Open Access

Encrypted Domain DCT Based on Homomorphic Cryptosystems

EURASIP Journal on Information Security20092009:716357

DOI: 10.1155/2009/716357

Received: 30 March 2009

Accepted: 29 September 2009

Published: 27 December 2009

Abstract

Signal processing in the encrypted domain (s.p.e.d.) appears an elegant solution in application scenarios, where valuable signals must be protected from a possibly malicious processing device. In this paper, we consider the application of the Discrete Cosine Transform (DCT) to images encrypted by using an appropriate homomorphic cryptosystem. An s.p.e.d. 1-dimensional DCT is obtained by defining a convenient signal model and is extended to the 2-dimensional case by using separable processing of rows and columns. The bounds imposed by the cryptosystem on the size of the DCT and the arithmetic precision are derived, considering both the direct DCT algorithm and its fast version. Particular attention is given to block-based DCT (BDCT), with emphasis on the possibility of lowering the computational burden by parallel application of the s.p.e.d. DCT to different image blocks. The application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images is analyzed; whereas a case study demonstrates the feasibility of the s.p.e.d. DCT in a practical scenario.

1. Introduction

The availability of signal processing modules that work directly on encrypted data would be of great help to satisfy the security requirements stemming from applications wherein valuable or sensible signals have to be processed by a nontrusted party [1, 2]. In the image processing field, there are two recent examples regarding buyer-seller watermarking protocols [3] which prevent the seller from obtaining a plaintext of the watermarked copy, so that the image containing the buyer's watermark cannot be illegally distributed to third parties by the seller, and the access to image databases by means of encrypted queries [4], in order to avoid the disclosure of the content of the query image.

Signal processing in the encrypted domain (s.p.e.d.) is a new field of research aiming at developing a set of specific tools for processing encrypted data to be used as building blocks in a large class of applications. In image processing, one of such tools is the discrete cosine transform (DCT). The availability of an efficient s.p.e.d. DCT would allow a large number of processing tasks to be carried out on encrypted images, like the extraction of encrypted features from an encrypted image, or watermark embedding in encrypted images. As a simple example, let us consider a scenario where a party https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq1_HTML.gif needs to process an image by means of a signal processing system known by another party https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq2_HTML.gif . Let us assume that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq3_HTML.gif is concerned about the privacy of his image, so that not to reveal the image content to the service provider https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq4_HTML.gif , he will send the image in encrypted form. In the processing chain, it is possible that there is the need to apply a DCT to the image, for example, to apply a watermark in such a domain, or to reduce to zero some coefficients in order to reduce the image bit rate. After this step, an Inverse DCT (IDCT) will be needed; in such a scenario, both DCT and IDCT will need to be performed in the encrypted domain.

In [5, 6], we considered the similar problem of implementing a discrete Fourier transform on encrypted data. Here, we will extend the previous results by considering an s.p.e.d. implementation of the DCT. In the following we will concentrate on images, however we point out that a similar approach can be applied to 1-dimensional signals as well, like digitized audio. We will assume that an image is encrypted pixelwise by means of a cryptosystem homomorphic with respect to the addition that is, there exists an operator https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq5_HTML.gif such that

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ1_HTML.gif
(1)

where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq6_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq7_HTML.gif denote the encryption and decryption operators. With such a cryptosystem it is indeed possible to add two encrypted values without first decrypting them and it is possible to multiply an encrypted value by a public integer value by repeatedly applying the operator https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq8_HTML.gif . Moreover, we will assume that the cryptosystem is probabilistic, that is, given two encrypted values it is not possible to decide whether they conceal the same value or not. This is fundamental, since the alphabet to which the input pixels belong usually has a limited size. As it will be detailed in the following section, a widely known example of a cryptosystem fulfilling both the above requirements is the Paillier cryptosystem [7], for which the operator https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq9_HTML.gif is a modular multiplication. Apart from [5, 6], previous examples of the use of homomorphic cryptosystems for performing encrypted computations can be found in buyer-seller protocols [3, 8], zero-knowledge watermark detection [9], and private scalar product computation [10].

Adopting such a cryptosystem, the DCT can be computed on the encrypted pixel values by relying on the homomorphic properties and the fact that the DCT coefficients are public. However, this requires several issues to be solved. The first one is that we must represent the pixel values, the DCT coefficients, and the transformed values in the domain of the cryptosystem, that is, as integers on a finite field/ring. Another problem is that encrypted values cannot be scaled or truncated by relying on homomorphic computations only. In general, for scaling the intermediate values of the computation we should allow two or more parties to interact [11, 12]. However, since we would keep the s.p.e.d. DCT as simple as possible, it is preferable to avoid the use of interactive protocols. A final problem is that encrypting each pixel separately increases the size of the encrypted image and affects the complexity.

1.1. Our Contributions

Solutions to the above issues will be provided in this paper, whose rest is organized as follows. In Section 2 a brief review of homomorphic cryptosystems, with particular attention to the Paillier scheme, is given. In order to properly represent the pixel values, the DCT coefficients and the transformed values in the encrypted domain, a convenient s.p.e.d. signal model is proposed in Section 3. Such a model allows us to define in Section 4 both an s.p.e.d. DCT and an s.p.e.d. fast DCT and to extend them to the 2D case. The proposed representation permits also to avoid the use of interactive protocols, by letting the magnitude of the intermediate results propagates to the end of the processing chain. A solution to the problem of encrypting each pixel separately is proposed in Section 5. A block-based s.p.e.d. DCT, relying on a suitable composite representation of the encrypted pixels, permits the parallel application of the s.p.e.d. DCT algorithm to different image blocks, thus lowering both the bandwidth usage and the computational burden. In Section 6 we consider the application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images, computing the upper bound on the number of bits required in order to correctly represent the DCT outputs, and, for the s.p.e.d. 2D-BDCT, the number of pixels that can be safely packed into a single word. Section 7 describes a case study where the feasibility of the s.p.e.d. DCT in a practical scenario is analyzed. Finally, conclusions are drawn in Section 8.

