reviewarticle -...

Hindawi Publishing CorporationEURASIP Journal on Information SecurityVolume 2007, Article ID 78943, 20 pagesdoi:10.1155/2007/78943

Review ArticleProtection and Retrieval of Encrypted Multimedia Content:When Cryptography Meets Signal Processing

Zekeriya Erkin,1 Alessandro Piva,2 Stefan Katzenbeisser,3 R. L. Lagendijk,1 Jamshid Shokrollahi,4

Gregory Neven,5 and Mauro Barni6

1 Electrical Engineering, Mathematics, and Computer Science Faculty, Delft University of Technology,2628 CD, Delft, The Netherlands

2 Department of Electronics and Telecommunication, University of Florence, 50139 Florence, Italy3 Information and System Security Group, Philips Research Europe, 5656 AE, Eindhoven, The Netherlands4 Department of Electrical Engineering and Information Sciences, Ruhr-University Bochum, 44780 Bochum, Germany5 Department of Electrical Engineering, Katholieke Universiteit Leuven, 3001 Leuven, Belgium6 Department of Information Engineering, University of Siena, 53100 Siena, Italy

Correspondence should be addressed to Zekeriya Erkin, [email protected]

Received 3 October 2007; Revised 19 December 2007; Accepted 30 December 2007

Recommended by Fernando Perez-Gonzalez

The processing and encryption of multimedia content are generally considered sequential and independent operations. In certainmultimedia content processing scenarios, it is, however, desirable to carry out processing directly on encrypted signals. The fieldof secure signal processing poses significant challenges for both signal processing and cryptography research; only few ready-to-gofully integrated solutions are available. This study first concisely summarizes cryptographic primitives used in existing solutionsto processing of encrypted signals, and discusses implications of the security requirements on these solutions. The study thencontinues to describe two domains in which secure signal processing has been taken up as a challenge, namely, analysis and retrievalof multimedia content, as well as multimedia content protection. In each domain, state-of-the-art algorithms are described. Finally,the study discusses the challenges and open issues in the field of secure signal processing.

Copyright © 2007 Zekeriya Erkin et al. This is an open access article distributed under the Creative Commons Attribution License,which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION

In the past few years,the processing of encrypted signals hasemerged as a new and challenging research field. The combi-nation of cryptographic techniques and signal processing isnot new. So far, encryption was always considered as an add-on after signal manipulations had taken place (see Figure 1).For instance, when encrypting compressed multimedia sig-nals such as audio, images, and video, first the multime-dia signals were compressed using state-of-the-art compres-sion techniques, and next encryption of the compressed bitstream using a symmetric cryptosystem took place. Conse-quently, the bit stream must be decrypted before the multi-media signal can be decompressed. An example of this ap-proach is JPSEC, the extension of the JPEG2000 image com-pression standard. This standard adds selective encryptionto JPEG2000 bit streams in order to provide secure scalablestreaming and secure transcoding [1].

In several application scenarios, however, it is desirable tocarry out signal processing operations directly on encryptedsignals. Such an approach is called secure signal processing, en-crypted signal processing, or signal processing in the encrypteddomain. For instance, given an encrypted image, can we cal-culate the mean value of the encrypted image pixels? On theone hand, the relevance of carrying out such signal manipu-lations, that is, the algorithm, directly on encrypted signals isentirely dependent on the security requirements of the appli-cation scenario under consideration. On the other hand, theparticular implementation of the signal processing algorithmwill be determined strongly by the possibilities and impossi-bilities of the cryptosystem employed. Finally, it is very likelythat new requirements for cryptosystems will emerge fromsecure signal processing operations and applications. Hence,secure signal processing poses a joint challenge for both thesignal processing and the cryptographic community.

mailto:[email protected]

2 EURASIP Journal on Information Security

x(n) Process(compress) Encrypt Channel Decrypt

Process(decompress)

x(n)

Figure 1: Separate processing and encryption of signals.

