers, including Skipjack and RC5, due to its superior image encryption capabilities.³¹

Figure 4.

Encryption results obtained using AES on the image “Lena.” The original image is on the left, whereas the encrypted image is on the right.

Secure retrieval stage

After outsourcing the secured $LSH$ index $I$ , the CipherData, the encrypted database, and the secure dictionary $SDV$ to the $CS$ , authorized smart device users may select from among the retrieved images available on the remote server.¹ Authorized smart device users initially generate the feature vector $v$ from q after being provided with the image query $q$ and the secret keys.¹ Subsequently, the resulting vector is extended and expanded using equations (2) and (4), respectively, to obtain the QSV (refining vector).¹ Finally, authorized smart device users execute the trapdoor algorithm $S T_{q} \leftarrow TrpdrGen (SK, q)$ to hash $q$ into $L$ bucket identifiers using the same settings as those of the index setup.¹ The secure trapdoor $S T_{q}$ is then constructed as $S T_{q} = {β_{sk 1} (BI D_{1}), f_{k 2} (BI D_{1}), β_{sk 1} (BI D_{2}), f_{(} k 2) (BI D_{2}), . . .,$ $β_{(} sk 1) (BI D_{L}), f_{(} k 2) (BI D_{L}), QSV, t}$ .¹ Here, $t$ is a user-defined parameter that determines the number of images retrieved by controlling the perimeter.¹ Subsequently, trapdoor $STq$ is sent to the $CS$ .¹

Secure search and retrieval

Trapdoor $S T_{q}$ is accepted by the $CS$ from authorized smart device users.¹ Then, the $CS$ utilizes the secure element $β_{sk 1} (BI D_{i})$ to scan hash table $i$ for each $1 \leq i \leq L$ .¹ Subsequently, the bucket content $BCo n_{i}$ is retrieved in correspondence with the bucket $BI D_{i}$ .¹ The key $f_{k 2} (BI D_{i})$ is then utilized by the $CS$ to decrypt bucket $j$ .¹ Thereafter, the random fake values are removed.¹ All the image identifiers $ID (Img)$ resulting from the decryption of the contents of the buckets merge to constitute one list, which is referred to as the candidate list.¹ Subsequently, the duplicate elements are removed by the $CS$ .¹ The next stage involves refining the candidate list.¹ To fulfill the aforementioned requirements, the $CS$ quantifies the Euclidean distance between the provided refining vector $QSV$ and the vectors $Svi$ that pertain to the image identifiers located in the candidate list.¹ Theorem 1 explicates how this method is accomplished while protecting security.¹ Finally, the $CS$ returns similar encrypted images Relevant with $t$ lower distance and sends them to the authorized smart device user.¹ Our suggested protocol for retrieving top-t images from the remote $CS$ is explained in Abduljabbar et al.¹

Image decryption

After receiving the set of top-t encrypted images, the algorithm $SI \leftarrow DataDec (kdata, Relevant)$ is executed by the authorized smart device users to decrypt the encrypted images that correspond to their search requests, thereby acquiring similar images $SI$ .¹

Multi-user authentication

In this section, we enhance our scheme construction to efficiently support multi-user authentication. The $DO$ shares his or her secret keys with authorized smart device users to support multi-user search.^28,29 Nevertheless, this traditional method makes user revocation an expensive process because revocation frequently requires an additional round to distribute the new secret keys to authorized smart device users and necessitates the reconstruction of the searchable index tree after each user revocation. Therefore, such procedure is impractical for dynamic and large-scale systems where user revocation may occur repeatedly. The following is a summary of our proposed method. Let the set of authorized smart device users be Aus. The $DO$ register each user $us \in Aus$ by generating a secret key xus. Then, he or she sends the pairs $[u s_{j}, xu s_{j}] (\forall u s_{j} \in Aus)$ to the $CS$ , which keeps the received pairs in the user list $U S_{list}$ . To search for the query image $q$ , the user us first generates the secure request $STq$ for $q$ and then computes $ESTq = E_{xu s_{j}} (STq)$ , where $E$ is a semantically secure encryption function. Finally, us sends his or her search request as $(us, ESTq)$ to the CS.