2. Probabilistic Homomorphic Encryption

As already defined in the previous section, a homomorphic cryptosystem allows to carry out some basic algebraic operations on encrypted data by translating them into corresponding operations in the plaintext domain. The concept of privacy homomorphism was first introduced by Rivest et al. [13] that defined privacy homomorphisms as encryption functions which permit encrypted data to be operated on without preliminary decryption of the operands.

According to the correspondence between the operation in the ciphertext domain and the operation in the plaintext domain, a cryptosystem can be additively homomorphic or multiplicatively homomorphic. In this paper we are interested in the former. Additively homomorphic cryptosystems allow, in fact, to perform additions, subtractions and multiplications with a known (nonencrypted) factor in the encrypted domain. More extensive processing would be allowed by the availability of an algebraically homomorphic encryption scheme, that is, a scheme that is additive and multiplicative homomorphic. Very recently, a fully homomorphic scheme has been proposed in [14], but its complexity seems too high for practical applications.

Another crucial concept for the s.p.e.d. framework is probabilistic encryption. As a matter of fact, many of the most popular cryptosystems are deterministic, that is, given an encryption key and a plaintext, the ciphertext is univocally determined. The main drawback of these schemes for s.p.e.d. applications is that it is easy for an attacker to detect if the same plaintext message is encrypted twice. Indeed, since usually signal samples assume only a limited range of values, an attacker will be easily able to decrypt the ciphertexts, or at least to derive meaningful information about them. In [15] the concept of probabilistic or semantically secure cryptosystem has been proposed. In such schemes, the encryption function https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq10_HTML.gif is a function of both the secret message https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq11_HTML.gif and a random parameter https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq12_HTML.gif that is changed at any new encryption. Specifically, two subsequent encryptions of the same message https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq13_HTML.gif result in two different encrypted messages https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq14_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq15_HTML.gif . Of course, the scheme has to be designed in such a way that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq16_HTML.gif , that is, the decryption phase is deterministic and does not depend on the random parameter https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq17_HTML.gif . Luckily, encryption schemes that satisfy both the homomorphic and probabilistic properties detailed above do exist. One of the most known examples is the scheme presented by Paillier in [7], and later modified by Damgård and Jurik in [16]. It should be pointed out that homomorphic cryptosystems are usually more computationally demanding than symmetric ciphers, like AES, and require longer keys to achieve a comparable level of security. Furthermore, probabilistic cryptosystems cause an intrinsic data expansion due to the adoption of randomizing parameters in the encryption function.

2.1. Paillier Cryptosystem

The Paillier cryptosystem [7] is based on the problem to decide whether a number is an https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq18_HTML.gif th residue modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq19_HTML.gif . This problem is believed to be computationally hard in the cryptographic community, and is linked to the hardness to factorize https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq20_HTML.gif , if https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq21_HTML.gif is the product of two large primes.

Let us now explain what an https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq22_HTML.gif -th residue is and how it can be used to encrypt data. Given the product of two large primes https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq23_HTML.gif , the set https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq24_HTML.gif of the integer numbers modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq25_HTML.gif , and the set https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq26_HTML.gif representing the integer numbers belonging to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq27_HTML.gif that are relatively prime with https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq28_HTML.gif , https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq29_HTML.gif is said to be a https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq30_HTML.gif -th residue modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq31_HTML.gif if there exists a number https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq32_HTML.gif such that
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ2_HTML.gif
(2)

For a complete analysis of the Paillier cryptosystem we refer to the original paper [7]. Here, we simply describe the set-up, encryption, and decryption procedures.

2.1.1. Set-Up

Select https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq33_HTML.gif big primes.The private key is the least common multiple of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq34_HTML.gif , denoted as https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq35_HTML.gif . Let https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq36_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq37_HTML.gif in https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq38_HTML.gif an element of order https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq39_HTML.gif for some https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq40_HTML.gif . The order of an integer https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq41_HTML.gif modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq42_HTML.gif is the smallest positive integer https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq43_HTML.gif such that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq44_HTML.gif . In such a case, https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq45_HTML.gif is usually a convenient choice. https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq46_HTML.gif is the public key.

2.1.2. Encryption

Let https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq47_HTML.gif be the plaintext, and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq48_HTML.gif a random value. The encryption https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq49_HTML.gif of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq50_HTML.gif is
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ3_HTML.gif
(3)

2.1.3. Decryption

Let https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq51_HTML.gif be the ciphertext. The plaintext https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq52_HTML.gif hidden in https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq53_HTML.gif is
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ4_HTML.gif
(4)

where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq54_HTML.gif . From the above equations, we can easily verify that the Paillier cryptosystem is additively homomorphic, since

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ5_HTML.gif
(5)

3. Signal Model for the Encrypted Domain

We will describe the proposed representation assuming the signals are 1D sequences. The extension to the 2D case is straightforward by using separable processing along rows and columns. Let us consider a signal https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq55_HTML.gif ,   https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq56_HTML.gif . In the following, we will assume that the signal has been properly scaled so that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq57_HTML.gif . In order to process https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq58_HTML.gif in the encrypted domain, its values have to be represented as integer numbers belonging to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq59_HTML.gif . This is accomplished by first defining an integer version of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq60_HTML.gif as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ6_HTML.gif
(6)

where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq61_HTML.gif is the rounding function, and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq62_HTML.gif is a suitable scaling factor and then encrypting the modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq63_HTML.gif representation of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq64_HTML.gif , that is, https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq65_HTML.gif (for the sake of brevity, we omit the random parameter https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq66_HTML.gif ).