The security requirements of signal processing in en-crypted domains depends strongly on the considered appli-cation. In this survey paper, we take an application-orientedview on secure signal processing and give an overview of pub-lished applications in which the secure processing of signalamplitudes plays an important role. In each application, weshow how signal processing algorithms and cryptosystemsare brought together. It is not the purpose of the paper todescribe either the signal processing algorithms or the cryp-tosystems in great detail, but rather focus on possibilities, im-possibilities, and open issues in combining the two. The pa-per includes many references to literature that contains moreelaborate signal processing algorithms and cryptosystem so-lutions for the given application scenario. It is also crucialto state that the scenarios in this survey can be implementedmore efficiently by using trusted third entities. However, it isnot always easy to find trusted entities with high computa-tional power, and even if one is found, it is not certain thatit can be applicable in these scenarios. Therefore, the trustedentities either do not exist or have little role in discussed sce-narios in this paper.

In this paper, we will survey applications that directly ma-nipulate encrypted signals. When scanning the literature onsecure signal processing, it becomes immediately clear thatthere are currently two categories under which the secure sig-nal processing applications and research can be roughly clas-sified, namely, content retrieval and content protection. Al-though the security objectives of these application categoriesdiffer quite strongly, similar signal processing considerationsand cryptographic approaches show up. The common cryp-tographic primitives are addressed in Section 2. This sectionalso discusses the need for clearly identifying the security re-quirements of the signal processing operations in a given sce-nario. As we will see, many of the approaches for secure sig-nal processing are based on homomorphic encryption, zero-knowledge proof protocols, commitment schemes, and mul-tiparty computation. We will also show that there is ampleroom for alternative approaches to secure signal processingtowards the end of Section 2. Section 3 surveys secure sig-nal processing approaches that can be classified as “contentretrieval,” among them secure clustering and recommenda-tion problems. Section 4 discusses problems of content pro-tection, such as secure watermark embedding and detection.Finally, Section 5 concludes this survey paper on secure pro-tection and retrieval of encrypted multimedia content.

2. ENCRYPTION MEETS SIGNAL PROCESSING

2.1. Introduction

The capability to manipulate signals in their encrypted formis largely thanks to two assumptions on the encryptionstrategies used in all applications discussed. In the first place,

encryption is carried out independently on individual signalsamples. As a consequence, individual signal samples can beidentified in the encrypted version of the signal, allowing forprocessing of encrypted signals on a sample-by-sample basis.If we represent a one-dimensional (e.g., audio) signal X thatconsists of M samples as

X = [x1, x2, x3, . . . , xM−1, xM]T

, (1)

where xi is the amplitude of the ith signal sample, then theencrypted version of X using key k is given as

Ek(X) = [Ek(x1),Ek(x2),Ek(x3), . . . ,Ek

(xM−1

),Ek(xM)]T

.(2)

Here the superscript “T” refers to vector transposition. Notethat no explicit measures are taken to hide the temporal orspatial structure of the signal, however, the use of sophisti-cated encryption schemes that are semantically secure (as theone in [2]) achieves this property automatically.

Secondly, only public key cryptosystems are used thathave particular homomorphic properties. The homomorphicproperty that these public key cryptographic system providewill be concisely discussed in Section 2.2.1. In simple terms,the homomorphic property allows for carrying out additionsor multiplications on signal amplitudes in the encrypted do-main. Public key systems are based on the intractability ofsome computationally complex problems, such as

(i) the discrete logarithm in finite field with a large(prime) number of elements (e.g., ElGamal cryptosys-tem [3]);

(ii) factoring large composite numbers (e.g., RSA cryp-tosystem [4]);

(iii) deciding if a number is an nth power in ZN for largeenough composite N (e.g., Paillier cryptosystem [2]).

It is important to realize that public key cryptographic sys-tems operate on very large algebraic structures. This meansthat signal amplitudes xi that were originally represented in8-to-16 bits will require at least 512 or 1024 bits per signalsample in their encrypted form Ek(xi). This data expansionis usually not emphasized in literature but this may be animportant hurdle for practical applicability of secure signalprocessing solutions. In some cases, however, several signalsamples can be packed into one encrypted value in order toreduce the size of the whole encrypted signal by a linear fac-tor [5].