Upon receiving a search request from a user, the $CS$ searches $U S_{list}$ to retrieve the secret key $xus$ that corresponds to the smart device user us. If it is not found, then the output is ⊥. Otherwise, $xus$ is used to decrypt $ESTq$ and obtain the original search request $STq$ . To revoke user $usj$ from the set of authorized smart device users Aus, the $DO$ simply informs the $CS$ to remove the record $[u s_{j}, xu s_{j}]$ from $U S_{list}$ . Our work does not require distributing new keys or reconstructing the searchable index tree. Evidently, the revoked smart device users can no longer search for encrypted images, whereas the revocation process does not affect the authorized smart device users.

Discussion

Security measures that are common in the majority of computing scenarios are unsuitable for smart IoT-cloud-mediated devices. The lightweight approach to image search and acquisition posited in our work is suitable for CS secure image applications where directly dishonest behavior is not a feature, but curiosity may be an issue. The lightweight approach described in this article involves secure index construction and image search that are compatible with smart devices that operate within the IoT-cloud. Query submission is also characterized by security. This approach represents a new means by which images may be securely transmitted in the IoT-cloud scenario. The benefits of lightweight encrypted image search include compatibility with smart portable devices that characteristically lack high-level computing power. The method posited here can prevent queries and image database contents from becoming known to the CS, as described in the security considerations in the previous subsection of this article, namely, those concerning LSH index protection, dictionary encryption, database encryption, and search and retrieval. Of equal relevance in this respect are issues considered in the following subsection of this article, namely, those concerning security analysis. On the basis of these conditions, the lightweight approach is asserted to have the potential to address security needs related to communication between smart devices and the CS, as well as secure image acquisition.

System evaluation

Security analysis

Our scheme posits that the encrypted database, secure searchable index, encrypted query, and encrypted dictionary will not disclose information to the CS. The assertion that the image database will be rendered secure through $AES$ with $CTR$ mode is not contentious.¹ However, several problems should still be solved.¹ Encrypted files may reveal information that is useful to a $CS$ by virtue of their size.¹ To address this issue, we recommend supplementing the stored images with padding of further data to make their original size not readily detectable.¹ Padding is applied after creating the secure index such that random $BCon$ and $BID$ elements may not be added subsequently.¹ Similarly, protection is afforded to the access pattern in the approach presented in our paper because the $CS$ stores encrypted IDs of images and no unsecured plaintext.¹ To construct a secure index that consists of a bucket identifier and content, we use a cryptographic scheme to ensure the security of the buckets.¹ The bucket elements in each hash table are unique to each table, and each hash table has a different key $f_{sk 2} (BI D_{i})$ encryption; hence, assigning the same key more than once is impossible.¹ Consequently, the encryption of buckets exhibits all the characteristics of being authentically random.¹ Security, with respect to the length of each bucket, is well preserved due to the padding with random values that are equal to that of the encrypted data.¹ Moreover, all the lengths of the $L$ hash tables are padded with fake records.¹ The two operations hide the actual length of the hash tables and buckets.¹ Similarly, we suggest adding fake buckets to hide the actual number of stored buckets in the search index and prevent statistical attacks.¹ The encrypted query is also afforded protection using means similar to those applied to the secure searchable index.¹

Security of dictionary

The feature vectors that pertain to the dictionary are similarly secured through the randomization and permutation protocols described in section “Building the LSH index.”¹ To quantify the amount of information that is leaked to the CS from a secure dictionary $SDV$ , we measure the dependency between secure vectors $SDV$ ¹ and their corresponding images DB. The rationale behind this method is that low dependency translates into low information leakage. We use mutual information $(MI)$ entropy³¹ to measure the dependency between two entities. $MI$ is defined as follows

MI (X, Y) = H (X) + H (Y) - H (X, Y)

(6)

where $H (X)$ and $H (Y)$ are the entropy of the one-way hash function SHA-1 of the original image $X$ and the secure vector $Y$ , respectively. The entropy of the random variable $Z$ is defined as

H (Z) = \sum_{i = 1}^{n} - P (z_{i}) \log P (z_{i})

(7)

and $H (X, Y)$ is the joint entropy between two variables $X$ and $Y$ , which is defined as

H (X, Y) = \sum_{i = 1}^{n} \sum_{j = 1}^{m} - P (x_{i}, y_{i}) \log P (x_{i}, y_{i})

(8)

where $P (x)$ and $P (x, y)$ are the probabilities of occurrence of outcome $x$ and pair $(x, y)$ , respectively. The secure vectors yielded a low MI value of 0.0019 throughout our experiments.