As long as https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq67_HTML.gif does not exceed the size of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq68_HTML.gif —that is, the difference between the maximum and minimum values of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq69_HTML.gif is less than https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq70_HTML.gif —its value can be represented in https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq71_HTML.gif without loss of information. If we assume https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq72_HTML.gif , then the original value https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq73_HTML.gif can be approximated from https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq74_HTML.gif as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ7_HTML.gif
(7)
The above representation can be used to define an integer approximation of the DCT. Let us consider the scaled DCT of type II (DCT-II) of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq75_HTML.gif , defined as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ8_HTML.gif
(8)

The corresponding integer DCT of type II is defined as [6]

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ9_HTML.gif
(9)

where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq76_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq77_HTML.gif is a suitable scaling factor for the cosine values.

A similar approach leads to the definition of the integer inverse DCT (IDCT). The scaled IDCT, also referred to as scaled DCT of type III, is defined as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ10_HTML.gif
(10)
where
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ11_HTML.gif
(11)
The integer IDCT or integer DCT of type III can be defined as in (9) by using in place of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq78_HTML.gif the following integer coefficients:
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ12_HTML.gif
(12)

4. s.p.e.d. DCT

Since all computations are between integers and there is no scaling, the expression in (9) can be evaluated in the encrypted domain by relying on the homomorphic properties. For instance, if the inputs are encrypted with the Paillier cryptosystem, the s.p.e.d DCT is
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ13_HTML.gif
(13)

where all computations are done modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq79_HTML.gif [7].

The computation of the DCT using (9) requires two problems to be tackled with. The first one is that there will be a scaling factor between https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq80_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq81_HTML.gif . The second one is that, if the cryptosystem encrypts integers modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq82_HTML.gif , one must ensure that there is a one-to-one mapping between https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq83_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq84_HTML.gif . A solution is to find an upper bound on https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq85_HTML.gif such that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq86_HTML.gif and verify that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq87_HTML.gif . We will show that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq88_HTML.gif can be expressed in general as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ14_HTML.gif
(14)
where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq89_HTML.gif is a suitable scaling factor and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq90_HTML.gif models the quantization error. Based on the above equation, the desired DCT output can be estimated as https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq91_HTML.gif , and the upper bound is
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ15_HTML.gif
(15)

where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq92_HTML.gif is an upper bound on https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq93_HTML.gif . The value of both https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq94_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq95_HTML.gif will depend on the particular implementation of the DCT. In the following, we will add to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq96_HTML.gif , https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq97_HTML.gif , and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq98_HTML.gif the additional subscripts https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq99_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq100_HTML.gif to denote direct and fast DCT, respectively whereas the superscript https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq101_HTML.gif will denote the 2-dimensional versions.

4.1. Direct Computation

Let us express https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq102_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq103_HTML.gif . If the DCT is directly computed by applying (9), then we have
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ16_HTML.gif
(16)
where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq104_HTML.gif . The scaling factor is https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq105_HTML.gif . As to the quantization error, we obtain the following upper bound:
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ17_HTML.gif
(17)

from which https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq106_HTML.gif .

4.2. Fast DCT

In order to obtain an s.p.e.d. version of the fast DCT, we will refer to the recursive matrix representation in [17]. Given https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq107_HTML.gif , we have

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ18_HTML.gif
(18)

where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq108_HTML.gif ,

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ19_HTML.gif
(19)

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq109_HTML.gif is obtained by the https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq110_HTML.gif identity matrix by reversing the column order, and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq111_HTML.gif is a permutation matrix given as

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ20_HTML.gif
(20)
Since the only noninteger matrix in (18) is https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq112_HTML.gif , the corresponding s.p.e.d. structure can be recursively defined as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ21_HTML.gif
(21)

where we define https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq113_HTML.gif .

The s.p.e.d. fast DCT can be implemented according to the block diagram in Figure 1. If we define https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq114_HTML.gif ,   https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq115_HTML.gif , and we denote as https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq116_HTML.gif ,   https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq117_HTML.gif , the results of the intermediate computations in one recursion of the s.p.e.d. fast DCT structure, the different blocks can be defined as follows. The butterfly block performs the following s.p.e.d. computations
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ22_HTML.gif
(22)
whereas the scale block can be defined as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Fig1_HTML.jpg
Figure 1

Block diagram of s. p.e.d. fast DCT.

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ23_HTML.gif
(23)
where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq118_HTML.gif is the https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq119_HTML.gif th element on the diagonal of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq120_HTML.gif . The output of the scale block is split in two halves, which are recursively processed by two half size fast DCT. The lower half is further processed by the add block, which can be defined as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ24_HTML.gif
(24)
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ25_HTML.gif
(25)

Lastly, the two halves are combined and permuted according to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq121_HTML.gif in order to yield the DCT outputs in the right order.