A characteristic of signal amplitudes xi is that they areusually within a limited range of values, due to the 8-to-16bits amplitude representation format of sampled signals. Ifa deterministic encryption scheme would be used, each sig-nal amplitude would always give rise to the same encryptedvalue, making it easy for an adversary to infer information

Zekeriya Erkin et al. 3

Table 1: Some (probabilistic) encryption systems and their homomorphisms.

Encryption system f1(·, ·) f2(·, ·)Multiplicatively Homomorphic El-Gamal [3] Multiplication Multiplication

Additively Homomorphic El-Gamal [13] Addition Multiplication

Goldwasser-Micali [14] XOR Multiplication

Benaloh [15] Addition Multiplication

Naccache-Stern [16] Addition Multiplication

Okamoto-Uchiyama [17] Addition Multiplication

Paillier [2] Addition Multiplication

Damgard-Jurik [18] Addition Multiplication

about the signal. Consequently, probabilistic encryption hasto be used, where each encryption uses a randomization orblinding factor such that even if two signal samples xi and xjhave the same amplitude, their encrypted values Epk[xi] andEpk[xj] will be different. Here, pk refers to the public key usedupon encrypting the signal amplitudes. Public key cryptosys-tems are constructed such that the decryption uses only theprivate key sk, and that decryption does not need the valueof the randomization factor used in the encryption phase. Allencryption schemes that achieve the desired strong notion ofsemantic security are necessarily probabilistic.

Cryptosystems operate on (positive) integer values onfinite algebraic structures. Although sampled signal ampli-tudes are normally represented in 8-to-16 bits (integer) val-ues when they are stored, played, or displayed, intermediatesignal processing operations often involve noninteger signalamplitudes. Work-arounds for noninteger signal amplitudesmay involve scaling signal amplitudes with constant factors(say factors of 10 to 1000), but the unavoidable successiveoperations of rounding (quantization) and normalization bydivision pose significant challenges for being carried out onencrypted signal amplitudes.

In Section 2.2, we first discuss four important cryp-tographic primitives that are used in many secure signalprocessing applications, namely, homomorphic encryption,zero-knowledge proof protocols, commitment schemes, andsecure multiparty computation. In Section 2.3, we then con-sider the importance of scrutinizing the security require-ments of the signal processing application. It is meaninglessto speak about secure signal processing in a particular ap-plication if the security requirements are not specified. Thesecurity requirements as such will also determine the possi-bility or impossibility of applying the cryptographic prim-itives. As we will illustrate by examples—and also in moredetail in the following sections—some application scenariossimply cannot be made secure because of the inherent infor-mation leakage by the signal processing operation because ofthe limitations of the cryptographic primitives to be used,or because of constraints on the number of interactions be-tween parties involved. Finally, in Section 2.4, we briefly dis-cuss the combination of signal encryption and compressionusing an approach quite different from the ones discussed inSections 3 and 4, namely, by exploiting the concept of codingwith side information. We discuss this approach here to em-phasize that although many of the currently existing applica-

tion scenarios are built on the four cryptographic primitivesdiscussed in Section 2.2, there is ample room for entirely dif-ferent approaches to secure signal processing.

2.2. Cryptographic primitives

2.2.1. Homomorphic cryptosystems

Many signal processing operations are linear in nature. Lin-earity implies that multiplying and adding signal amplitudesare important operations. At the heart of many signal pro-cessing operations, such as linear filters and correlation eval-uations, is the calculation of the inner product between twosignals X and Y. If both signals (or segments of the signals)contain M samples, then the inner product is defined as

〈X, Y〉 = XTY = [x1, x2, . . . , xM] ·⎡⎢⎢⎢⎢⎣y1

y2...yM

⎤⎥⎥⎥⎥⎦ =M∑i=1

xi yi. (3)

This operation can be carried out directly on an encryptedsignal X and plain text signal Y if the encryption system usedhas the additive homomorphic property, as we will discussnext.