Search unlinkability

In our designed method, each search query $q$ is randomized by adding (d + 3)-dimensional random items, as shown in equation (2), and then encrypted as shown in equation (3) for each search request. Consequently, two search queries have different encrypted search vectors $q'$ even if they are from the same query image $q$ , which guarantees the unlinkability of different search queries.

Experimental evaluation

This subsection describes the experiments used to assess and evaluate our proposed scheme. The symbols used in this subsection are explained in Table 1. We report the experimental results of the proposed scheme on a real-image database that contains 1000 images from the Corel dataset,³² all of which are in a colored format. Image sizes are either $256 \times 384 or 384 \times 256$ . The images are grouped by content into 10 categories. Each category contains 100 images. These categories are African, Beach, Architecture, Buses, Dinosaurs, Elephants, Flowers, Horses, Mountains, and Food. The size of each SURF descriptor is 64 elements, that is, $d = 64$ . The normalized vectors are scaled via a user-specific factor to convert the normalization (between 0 and 1) into integer numbers because the encryption function is based on integer values. The SURF vectors are already normalized to vector units and thus do not require normalization. A secure LSH index is built based on the dictionary of feature vectors. The performance of our scheme is evaluated in terms of efficiency, retrieval capability, and precision capability, in addition to consideration of the impact of the LSH index parameters.¹ The default values used are $k = 10, L = 10, w = 4, n = 1000$ , and $d = 64$ .¹ The experiments undertaken to assess and evaluate our scheme are performed using an Intel Core I3 M380 2.5 GHz PC with Windows 7 operating system and 2 GB RAM.¹ MATLAB R2008a application is used to implement the experiments.¹ Moreover, we use Java class to implement the LSH cryptosystem.¹ In conducting the experiments, the operating parameters used are not the optimum ones.¹ Evidently, a small $L$ , a large $k$ , or a small $w$ will improve the search efficiency but precludes search precision.¹

Table 1.

Symbols used in the experiments.

Symbol	Meaning
n	Number of indexed images
m	Number of queries
D	Size of feature vector
K	Number of hash functions to generate bucketidentifier
T	Number of top retrieved images
L	Number of hash tables

Efficiency

LSH index

In this subsection, the efficiency of the LSH index is analyzed to identify the means to improve search speed. The LSH index and the linear scan index are comparatively appraised using a brute force approach to discern the closest similarities in image queries.¹Figure 5 illustrates that the index posited in this work achieves superior speed compared with that achieved by the scan index. As shown in Figure 5, the time consumed in searching the LSH index is short, even when the number of queries increases.¹ On one hand, LSH uses various hash functions to assign images to the appropriate buckets. Through this action, the likelihood that similar images will be assigned to the same bucket is enhanced.¹ On the other hand, our experiments evaluate the approximate distance of the candidate list, which has been found to be considerably smaller than the overall number of stored images.

Figure 5.

Linear scan and LSH index.