As to the upper bound analysis, let us consider the https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq122_HTML.gif th stage of the recursion and express the quantized matrices as https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq123_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq124_HTML.gif , where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq125_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq126_HTML.gif denote the quantization errors on the corresponding matrix entries. We can rewrite (21) as

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ26_HTML.gif
(26)
From the previous equation, we have both a recursive relation on the scaling factor and a recursive relation on the quantization error. Let us consider the vector of quantized inputs https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq127_HTML.gif . With a notation similar to the scalar case, we can express https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq128_HTML.gif , where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq129_HTML.gif is vector containing the input values and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq130_HTML.gif is a vector of quantization errors. Hence, the s.p.e.d. fast DCT is given by
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ27_HTML.gif
(27)
As to the scaling factor, we have https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq131_HTML.gif . Since https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq132_HTML.gif , it is easy to derive the final scaling factor as https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq133_HTML.gif . As to the quantization error, we have https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq134_HTML.gif , where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq135_HTML.gif denotes the maximum absolute row sum norm of a matrix. Based on (26), we can give an equivalent recursive relation on https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq136_HTML.gif as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ28_HTML.gif
(28)
where we used https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq137_HTML.gif ,   https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq138_HTML.gif ,   https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq139_HTML.gif , and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq140_HTML.gif . At the start of the recursion we have https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq141_HTML.gif , since https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq142_HTML.gif and there is no quantization error. Hence, an upper bound on https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq143_HTML.gif can be derived as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ29_HTML.gif
(29)

from which we derive the upper bound on the quantization error as

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ30_HTML.gif
(30)

Finally, the upper bound on https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq144_HTML.gif is https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq145_HTML.gif .

The above analysis can be extended also to the fast IDCT. It suffices to consider https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq146_HTML.gif and, thanks to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq147_HTML.gif ,

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ31_HTML.gif
(31)

It is easy to show that the model in (27) can be applied also to the integer IDCT, so that the upper bound in (30) holds for the IDCT as well.

4.3. Extension to 2D-DCT

In the case of separable processing of the rows and the columns of an image, the expressions derived in the preceding section can be extended to the 2D case in an easy way. Let us assume that the 2D-DCT processes first the rows and then the columns. After the processing of the rows, the input to the next DCT will be expressed as in (14). Hence, the scaling factor can be obtained by substituting https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq148_HTML.gif with https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq149_HTML.gif ; whereas the upper bound on the quantization error can be derived by noting that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq150_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq151_HTML.gif .

In the case of the direct DCT implementation, this leads to
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ32_HTML.gif
(32)
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ33_HTML.gif
(33)
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ34_HTML.gif
(34)
whereas in the case of the fast DCT we obtain
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ35_HTML.gif
(35)
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ36_HTML.gif
(36)
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ37_HTML.gif
(37)

In the case of nonseparable processing, the upper bound on the output of the s.p.e.d. DCT can be derived in the same way as in the one-dimensional case. For instance, a direct nonseparable 2D-DCT will lead to the same upper bound as in (17). Even if this will reduce the upper bound with respect to the separable case, a nonseparable implementation will have a greater complexity. In the following, only the separable case will be considered.

4.4. Security

Concerning the security of the s.p.e.d. DCT, if we work with a semantically secure cryptosystem, the security is automatically achieved that is, the output of the s.p.e.d. DCT does not reveal anything about the DCT inputs. Under the assumption that deciding https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq152_HTML.gif -residuosity classes in https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq153_HTML.gif is hard, that is, given https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq154_HTML.gif it is not possible to decide in polynomial time whether https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq155_HTML.gif is an https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq156_HTML.gif -residue or not, the Paillier cryptosystem can be proved to be semantically secure [7]. If the assumption is relaxed to the hardness of computing https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq157_HTML.gif -residuosity classes, the security of the plaintext bits of a Paillier encryption, and hence of the proposed scheme, depends on the knowledge of the size of the plaintext. The interested reader can find a discussion on such topics in [18].

5. s.p.e.d. Block-Based DCT

Several image processing algorithms, instead of applying the DCT to the whole image, subdivide it into equal sized (usually square) blocks and compute the DCT of each block. The size of such blocks is usually quite small: typically https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq158_HTML.gif blocks or https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq159_HTML.gif blocks are used in most of the applications.

From the s.p.e.d. perspective, this suggests two things. Firstly, even if rescaling is not applied, in the case of a block based s.p.e.d. DCT the maximum value of the DCT outputs will not be very high. However, the size of the encrypted word, that is, https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq160_HTML.gif , is fixed by the security requirements. Minimum security requirements for the Paillier cryptosystem impose the use of at least 1024 bits for https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq161_HTML.gif . This means that, irrespective of the size of the plaintext pixels, each encrypted pixel will be represented as an encrypted word of at least 1024 bits. The result is that the outputs of the block-based s.p.e.d. DCT will be far from exploiting the full bandwidth of the modulus https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq162_HTML.gif . Secondly, each block undergoes exactly the same processing. Hence, this could permit a parallel processing of several blocks by simply packing the pixels having the same position within the blocks in a single word.

In order to exploit the above ideas, we propose an s.p.e.d. block DCT (BDCT) based on a composite representation of the input pixels [19]. For the sake of simplicity, we can assume the image as a one-dimensional signal, since the extension to the 2D case is straightforward using separable processing. Moreover, let us assume that the input pixel values have been quantized as in Section 3, that is, they satisfy the relation https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq163_HTML.gif .

We define the composite representation of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq164_HTML.gif of order https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq165_HTML.gif and base https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq166_HTML.gif as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ38_HTML.gif
(38)

where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq167_HTML.gif ,   https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq168_HTML.gif , indicate https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq169_HTML.gif disjoint subsequences of the image pixels https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq170_HTML.gif .