Formally, a “public key” encryption system Epk(·) and itsdecryption Dsk(·) are homomorphic if those two functionsare maps between the message group with an operation f1(·)and the encrypted group with an operation f2(·), such thatif x and y are taken from the message space of the encryptionscheme, we have

f1(x, y) = Dsk(f2(Epk(x),Epk(y)

)). (4)

For secure signal processing, multiplicative and additive ho-momorphisms are important. Table 1 gives an overview ofencryption systems with additive or multiplicative homo-morphism. Note that those homomorphic operations are ap-plied to a modular domain (i.e., either in a finite field or in aring ZN )—thus, both addition and multiplication are takenmodulo some fixed value. For signal processing applications,which usually require integer addition and multiplication, itis thus essential to choose the message space of the encryp-tion scheme large enough so that overflows due to modulararithmetic are avoided when operations on encrypted dataare performed.


Another important consideration is the representation ofthe individual signal samples. As encryption schemes usuallyoperate in finite modular domains (and all messages to beencrypted must be represented in this domain), a mapping isrequired which quantizes real-valued signal amplitudes andtranslates the signal samples of X into a vector of modularnumbers. In addition to the requirement that the computa-tions must not overflow, special care must be taken to repre-sent negative samples in a way which is compatible with thehomomorphic operation offered by the cryptosystem. Forthe latter problem, depending on the algebraic structure ofthe cipher, one may either encode the negative value −x bythe modular inverse x−1 in the underlying algebra of the mes-sage space or by avoiding negative numbers entirely by usinga constant additive shift.

In the context of the above inner product example, werequire an additively homomorphic scheme (see Table 1).Hence, f1 is the addition, and f2 is a multiplication:

x + y = Dsk(Epk(x) · Epk(y)

), (5)

or, equivalently,

Epk(x + y) = Epk(x) · Epk(y). (6)

Note that the latter equation also implies that

Epk(c · x) = (Epk(x))c

(7)

for every integer constant c. Thus, every additively homo-morphic cryptosystem also allows to multiply an encryptedvalue with a constant available or known as clear text.

The Paillier cryptosystem [2] provides the required ho-momorphism if both addition and multiplication are con-sidered as modular. The encryption of a message m under aPaillier cryptosystem is defined as

Epk(m) = gmrN mod N2, (8)

where N = pq, p and q are large prime number, g ∈ Z∗N2 isa generator whose order is a multiple of N , and r ∈ Z∗N is arandom number (blinding factor). We then easily see that

Epk(x)Epk(y) = (gxrNx )(g yrNy ) mod N2

= gx+y(rxry

)Nmod N2

= Epk(x + y).

(9)

Applying the additive homomorphic property of the Paillierencryption system, we can evaluate (3) under the assumptionthat X is an encrypted signal and Y is a plain text signal:

Epk〈X, Y〉 = Epk

( M∑i=1

xi yi

)=

M∏i=1

Epk(xi yi

) = M∏i=1

Epk(xi)yi .

(10)

Here, we implicitly assume that xi, yi are represented as inte-gers in the message space of the Paillier cryptosystem, that is,xi, yi ∈ ZN . However, (10) essentially shows that it is possi-ble to compute an inner product directly in case one of the

two vectors is encrypted. One takes the encrypted samplesEpk(xi), raises them to the power of yi, and multiplies all ob-tained values. Obviously, the resulting number itself is also inencrypted form. To carry out further useful signal processingoperations on the encrypted result, for instance, to compareit to a threshold, another cryptographic primitive is needed,namely, zero knowledge proof protocols, which is discussedin the next section.