Index generation

We extract SURF local features to represent images.¹ This extraction process is conceptualized as the process that precedes the creation of the index. Index creation will then be primarily consisted of LSH calculation.¹ Feature extraction is a considerably slower process than index construction.¹ These speeds are of particular relevance to data owners; however, they are one-time functions that take place prior to the outsourcing of data and are, therefore, affordable for the data owner.¹ Apart from analyzing the aspect of speed, the need for index storage capacity is considered.¹ This requirement has also been determined as not being unacceptably onerous for the CS. Time consumption issues that concerned feature extraction and index construction, as well as the index storage capacity issue, are presented in Table 2. In this respect, comparisons are drawn with the data recorded in Xia et al.¹⁹ The required index storage capacity exhibited in Table 2 compares the results obtained from the method proposed in our work and those achieved in Xia et al.¹⁹ Compared with the performance in Shafagh et al.,²⁰ the method posited in our scheme reduces the required storage capacity. This result can be attributed to the LSH index, which is built based on feature vectors.¹ In addition, our work uses the SURF method, which produces fewer local features^24,25 compared with the SIFT method used in Abduljabbar et al.¹ and Xia et al.¹⁹ The storage cost of our indexes represents the $\sum_{i = 1}^{L} \sum_{i = 1}^{k} β_{s k_{i}} (BI D_{i}) + f_{k_{i}} (BI D_{i})$ .¹ Evidently, if $β$ is the hash function and SHA-1 has an a b-bit length of 160 bits and le is the length of encrypted key $f_{k_{i}} (BI D_{i})$ , then the total index storage cost is bounded as $O (k (b + le))$ .¹ Feature extraction time is also presented in Table 2, which shows the relative speeds of the proposed method and that posited in Abduljabbar et al.¹ and Xia et al.¹⁹ The latter performs favorably in this respect.¹ The solutions presented in Xia et al.¹⁹ typically rely on feature-based SIFT; however, our proposed method improves feature extraction speed using SURF.¹ As demonstrated, SURF is superior to the SIFT algorithm. The SURF algorithm exhibits strengths in terms of repeatability, distinctiveness, and robustness; it is also patented. Also, this algorithm can be improved in terms of processing speed.^24,25

Table 2.

Indexing performance.

	OurWork	Xiaet al.¹⁹	No. ofimages
Storage cost (KB)	1103	1776	1000
Feature extraction (s)	928.129	1504.591
Indexing time (s)	141.568	835.488

Table 2 illustrates the superiority of our work in terms of index construction time compared with that in Xia et al.¹⁹ In the scheme described in Xia et al.,¹⁹ SIFT extraction and clustering precede index creation. Thereafter, the index is created using methods that involve the creation of a signature and the computation of the centroid and hash elements. In our scheme, SURF feature extraction precedes index creation.¹ Then, LSH generally consumes the time used in our scheme to construct its searching index.¹ Our scheme exhibits superior index construction time compared with that in Xia et al.¹⁹ because it does not use time-consuming clustering and signature creation processes.¹ In addition, the need for centroid computation is precluded. Clustering becomes unnecessary because the time taken to complete the search index is extremely short, such that it is negligible when increasing query numbers, as shown in Figure 5.

Trapdoor construction

This subsection examines the performance of the trapdoor creation process in our scheme. Particular attention is given to the time required to create the trapdoor and the involved data traffic cost. For each query, trapdoor construction time consists of feature extraction, $QSV$ (refining vector), and LSH calculation. Similar to index construction, feature extraction consumes most of the time. In 100 experimental repetitions, trapdoor generation is accomplished within an average time of 1.127 s. By contrast, the trapdoor generation time of the scheme described in Xia et al.¹⁹ is 2.240 s.

Our scheme generates the trapdoor as two vectors: the vector of buckets (keyword set) and the refining vector $QSV$ . Evidently, the communication cost of the bucket vector is equal to the index storage cost expressed as $O (b (k) + k . le)$ . For $QSV$ communication cost, the storage complexity of $QSV$ is $O (d + | \sum |)$ given that |∑| is the size of the encrypted query vector and d + 3 is the length of the query vector (after augmenting). Consequently, the total communication cost of trapdoor generation is $O (k (b + le) + d + | \sum |)$ . The additional communication cost of $QSV$ can be deemed as reasonable in light of improvements in search time. The low cost of communication for trapdoor creation inherent in our scheme is a significant advantage that is beneficial to applications with comparatively low computing capacity, such as mobile smart devices.

Time of search operation

When queries are submitted to the scheme presented in this work, CS speed includes the time taken to accomplish index searching (Figure 5) to generate the candidate list and the time cost of the approach based on the secure Euclidean distance.¹ This approach facilitates the efficient calculation of the Euclidean distance with respect to all the encrypted vectors without requiring decryption.¹ In particular, the CS calculates the Euclidean distance between the refining vector $QSV$ and the candidate list image identification vectors $S v_{i}$ . This process offers a marked improvement on methods that rely on the significantly large quantity of stored images.