The https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq171_HTML.gif th element of the composite signal https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq172_HTML.gif represents a word where we can pack https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq173_HTML.gif samples of the original signal, chosen by partitioning the original signal samples https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq174_HTML.gif into https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq175_HTML.gif sets of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq176_HTML.gif samples each. In the following, we will consider the so-called https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq177_HTML.gif -polyphase composite representation ( https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq178_HTML.gif -PCR), where the partitioning of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq179_HTML.gif is given by https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq180_HTML.gif . As shown in Figure 2, in this representation each composite word contains https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq181_HTML.gif samples which are spaced https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq182_HTML.gif samples apart in the original sequence, that is, belonging to one of the https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq183_HTML.gif th order polyphase components of signal https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq184_HTML.gif .
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Fig2_HTML.jpg
Figure 2

Graphical representation of an https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq185_HTML.gif -polyphase composite representation having order https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq186_HTML.gif . The values inside the small boxes indicate the indexes of the samples of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq187_HTML.gif . Identically shaded boxes indicate values belonging to the same composite word.

For the composite representation, the following theorem is valid.

Theorem 1.

Let us assume that
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ39_HTML.gif
(39)
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ40_HTML.gif
(40)
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ41_HTML.gif
(41)
where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq188_HTML.gif is a positive integer, and let https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq189_HTML.gif be defined as in (38). Then, the following holds:
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ42_HTML.gif
(42)
where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq190_HTML.gif Moreover, the original pixels can be obtained from the composite representation as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ43_HTML.gif
(43)

Proof.

let us express
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ44_HTML.gif
(44)
Thanks to (39) and (40), we have https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq191_HTML.gif . Hence, https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq192_HTML.gif can be considered as a positive base- https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq193_HTML.gif integer whose digits are given by https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq194_HTML.gif . Moreover, since https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq195_HTML.gif has https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq196_HTML.gif digits, it is bounded by
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ45_HTML.gif
(45)
where the last inequality comes from (41). As to the second part of the theorem, for each https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq197_HTML.gif we have
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ46_HTML.gif
(46)
Thanks to the properties of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq198_HTML.gif , we have https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq199_HTML.gif . Hence
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ47_HTML.gif
(47)

from which (43) follows hence completing the proof.

When dealing with encrypted data, the first part of the previous theorem demonstrates that the composite representation can be safely encrypted by using a homomorphic cryptosystem defined on modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq200_HTML.gif arithmetic: as long as the hypotheses of the theorem hold, the composite data https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq201_HTML.gif takes no more than https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq202_HTML.gif distinct values, so the values of the composite signal can be represented modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq203_HTML.gif without loss of information. (i.e., it is possible to define a one-to-one mapping between https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq204_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq205_HTML.gif .)

We propose now an s.p.e.d. block DCT (BDCT) based on the composite representation of the input pixels. Let us consider https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq206_HTML.gif distinct blocks of an image, assumed as one-dimensional, having size https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq207_HTML.gif . Let us define the block bandwidth as https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq208_HTML.gif . Moreover, let us assume that the input pixel values https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq209_HTML.gif have been quantized.

The blockwise DCT can be defined as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ48_HTML.gif
(48)
Since the transform has a repeated structure, it is suitable for a parallel implementation. If the pixels having the same position within each block are packed in a single word according to the https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq210_HTML.gif -PCR representation into https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq211_HTML.gif , as in (38), we can define the equivalent parallel blockwise DCT as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ49_HTML.gif
(49)

Proposition 1.

If https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq212_HTML.gif , then https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq213_HTML.gif , https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq214_HTML.gif , can be exactly computed from the modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq215_HTML.gif representation of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq216_HTML.gif .

Proof.

let us consider the following equalities:
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ50_HTML.gif
(50)

Then, it suffices to note that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq217_HTML.gif and replace https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq218_HTML.gif with https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq219_HTML.gif in the proof of Theorem 1.

By exploiting the composite representation, we can process https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq220_HTML.gif blocks by using a single s.p.e.d. DCT. This means that the complexity of the s.p.e.d. BDCT is reduced by a factor https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq221_HTML.gif with respect to that of a pixelwise implementation, since the size of the encrypted values will be the same irrespective of the implementation. Moreover, the bandwidth usage is also reduced by the same factor, since we pack https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq222_HTML.gif pixels into a single ciphertext.

Finally, we would like to point out that the fast DCT algorithm can be used for the BDCT as well. The fast BDCT algorithm is simply obtained by computing the fast DCT of the composite signal https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq223_HTML.gif . In order to verify that the above algorithm is correct, it suffices to substitute https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq224_HTML.gif in (49) with the https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq225_HTML.gif element of the matrix https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq226_HTML.gif as defined in (21).

6. Numerical Examples

We will consider the application of the s.p.e.d. 2D-DCT and 2D-BDCT to square https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq227_HTML.gif 8-bit greyscale images. The quantization scaling factor can be assumed as https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq228_HTML.gif . As to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq229_HTML.gif , we will assume that the cosine values are quantized so as not to exceed the quantization error of the corresponding plaintext implementation. Three plaintext implementations are considered: (1) 16-bit fixed point (XP); (2) single precision floating point (FP1); (3) double precision floating point (FP2). In the first case, we can assume https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq230_HTML.gif . In the floating point case, since the smallest magnitude of a cosine value is equal to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq231_HTML.gif , we need https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq232_HTML.gif , where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq233_HTML.gif is the number of bits of the fractional part of the floating point representation. For the sake of simplicity, we will assume https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq234_HTML.gif , so that we can choose https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq235_HTML.gif (FP1) and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq236_HTML.gif (FP2).