In this paper, we focus mainly on public-key encryptionschemes, as almost all homomorphic encryption schemes be-long to this family. The notable exception is the one-time pad(and derived stream ciphers), where messages taken from afinite group are blinded by a sequence of uniformly randomgroup elements. Despite its computationally efficient encryp-tion and decryption processes, the application of a one-timepad usually raises serious problems with regard to key dis-tribution and management. Nevertheless, it may be used totemporarily blind intermediate values in larger communica-tion protocols. Finally, it should be noted that some recentwork in cryptography (like searchable encryption [6] andorder-preserving encryption [7]) may also yield alternativeways for the encryption of signal samples. However, these ap-proaches have not yet been studied in the context of mediaencryption.

To conclude this section, we observe that directly com-puting the inner product of two encrypted signals is not pos-sible since this would require a cryptographic system that hasboth multiplicative and additive (i.e., algebraic) homomor-phism. Recent proposals in that direction like [8, 9] were laterproven to be insecure [10, 11]. Therefore, no provably securecryptographic system with these properties is known to date.The construction of an algebraic privacy homomorphism re-mains an open problem. Readers can refer to [12] for moredetails on homomorphic cryptosystems.

2.2.2. Zero-knowledge proof protocols

Zero-knowledge protocols are used to prove a certain state-ment or condition to a verifier, without revealing any“knowledge” to the verifier except the fact that the assertionis valid [19]. As a simple example, consider the case wherethe prover Peggy claims to have a way of factorizing largenumbers. The verifier Victor will send her a large numberand Peggy will send back the factors. Successful factorizationof several large integers will decrease Victor’s doubt in thetruth of Peggy’s claim. At the same time Victor will learn “noknowledge of the actual factorization method.”

Although simple, the example shows an important prop-erty of zero-knowledge protocol proofs, namely, that they areinteractive in nature. The interaction should be such thatwith increasing number of “rounds,” the probability of anadversary to successfully prove an invalid claim decreasessignificantly. On the other hand, noninteractive protocols(based on the random oracle model) also do exist. A formaldefinition of interactive and noninteractive proof systems,such as zero-knowledge protocols, falls outside the scope ofthis paper, but can be found, for instance, in [19].

As an example for a commonly used zero-knowledgeproof, consider the proof of knowing the discrete logarithm


x of an element y to the base g in a finite field [20]. Hav-ing knowledge of discrete logarithm x is of interest in someapplications since if

y = gx mod p, (11)

then given p (a large prime number), g, and y (the calcu-lation of the logarithm x) are computationally infeasible. IfPeggy (the prover) claims she knows the answer (i.e., thevalue of x), she can convince Victor (the verifier) of thisknowledge without revealing the value of x by the follow-ing zero-knowledge protocol. Peggy picks a random numberr ∈ Zp and computes t = gr mod p. She then sends t to Vic-tor. He picks a random challenge c ∈ Zp and sends this toPeggy. She computes s = r − cx mod p and sends this to Vic-tor. He accepts Peggy’s knowledge of x if gs yc = t, since ifPeggy indeed used the correct logarithm x in calculating thevalue of s, we have

gs yc mod p = gr−cx(gx)c

mod p = gr = t mod p. (12)

In literature, many different zero-knowledge proofs exist.We mention a number of them that are frequently used insecure signal processing:

(i) proof that an encrypted number is nonnegative [21];(ii) proof that shows that an encrypted number lies in a

certain interval [22];(iii) proof that the prover knows the plaintext x corre-

sponds to the encryption E(x) [23];(iv) proofs that committed values (see Section 2.2.3) satisfy

certain algebraic relations [24].

In zero-knowledge protocols, it is sometimes necessary forthe prover to commit to a particular integer or bit value.Commitment schemes are discussed in the next section.

2.2.3. Commitment schemes

An integer or bit commitment scheme is a method that al-lows Alice to commit to a value while keeping it hidden fromBob, and while also preserving Alice’s ability to reveal thecommitted value later to Bob. A useful way to visualize acommitment scheme is to think of Alice as putting the valuein a locked box, and giving the box to Bob. The value in thebox is hidden from Bob, who cannot open the lock (withoutthe help of Alice), but since Bob has the box, the value in-side cannot be changed by Alice; hence, Alice is “committed”to this value. At a later stage, Alice can “open” the box andreveal its content to Bob.