As shown in Table 3, the CS in our scheme takes less time to process queries than that in Abduljabbar et al.¹ and Xia et al.¹⁹ In particular, the secure Euclidean distance metric is significantly faster than the EMD distance metric used in Abduljabbar et al.¹ and Xia et al.¹⁹ Unlike the EMD method, our distance metric method does not require excessive time-consuming operations (equation (5)).¹ Evidently, the distance metric operation is of greater significance compared with index searching.¹ This operation takes over 95% of the total time consumed in the query process, whereas the remaining time percentage, which is low and semi-stable, is dedicated to searching the index (Figure 5).¹ EMD has the disadvantage of producing time complexity that is proportional to image group cardinality. This disadvantage will be impractical in view of the number of images typically handled in the considered scenarios. On the user side, speed is partly determined by the time taken to generate the trapdoor.¹Table 3 shows how the proposed scheme performs significantly better in terms of query user generation time than the scheme in Abduljabbar et al.¹ and Xia et al.¹⁹ For our scheme and that presented in Xia et al.,¹⁹ the same settings were used to create the secure LSH index for trapdoor generation.¹

Table 3.

Times processing per trapdoor query.

	Time consumptionof cloud (s)	Times consumptionof smart deviceuser (s)	No. ofimages
Our scheme	0.0504	1.1289	1000
Xia et al.¹⁹	0.6803	1.9151	1000

Retrieval evaluation

Precision

Precision–recall curves are utilized to evaluate retrieval performance. In our scheme, the precision and recall of the image query q are defined as

Precision (q) = \frac{| R ⋂ A |}{| A |}, recall (q) = \frac{| R ⋂ A |}{| R |}

where $A$ denotes the set of all retrieved images throughout the proposed protocol, whereas $R$ indicates the set of relevant images. Assume the set $Q = {q_{1}, q_{2}, . . ., q_{m}}$ of m queries. The computational average of precision and recall can be determined as

Average (Precision) = \frac{(\sum_{i = 1}^{m} precision (q_{i}))}{m}

Average (Recall) = \frac{(\sum_{i = 1}^{m} recall (q_{i}))}{m}

After a query has been issued, the retired images are ranked according to their distance. Subsequently, the images with top $t$ low distances are requested from the CS. The average precision and recall for a total of 1000 queries can be seen in Figure 6. As predicted, less similar items can be retrieved with increasing $t$ . In addition, an experiment is conducted on the accuracy that an adversary will be able to achieve using the incorrect trapdoor key to examine the repository.¹ The relevance of this exercise lies in the inability of a CS or an adversary to access stored images in this manner, and consequently, the privacy of users is protected. The submitted queries and their effects are shown in Figure 6.

Figure 6.

Evaluation of image retrieval.

Effectiveness

In testing the retrieval of similar images, the effectiveness of our proposed scheme is appraised with respect to its efficacy in retrieving the most similar images to the trapdoor queries. Figure 7 presents samples of our results. The first column shows the provided image trapdoor queries. The remaining columns show the returned images arranged according to their similarity to the corresponding query. As shown in the figure, our scheme typically retrieves images that are in the same category as the query image.

Figure 7.

Selected results of retrieved images.

Protection against adversaries

To protect stored images from adversaries, a user applies the trapdoor algorithm $TrpdrGen (SK, q)$ with a relevant trapdoor key to construct a secure trapdoor $STq$ . No adversary, therefore, including CS, can obtain the correct matching results if they have no knowledge of the trapdoor key. In this experiment, we intend to determine how difficult it will be for the CS to attempt to acquire matching results using a set of invalid trapdoors keys. The first row in Figure 8 shows the queried image (first column) and the images retrieved using a valid trapdoor key. The remaining rows show the queried image (first column) and the images retrieved using invalid keys.

Figure 8.

Effect of private key on secured image matching.