Since the values of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq237_HTML.gif in (34)–(37) can be huge, in the case of the full frame DCT we will consider an upper bound on the number of bits required in order to correctly represent the DCT outputs. If we assume https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq238_HTML.gif , this can be expressed as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ51_HTML.gif
(51)
where https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq239_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq240_HTML.gif . Note that if https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq241_HTML.gif , it follows that https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq242_HTML.gif . In Table 1, we give some upper bounds considering different values of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq243_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq244_HTML.gif . Highlighted in bold are the cases which cannot be implemented relying on a 1024-bit modulus, which is a standard in several cryptographic applications. As can be seen, except for the case of FP2, a full frame s.p.e.d. DCT can be always implemented relying on a standard modulus.
Table 1

Upper bounds (in bits) on the output values of s.p.e.d. 2D-DCTs having different size. https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq245_HTML.gif is equivalent to a 16-bit fixed point implementation. https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq246_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq247_HTML.gif are equivalent to a single precision and a double precision floating point implementations, respectively. A square https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq248_HTML.gif 2D-DCT has been considered.

 

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq249_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq250_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq251_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq252_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq253_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq254_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq255_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq256_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq257_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq258_HTML.gif

64

51

201

93

453

151

801

256

55

265

97

601

155

1065

1024

59

329

101

749

159

1329

4096

63

393

105

897

163

1593

As to the s.p.e.d. 2D-BDCT, we consider an estimate of the number of pixels that can be safely packed into a single word. A safe implementation requires https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq259_HTML.gif . Since we must have https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq260_HTML.gif , this leads
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ52_HTML.gif
(52)
In Table 2, we give some values of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq261_HTML.gif considering DCT sizes ranging from https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq262_HTML.gif to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq263_HTML.gif and different precisions. Specifically, https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq264_HTML.gif indicates the value of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq265_HTML.gif obtained with a direct implementation of the DCT, while https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq266_HTML.gif indicates the corresponding value for a fast implementation of DCT. The results demonstrate that the composite representation permits to significantly reduce both the bandwidth requirements and the complexity, especially for the fixed point case.
Table 2

Upper bounds on the number of blocks https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq267_HTML.gif that can be processed in parallel by an s.p.e.d. https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq268_HTML.gif 2D-BDCT. https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq269_HTML.gif indicates a direct or a fast implementation of the DCT. https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq270_HTML.gif is equivalent to a 16-bit fixed point implementation. https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq271_HTML.gif and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq272_HTML.gif are equivalent to a single precision and a double precision floating point implementations, respectively. We have assumed https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq273_HTML.gif .

 

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq274_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq275_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq276_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq277_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq278_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq279_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq280_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq281_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq282_HTML.gif

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq283_HTML.gif

4

24

12

12

6

7

3

8

23

8

11

4

7

2

16

22

6

11

3

7

1

32

21

4

11

2

6

1

64

20

4

11

2

6

1

It is worth noting that a direct implementation allows to increase https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq284_HTML.gif up to seven times with respect to the fast BDCT. Since the BDCT usually works with small sized blocks, the complexity of the direct implementation will not be much higher than that of the fast implementation. To give some figures, let us consider the number of multiplications per sample required by the different implementations. The complexity of a direct https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq285_HTML.gif -point DCT is https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq286_HTML.gif multiplications: if we consider a separable implementation, an https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq287_HTML.gif DCT will require https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq288_HTML.gif https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq289_HTML.gif -point DCTs to compute https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq290_HTML.gif output samples. Since a BDCT can compute https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq291_HTML.gif DCTs in parallel, this results in a complexity of
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ53_HTML.gif
(53)
As to the fast https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq292_HTML.gif -point DCT, the complexity is https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq293_HTML.gif multiplications [20]. By using similar arguments, the complexity of a fast BDCT implementation can be then evaluated as
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ54_HTML.gif
(54)
In Figure 3, we compare the complexity of direct and fast BDCT for two different precisions. The complexity of the fast BDCT is always below that of the direct implementation. However, it is worth noting that for small BDCT sizes, for example, up to https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq294_HTML.gif , the complexity of the direct implementation is only slightly larger than that of the fast implementation. Hence, there can be cases in which it is preferable to employ a direct s.p.e.d. BDCT, since this will reduce the bandwidth usage at the price of a very small increase of complexity.
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Fig3_HTML.jpg
Figure 3

Complexity of direct BDCT versus fast BDCT. 8-bit input values ( https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq295_HTML.gif ) have been assumed. We have assumed https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq296_HTML.gif . (a) https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq297_HTML.gif ; (b) https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq298_HTML.gif .

7. Implementation Case Study

The feasibility of the s.p.e.d. DCT in a practical scenario is verified by considering its use in a buyer-seller watermarking protocol. Namely, we consider the secure embedding of a watermark as described in [8, 21]. In this scenario, a seller receives the bits of the watermark encrypted with the public key of a buyer—the output of a previous protocol between him and the buyer—and embeds them into a set of features extracted from the digital content he owns. The output of this procedure is a set of watermarked and encrypted features that are sent to the buyer. In the following, such a protocol will be referred to as secure watermark embedding (SWE).

In our case study, we assume that the content is an image and that the features are obtained by applying a block 2D-DCT to the pixel values. We also assume that the seller wants to perform the inverse DCT (IDCT) of the watermarked features in the encrypted domain, before sending them to the buyer. This can be justified by his wish to keep the actual transform secret, so as to expose as little details as possible regarding the watermarking algorithm. Another reason for using the s.p.e.d. IDCT is the possibility of applying some postprocessing to the watermarked image before distributing it. Common postprocessing steps are the use of a perceptual mask [22] or the insertion of a synchronization pattern [23].