Commitment schemes can be built in a variety of ways.As an example, we review a well-known commitment schemedue to Pedersen [25]. We fix two large primes p and q suchthat q | (p − 1) and a generator g of the subgroup of order qof Z∗p . Furthermore, we set h = ga mod p for some randomsecret a. The values p, q, g, and h are the public parametersof the commitment scheme. To commit to a value m, Alicechooses a random value r ∈ Zq and computes the commit-ment c = gmhr mod p. To open the commitment, Alice sendsm and r to Bob, who verifies that the commitment c receivedpreviously indeed satisfies c = gmhr mod p. The scheme is

hiding due to the random blinding factor r; furthermore, itis binding unless Alice is able to compute discrete logarithms.

For use in signal processing applications, commitmentschemes that are additively homomorphic are of specificimportance. As with homomorphic public key encryptionschemes, knowledge of two commitments allows one tocompute—without opening—a commitment of the sumof the two committed values. For example, the above-mentioned Pedersen commitment satisfies this property:given two commitments c1 = gm1hr1 mod p and c2 = gm2hr2

mod p of the numbers m1 and m2, a commitment c =gm1+m2hr1+r2 mod p of m1 +m2 can be computed by multiply-ing the commitments: c = c1c2 mod p. Note that the com-mitment c can be opened by providing the values m1 + m2

and r1 + r2. Again, the homomorphic property only supportsadditions. However, there are situations where it is not possi-ble to prove the relation by mere additive homomorphismas in proving that a committed value is the square of thevalue of another commitment. In such circumstances, zero-knowledge proofs can be used. In this case, the party whichpossesses the opening information of the commitments com-putes a commitment of the desired result, hands it to theother party, and proves in zero-knowledge that the commit-ment was actually computed in the correct manner. Amongothers, such zero-knowledge proofs exist for all polynomialrelations between committed values [24].

2.2.4. Secure multiparty computation

The goal of secure multiparty computation is to evaluate apublic function f (x(1), x(2), . . . , x(m)) based on the secret in-puts x(i), i = 1, 2, . . . ,m of m users, such that the users learnnothing except their own input and the final result. A sim-ple example, called Yao’s Millionaire’s Problem, is the com-parison of two (secret) numbers in order to determine ifx(1) > x(2). In this case, the parties involved will only learnif their number is the largest, but nothing more than that.

There is a large body of literature on secure multipartycomputation; for example, it is known [26] that any (com-putable) function can be evaluated securely in the multi-party setting by using a general circuit-based construction.However, the general constructions usually require a largenumber of interactive rounds and a huge communicationcomplexity. For practical applications in the field of dis-tributed voting, private bidding and auctions, and private in-formation retrieval, dedicated lightweight multiparty proto-cols have been developed. An example relevant to signal pro-cessing application is the multiparty computation known asBitrep which finds the encryption of each bit in the binaryrepresentation of a number whose encryption under an ad-ditive homomorphic cryptosystem is given [27]. We refer thereader to [28] for an extensive summary of secure multipartycomputations and to [29] for a brief introduction.

2.3. Importance of security requirements

Although the cryptographic primitives that we discussed inthe previous section are useful for building secure signal


processing solutions, it is important to realize that in eachapplication the security requirements have to be made ex-plicit right from the start. Without wishing to turn to formaldefinition, we choose to motivate the importance of what toexpect from secure signal processing with three simple yet il-lustrative two-party computation examples.

The first simple example is the encryption of a (say au-dio) signal X that contains M samples. Due to the sample-by-sample encryption strategy as shown in (2), the encryptedsignal Epk(X) will also contain M encrypted values. Hence,the size M of the plain text signal cannot be hidden by theapproaches followed in secure signal processing surveyed inthis paper.