Impact of the LSH index parameters

In this subsection, we assess the performance efficacy of the proposed index. The impacts of the LSH index parameters ( $k$ and $L$ ), as well as the number of images that have been indexed n upon the indexing and search times, are evaluated. To achieve this objective, the average indexing and search times for 1000 queries under distinct settings should be measured. The search time may be defined as the time between the initial search request and the identification of the image, including the times spent in searching the index, creating the candidate list, and computing the secure Euclidean distance metric. A single perimeter is amended at a certain point in time and then utilized with the default values for others to demonstrate the impact of distance settings. The default values used are $k = 10, L = 10, w = 4, n = 1000$ , and $d = 64$ .¹ Recall that low values for $L$ and high values for $k$ will provide optimal efficiency, but precision in the searching operation is compromised.

Number of hash functions

The impact of altering the value of $k$ on search and indexing times is shown in Figure 9. As expected, an increase in this value results in a long indexing time due to the hashing operations, which are costly in time and are undertaken if large $k$ values are used. By contrast, search time decreases as the value of $k$ increases due to the use of a small $k$ value, which yields a low number of buckets for every table, and consequently, several huge buckets are generated, as well as a short search time, which cancels the LSH index effect. The experiment described in the next subsection explains the effect of the value of $k$ on the assignment of images to buckets.

Figure 9.

Effect of $k$ on search and indexing times.

Number of hash tables

The effects of adjustments on L are illustrated in Figure 10. As predicted, indexing time increases as the value of $L$ increases due to the need to evaluate time-consuming hash functions. Furthermore, search time also increases as $L$ increases. An increase in the value of $L$ also results in a larger, more time-consuming trapdoor. The effect of $L$ on search time is depicted in Figure 10.

Figure 10.

Effect of $L$ on search and indexing times.

LSH distribution

The impact of the value of $k$ on the distribution of stored items in the buckets of individual hash tables is assessed in this experiment. A high $k$ value increases the number of buckets in each hash table, as shown in Figure 11. Consequently, the distribution of stored item occurs when the number of buckets increases. This finding is a significant phenomenon that results from small buckets leading to a small candidate list and offers opportunities to enhance search times.

Figure 11.

LSH bucket distribution.

Conclusion

In this article, we intended to resolve the issue of supporting proficient CBIR for smart devices in IoT-cloud computing systems using encrypted data.¹ In addition, we designed a lightweight multi-user authentication property to allow the users of authorized smart devices to flexibly search for each image without influencing the searchable index tree. In this context, the preservation of privacy when outsourcing data are crucial and must be achieved without reducing functionality.¹ LSH, which is a commonly used process, is applied to achieve expedient similarity searches in high-dimensional spaces related to plain data.¹ The LSH secured index scheme is propounded by our scheme in producing a more efficacious search time in the context of encrypted data.¹ We designed a simple cryptographic primitive to protect the feature vectors and their corresponding indexes while enabling the CS to measure the similarity of the encrypted vectors without the need for a third party.¹ The similarity search is separated into two stages in our scheme.¹ First, a secure trapdoor is used to establish a candidate list.¹ Then, the candidate list is refined using a vector designed for such purpose, which also identifies the images with the most similarity.¹ The results of the security analysis and experiments demonstrate the superior security and efficiency of our proposed scheme.

The research described in this article will be continued. In the future, we will have opportunities to focus on questions regarding the ranking of images that are searched for within an encrypted image scenario. Among the proposed research opportunities, the most productive is likely to involve the extraction of features on the CS to reduce demands placed on smart device users and DOs. The initialization of the bag-of-words approach to generate visual words from feature vectors also has potential. The inverted index³³ or min hash³⁴ data structures may be used to develop expedient visual feature search techniques.

Footnotes

Acknowledgements

This article is an extended version of our paper entitled “Privacy-preserving image retrieval in IoT-cloud” that is published in the 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom’16), Tianjin, China, 23–26 August 2016.

Handling Editor: Geng Yang

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The Natural Science Foundation of Hubei Province under grant no. 2016CFB541 and the Applied Basic Research Program of Wuhan Science and Technology Bureau under grant no. 2016010101010003.

References

Abduljabbar

Jin

Ibrahim

et al . Privacy-preserving image retrieval in IoT-cloud. In: Proceedings of the 2016 IEEE Trustcom/BigDataSE/ISPA, Tianjin, China, 23–26 August 2016, pp.799–806. New York: IEEE.