The scheme we consider is summarized in Figure 4. The image is divided into square blocks of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq299_HTML.gif pixels and an https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq300_HTML.gif (I)DCT is applied to each block. We will assume that the plaintext DCT and SWE building blocks are already available and we will concentrate on the implementation of the s.p.e.d. IDCT block. Two different implementations are considered: a separable direct IDCT as described in Section 4.1; a separable fast IDCT as described in Section 4.2. As to the data representation, both a pixelwise/coefficientwise representation and a composite representation as described in Section 5 are considered. The combination of the former choices results in four alternative s.p.e.d. implementations: pixelwise direct IDCT (IDCT), pixelwise fast IDCT (F-IDCT), composite (block) direct IDCT (B-IDCT), and composite (block) fast IDCT (BF-IDCT).
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Fig4_HTML.jpg
Figure 4

Secure watermark embedding scenario.

The aforementioned versions have been implemented in C++ using the GNU Multi-Precision (GMP) library [24] and the NTL library [25], which provide software optimized routines for the processing of integers having arbitrary length. All versions have been run on an Intel(R) Core(TM)2 Quad CPU at 2.40 GHz, used as a single processor. In order to verify the feasibility of the s.p.e.d. approach, we measured the execution times of the four versions using three different image sizes: https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq301_HTML.gif , https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq302_HTML.gif , and https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq303_HTML.gif . In all tests, the marked features are represented as 8-bit integers ( https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq304_HTML.gif ) and the cosine values are quantized as 16-bit integers ( https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq305_HTML.gif ). The image features are encrypted with the Paillier's cryptosystem, using a modulo https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq306_HTML.gif of 1024 bits.

The correctness of the s.p.e.d. DCT implementation has been verified by comparing its output with the output of an analogous plaintext DCT implementation, as well as by verifying the amount of error introduced after the application of a standard plaintext DCT followed by an encrypted domain IDCT. With the used precision, the normalized MSE after the DCT-IDCT chain was on the order of https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq307_HTML.gif . As to block DCT, its correctness has been verified by checking that the output of B-(I)DCT, after decryption and unpacking, was identical to the output of the corresponding (I)DCT.

The execution times are reported in Table 3. From the comparison between the pixelwise representation and the composite representation, it is evident that the latter permits to sensibly reduce the computational complexity of an s.p.e.d. DCT. Interestingly, the B-IDCT proves slightly more efficient than the BF-IDCT, confirming that the direct DCT implementation may be preferable when combined with the composite representation. In the considered scenario, we assume that the inputs to the s.p.e.d. DCT are encrypted samplewise. Hence, both B-IDCT and BF-IDCT require the conversion from an encrypted samplewise representation to an encrypted composite representation. Such a conversion can be done thanks to the homomorphic properties of the cryptosystem:
https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_Equ55_HTML.gif
(55)
From Table 3, we can notice that the time required by this conversion is greater than the time required to perform an s.p.e.d. DCT. Since the overall computational complexity of B-IDCT and BF-IDCT is given as the sum of both times, this reduces the performance gain achievable by the composite representation. Namely, B-IDCT is about three times faster than F-IDCT; whereas BF-IDCT is only slightly faster than F-IDCT.
Table 3

Execution times (in seconds) of the different implementations. The row labeled as "packing" refers to the conversion from encrypted samplewise representation to encrypted composite representation. The row labeled as "DCT" refers to the actual DCT computation.

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq308_HTML.gif

IDCT

F-IDCT

B-IDCT

BF-IDCT

packing

20.6

51.2

DCT

164.2

79.8

7.2

10

total

164.2

79.8

27.8

61.2

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq309_HTML.gif

IDCT

F-IDCT

B-IDCT

BF-IDCT

packing

83.8

208.2

DCT

663.2

319.7

29

40

total

663.2

319.7

112.8

248.2

https://static-content.springer.com/image/art%3A10.1155%2F2009%2F716357/MediaObjects/13635_2009_Article_64_IEq310_HTML.gif

IDCT

F-IDCT

B-IDCT

BF-IDCT

packing

334.4

850

DCT

2647.7

1277.1

115.2

159.6

total

2647.7

1277.1

449.6

1009.6

8. Concluding Remarks

We have considered the implementation of the DCT on an encrypted image by relying on the homomorphic properties of the underlying cryptosystem. It has been shown how the maximum allowable DCT size depends on the modulus of the cryptosystem, on the chosen DCT implementation, and on the required precision. We have also proposed an s.p.e.d. block DCT which is based on the packing of several pixels into a single encrypted word, thus permitting the parallel application of the s.p.e.d. DCT algorithm to different image blocks.

To evaluate the proposed solutions, we have considered the application of the s.p.e.d. 2D-DCT and 2D-BDCT to 8-bit greyscale images, computing the upper bound on the number of bits required in order to correctly represent the DCT outputs, and, for the s.p.e.d. 2D-BDCT, the number of pixels that can be safely packed into a single word. The results demonstrate that there can be cases in which it is preferable to employ a direct s.p.e.d. BDCT, since this will reduce the bandwidth usage at the price of a very small increase of complexity.

The feasibility of the application of the s.p.e.d. DCT in a practical buyer-seller watermarking protocol has been also verified, providing promising results. Future research will be devoted to the design and implementation of the complete buyer-seller watermarking protocol.

Declarations

Acknowledgments

The work described in this paper has been partially supported by the European Commission through the IST Programme under Contract no 034238-SPEED and by the Italian Research Project (PRIN 2007): "Privacy aware processing of encrypted signals for treating sensitive information." The information in this document reflects only the author's views, is provided as is, and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.