In the second example, we consider the linear filtering ofthe signal X. In an (FIR) linear filter, the relation between theinput signal amplitudes X and output signal amplitudes Y isentirely determined by the impulse response (h0,h1, . . . ,hr)through the following convolution equation:

yi = h0xi + h1xi−1 + · · · + hrxi−r =r∑

k=0

hkxi−k. (13)

Let us assume that we wish to compute this convolution ina secure way. The first party, Alice, has the signal X and thesecond party, Bob, has the impulse response (h0,h1, . . . ,hr).Alice wishes to carry out the convolution (13) using Bob’slinear filter. However, both Bob and Alice wish to keep secrettheir data, that is, the impulse response and the input signal,respectively. Three different setups can now be envisioned.

(1) Alice encrypts the signal X under an additive homo-morphic cryptosystem and sends the encrypted signalto Bob. Bob then evaluates the convolution (13) on theencrypted signal as follows:

EpkA

(yi) = EpkA

( r∑k=0

hkxi−k

)

=r∏

k=0

EpkA

(hkxi−k

)

=r∏

k=0

EpkA

(xi−k

)hk .(14)

Notice that the additive homomorphic property isused in the above equation and that, indeed, individ-ually encrypted signal samples should be available toBob. Also notice that the above evaluation is only pos-sible if both X and (h0,h1, . . . ,hr) are integer-valued,which is actually quite unlikely in practice. After com-puting (14), Bob sends the result back to Alice whodecrypts the signal using her private key to obtain theresult Y. In this setup, Bob does not learn the outputsignal Y.

(2) Bob encrypts his impulse response (h0,h1, . . . ,hr) un-der a homomorphic cryptosystem and sends the resultto Alice. Alice then evaluates the convolution (13) us-ing the encrypted impulse response as follows:

EpkB

(yi) = EpkB

( r∑k=0

hkxi−k

)

=r∏

k=0

EpkB

(hkxi−k

)

=r∏

k=0

EpkB

(hk)xi−k .

(15)

Alice then sends the result to Bob, who decrypts to ob-tain the output signal Y. In this solution, Bob learnsthe output signal Y.

(3) Alice and Bob engage in a formal multiparty proto-col, where the function f (x1, x2, . . . , xM ,h0,h1, . . . ,hr)is the convolution equation, Alice holds the signal val-ues xi and Bob the impulse response hi as secret inputs.Both parties will learn the resulting output signal Y.

Unfortunately, none of the above three solutions really pro-vides a solution to the secure computation of a convolutiondue to inherent algorithm properties. For instance, in the firstsetup, Alice could send Bob a signal that consists of all-zerovalues and a single “one” value (a so-called “impulse sig-nal”). After decrypting the result EpkA(yi) that she obtainsfrom Bob, it is easy to see that Y is equal to (h0,h1, . . . ,hr),hence Bob’s impulse response is subsequently known to Al-ice. Similar attacks can be formulated for the other two cases.In fact, even for an arbitrary input, both parties can learn theother’s input by a well-known signal processing procedureknown as “deconvolution.” In conclusion, although in somecases there may be a need for the secure evaluation of convo-lutions, the inherent properties of the algorithm make securecomputing in a two-party scenario meaningless. (Neverthe-less, the protocols have value if used as building blocks in alarge application where the output signal Y is not revealed tothe attacker.)

The third and final example is to threshold a signal’s(weighted) mean value in a secure way. The (secure) meanvalue computation is equivalent to the (secure) computationof the inner product of (3), with X the input signal and Y theweights that define how the mean value is calculated. In themost simple case, we have yi = 1 for all i, but other defini-tions are quite common. Let us assume that Alice wishes Bobto determine if the signal’s mean value is “critical,” for in-stance, above a certain threshold value Tc, without revealingX to Bob. Bob, on the other hand, does not want to reveal hisexpert knowledge, namely, the weights Y and the thresholdTc. Two possible solutions to this secure decision problemare the following.

(i) Use secure multiparty computation, where the func-tion f (x1, x2, . . . , xM , y1, y2, . . . , yM ,Tc) is a combina-tion of the inner product and threshold comparison.Both parties will only learn if the mean value is criticalor not.