Chen

You

Weng

et al . A security gateway application for End-to-End M2M communications. Comp Stand Inter 2016; 44: 85–93.

Zheng

et al . Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE T Parall Distr 2013; 24(1): 131–143.

Song

Wagner

Perrig

. Practical techniques for searches on encrypted data. In: Proceedings of the 2000 IEEE symposium on security and privacy (S&P 2000), Berkeley, CA, 14–17 May 2000, pp.44–55. Washington, DC: IEEE.

Boneh

Di Crescenzo

Ostrovsky

et al . Public key encryption with keyword search. In: Cachin

Camenisch

(eds) Advances in cryptology—EUROCRYPT 2004. Berlin; Heidelberg: Springer, 2004, pp.506–522.

Wang

Cao

et al . Secure ranked keyword search over encrypted cloud data. In: Proceedings of the 2010 IEEE 30th international conference on distributed computing systems, Genova, 21–25 June 2010, pp.253–262. Washington, DC: IEEE.

Golle

Staddon

Waters

Secure conjunctive keyword search over encrypted data. In: Jakobsson

Yung

Zhou

(eds) Applied cryptography and network security. Berlin; Heidelberg: Springer, 2004, pp.31–45.

Sun

Wang

Cao

et al . Privacy-preserving multi-keyword text search in the cloud supporting similarity-based ranking. In: Proceedings of the 8th ACM SIGSAC symposium on information, computer and communications security (ASIA CCS’13), Hangzhou, China, 8–10 May 2013. New York: ACM.

Cao

Wang

et al . Privacy-preserving multi-keyword ranked search over encrypted cloud data. IEEE T Parall Distr 2014; 25(1): 222–233.

10.

Wang

et al . Fuzzy keyword search over encrypted data in cloud computing. In: Proceedings of the 2010 IEEE INFOCOM, San Diego, CA, 14–19 March 2010, pp.1–5. New York: IEEE.

11.

Liu

Zhu

et al . Fuzzy keyword search on encrypted cloud storage data with small index. In: Proceedings of the 2011 IEEE international conference on cloud computing and intelligence systems, Beijing, China, 15–17 September 2011, pp.269–273. New York: IEEE.

12.

Wang

Lou

et al . Privacy-preserving multi-keyword fuzzy search over encrypted data in the cloud. In: Proceedings of the 2014 IEEE INFOCOM, Toronto, ON, Canada, 27 April–2 May 2014, pp.2112–2120. New York: IEEE.

13.

Swaminathan

Varna

et al . Enabling search over encrypted multimedia databases. In: Proceedings of the SPIE media forensics and security: IS&T/SPIE electronic imaging, vol. 7254, San Jose, CA, 18–22 January 2009, pp.725418-1–725418-11. Bellingham, WA: SPIE.

14.

Hsu

Pei

SC.

Image feature extraction in encrypted domain with privacy-preserving SIFT. IEEE T Image Process 2012; 21(11): 4593–4607.

15.

Varna

Confidentiality-preserving image search: a comparative study between homomorphic encryption and distance-preserving randomization. IEEE Access 2014; 2: 125–141.

16.

Varna

Swaminathan

et al . Secure image retrieval through feature protection. In: Proceedings of the international conference on acoustics, speech and signal processing, Taipei, Taiwan, 19–24 April 2009, pp.1533–1536. New York: IEEE.

17.

Cheng

Zhuo

Bai

et al . Secure index construction for privacy-preserving large-scale image retrieval. In: Proceedings of the 2014 IEEE 4th international conference on big data and cloud computing (BdCloud’14), Sydney, NSW, Australia, 3–5 December 2014, pp.116–120. New York: IEEE.

18.

Ferreira

Rodrigues

Leitao

et al . Privacy-preserving content-based image retrieval in the cloud. In: Proceedings of the 2015 IEEE 34th symposium on reliable distributed systems (SRDS’15), Montreal, QC, Canada, 28 September–1 October 2015, pp.11–20. New York: IEEE.

19.

Xia

Zhu

Sun

et al . Towards privacy-preserving content-based image retrieval in cloud computing. IEEE T Cloud Comput. Epub ahead of print 16 October 2015. DOI: 10.1109/TCC.2015.2491933.