Authors’ Affiliations

(1)
Department of Electronics and Telecommunications, University of Florence
(2)
Department of Information Engineering, University of Siena

References

  1. Piva A, Katzenbeisser S: Signal processing in the encrypted domain. EURASIP Journal on Information Security 2007, 2007:-1.Google Scholar
  2. Erkin Z, Piva A, Katzenbeisser S, et al.: Protection and retrieval of encrypted multimedia content: when cryptography meets signal processing. EURASIP Journal on Information Security 2007, 2007:-20.Google Scholar
  3. Memon N, Wong PW: A buyer-seller watermarking protocol. IEEE Transactions on Image Processing 2001, 10(4):643-649. 10.1109/83.913598View ArticleMATHGoogle Scholar
  4. Shashank J, Kowshik P, Srinathan K, Jawahar CV: Private content based image retrieval. Proceedings of the 26th IEEE Conference on Computer Vision and Pattern Recognition (CVPR '08), June 2008 1-8.Google Scholar
  5. Bianchi T, Piva A, Barni M: Implementing the discrete Fourier transform in the encrypted domain. Proceedings of IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP '08), March-April 2008, Las Vegas, Nev, USA 1757-1760.Google Scholar
  6. Bianchi T, Piva A, Barni M: On the implementation of the discrete Fourier transform in the encrypted domain. IEEE Transactions on Information Forensics and Security 2009, 4(1):86-97.View ArticleGoogle Scholar
  7. Paillier P: Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology, Lecture Notes in Computer Science. Volume 1592. Springer, New York, NY, USA; 1999:223-238. 10.1007/3-540-48910-X_16Google Scholar
  8. Kuribayashi M, Tanaka H: Fingerprinting protocol for images based on additive homomorphic property. IEEE Transactions on Image Processing 2005, 14(12):2129-2139.View ArticleGoogle Scholar
  9. Adelsbach A, Katzenbeisser S, Sadeghi A-R: Watermark detection with zero-knowledge disclosure. Multimedia Systems 2003, 9(3):266-278. 10.1007/s00530-003-0098-zView ArticleGoogle Scholar
  10. Goethals B, Laur S, Lipmaa H, Mielikäinen T: On private scalar product computation for privacy-preserving data mining. Proceedings of the 7th International Conference on Information Security and Cryptology (ICISC '04), 2004, Lecture Notes in Computer Science 3506: 104-120.MathSciNetGoogle Scholar
  11. Yao AC: Protocols for secure computations. Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, November 1982, Chicago, Ill, USA 160-164.Google Scholar
  12. Cramer R, Damgård I, Nielsen JB: Multiparty computation from threshold homomorphic encryption. In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '01), 2001, London, UK, Lecture Notes in Computer Science. Volume 2045. Springer; 280-299.Google Scholar
  13. Rivest R, Adleman L, Dertouzos M: On data banks and privacy homomorphisms. In Foundations of Secure Computation. Edited by: DeMillo RA, Lipton RJ, Dobkin DP, Jones AK. Academic Press, New York, NY, USA; 1978:169-179.Google Scholar
  14. Gentry C: Fully homomorphic encryption using ideal lattices. Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC '09), 2009, Bethesda, Md, USA 169-178.View ArticleGoogle Scholar
  15. Goldwasser S, Micali S: Probabilistic encryption. Journal of Computer and System Sciences 1984, 28(2):270-299. 10.1016/0022-0000(84)90070-9MathSciNetView ArticleMATHGoogle Scholar
  16. Damgård I, Jurik M: A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography, 2001, Lecture Notes In Computer Science 1992: 119-136.View ArticleMATHGoogle Scholar
  17. Zeng Y, Cheng L, Bi G, Kot AC: Integer DCTs and fast algorithms. IEEE Transactions on Signal Processing 2001, 49(11):2774-2782. 10.1109/78.960425MathSciNetView ArticleGoogle Scholar
  18. Catalano D, Gennaro R, Howgrave-Graham N: The bit security of Paillier's encryption scheme and its applications. In Proceedings of the International Conference on the Theory and Application of Crypto Graphic Techniques (EUROCRYPT '01), May 2001, Innsbruck, Austria. Springer; 229-243.Google Scholar
  19. Bianchi T, Piva A, Barni M: Efficient pointwise and blockwise encrypted operations. Proceedings of the 10th ACM Workshop on Multimedia and Security, 2008, Oxford, UK 85-90.View ArticleGoogle Scholar
  20. Hou H: A fast recursive algorithm for computing the discrete cosine transform. IEEE Transactions on Acoustics, Speech, and Signal Processing 1987, 35(10):1455-1461. 10.1109/TASSP.1987.1165060View ArticleGoogle Scholar
  21. Prins JP, Erkin Z, Lagendijk RL: Anonymous fingerprinting with robust QIM watermarking techniques. EURASIP Journal on Information Security 2007, 2007:-13.Google Scholar
  22. Bartolini F, Barni M, Cappellini V, Piva A: Mask building for perceptually hiding frequency embedded watermarks. Proceedings of the 5th IEEE International Conference on Image Processing (ICIP '98), October 1998, Chicago, Ill, USA 1: 450-454.View ArticleGoogle Scholar
  23. Moulin P, Ivanovic A: The Fisher information game for optimal design of synchronization patterns in blind watermarking. Proceedings of the 8th IEEE International Conference on Image Processing (ICIP '01), October 2001, Thessaloniki, Greece 2: 550-553.Google Scholar
  24. GNU Multiple Precision Arithmetic Library http://gmplib.org/
  25. NTL: A library for doing number theory http://www.shoup.net/ntl/

Copyright

© Tiziano Bianchi et al. 2009

This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.