20.

Shafagh

Hithnawi

Droescher

et al . Talos: encrypted query processing for the internet of things. In: Proceedings of the 13th ACM conference on embedded networked sensor systems (SenSys’15), Seoul, South Korea, 1–4 November 2015, pp.197–210. New York: ACM.

21.

Agrawal

Kiernan

Srikant

et al . Order preserving encryption for numeric data. In: Proceedings of the 2004 ACM SIGMOD international conference on management of data (SIGMOD’04), Paris, 13–18 June 2004, pp.563–574. New York: ACM.

22.

Perronnin

Liu

Sanchez

et al . Large-scale image retrieval with compressed fisher vectors. In: Proceedings of the 2010 IEEE conference on computer vision and pattern recognition, San Francisco, CA, 13–18 June 2010, pp.3384–3391. New York: IEEE.

23.

Douze

Ramisa

Schmid

. Combining attributes and fisher vectors for efficient image retrieval. In: Proceedings of the 2011 IEEE conference on computer vision and pattern recognition (CVPR’2011), Colorado Springs, CO, 20–25 June 2011, pp.745–752. New York: IEEE.

24.

Bay

Ess

Tuytelaars

et al . Speeded-up robust features (SURF). Comput Vis Image Und 2008; 110(3): 346–359.

25.

Truong

Ngoc

CSN

Nguyen

et al . Local descriptors without orientation normalization to enhance landmark recognition. In: Proceedings of the 5th international conference on knowledge and systems engineering, Hanoi, Vietnam, 17–19 October 2013, pp.401–413. Cham: Springer.

26.

Chao

Huitl

Steinbach

et al . A novel rate control framework for SIFT/SURF feature preservation in H.264/AVC video compression. IEEE T Circ Syst Vid 2015; 25(6): 958–972.

27.

Indyk

Motwani

. Approximate nearest neighbors: towards removing the curse of dimensionality. In: Proceedings of the 30th annual ACM symposium on theory of computing (STOC’98), Dallas, TX, 24–26 May 1998, pp.604–613. New York: ACM.

28.

Josephson

Wang

et al . Multi-probe LSH: efficient indexing for high-dimensional similarity search. In: Proceedings of the 33rd international conference on very large data bases (VLDB’07), Vienna, 23–27 September 2007, pp.950–961. New York: ACM.

29.

Goldwasser

Bellare

Lecture notes on cryptography, 2008, https://cseweb.ucsd.edu/~mihir/papers/gb.pdf

30.

Schneier

. Description of a new variable-length key,64-bit block cipher (Blowfish). In: Anderson

(ed.) Fast software encryption. Berlin; Heidelberg: Springer, 1994, pp.191–204.

31.

Stallings

Brown

Computer security: principles and practice. 1st ed. Upper Saddle River, NJ: Prentice Hall, 2007.

32.

Corel test set, http://wang.ist.psu.edu/~jwang/test1.tar

33.

Zobel

Moffat

Inverted files for text search engines. ACM Comput Surv 2006; 38(2): 1–6.

34.

Broder

Charikar

Frieze

et al . Min-wise independent permutations. J Comput Syst Sci 2000; 60(3): 630–659.

Efficient encrypted image retrieval in IoT-cloud with multi-user authentication

Abstract

Keywords

Introduction

Related works

Scheme overview

Notations

Problem definition

Security definition

Proposed scheme

Scheme details

Configuration stage

Generation of vector features

Feature indexing

Building the LSH index

LSH index protection

Dictionary encryption

Proof of Theorem 1

Database encryption

Secure retrieval stage

Secure search and retrieval

Image decryption

Multi-user authentication

Discussion

System evaluation

Security analysis

Security of dictionary

Search unlinkability

Experimental evaluation

Efficiency

LSH index

Index generation

Trapdoor construction

Time of search operation

Retrieval evaluation

Precision

Effectiveness

Protection against adversaries

Impact of the LSH index parameters

Number of hash functions

Number of hash tables

LSH distribution

Conclusion

Footnotes

Acknowledgements

Declaration of conflicting interests

Funding

References