(ii) Alice sends Bob the signal X under additively homo-morphic encryption. Bob securely evaluates the in-ner product using (10). After encrypting Tc using Al-ice’s public key, Bob computes the (encrypted versionof the) difference between the computed mean and


Message sourceEncryption

Key

Compression

Eavesdropper

Public channel

Secure channel

Joint decompressionand decryption

Reconstructedsource

Figure 2: Compression of an encrypted signal from [30].

threshold Tc. Bob sends the result to Alice, who de-crypts the result using her secret key and checks if thevalue is larger or smaller than zero.

Although the operations performed are similar to the sec-ond example, in this example the processing is secure sinceBob learns little about Alice’s signal and Alice will learn lit-tle about the Bob’s expert knowledge. In fact, in the firstimplementation, the entire signal processing operation isultimately condensed into a single bit of information; thesecond implementation leaks more information, namely, thedistance between the correlation value from the threshold.In both cases, the result represents a high information ab-straction level, which is insufficient for launching successfulsignal processing-based attacks. In contrast, in the examplebased on (13), the signal processing operation led to an enor-mous amount of information—the entire output signal—tobe available to either parties, making signal processing-basedattacks quite easy.

As we will see in Sections 3 and 4, many of the two-partysecure signal processing problems eventually include an in-formation condensation step, such as (in the most extremecase) a binary decision. We postulate that for two-party lin-ear signal processing operations in which the amount of plaintext information after processing is in the same order of mag-nitude as before processing, no secure solutions exist purelybased on the cryptographic primitives discussed in the previ-ous section, due to inherent properties of the signal process-ing problems and the related application scenario. For thatreason, entirely other approaches to secure signal processingare also of interest. Although few results can be found in lit-erature on approaches not using homomorphic encryption,zero-knowledge proofs, and multiparty computation proto-cols, the approach discussed in the next section may wellshow a possible direction for future developments.

2.4. Compression of encrypted signals

When transmitting signals that contain redundancy over aninsecure and bandwidth-constrained channel, it is custom-ary to first compress and then encrypt the signal. Using theprinciples of coding with side information, it is, however, alsopossible to interchange the order of (lossless) compressionand encryption, that is, to compress encrypted signals [30].

The concept of swapping the order of compression and en-cryption is illustrated in Figure 2. A signal from the messagesource is first encrypted and then compressed. The compres-sor does not have access to the secret key used in the encryp-tion. At the decoder, decompression and decryption are per-formed jointly. From classical information theory, it wouldseem that only minimal gain could be obtained as the en-crypted signal has maximal entropy, that is, no redundancyis left after encryption. However, the decoder can use thecryptographic key to decode and decrypt the compressed andencrypted bit stream. This brings opportunities for efficientcompression of encrypted signals based on principle of cod-ing with side information. In [30], it was shown that neithercompression performance nor security need to be negativelyimpacted under some reasonable conditions.

In source coding with side information, the signal X iscoded under the assumption that the decoder—but not theencoder—has statistically dependent information Y, calledthe side information, available. In conventional coding sce-narios, the encoder would code the difference signal X−Y insome efficient way, but in source coding with side informa-tion, this is impossible since we assume that Y is only knownat the decoder. In the Slepian-Wolf coding theory [31], thecrucial observation is that the side information Y is regardedas a degraded version of X. The degradations are modeled as“noise” on the “virtual channel” between X and Y. The signalX can then be recovered from Y by the decoder if sufficienterror-correcting information is transmitted over the chan-nel. The required bit rate and amount of entropy are relatedas R ≥ H(X | Y). This shows that, at least theoretically, thereis no loss in compression efficiency since the lower boundH(X | Y) is identical to the scenario in which Y is availableat the encoder. Extension of the Slepian-Wolf theory existsfor lossy source coding [32]. In all practical cases of interests,the information bits that are transmitted over the channel areparity bits or syndromes of channel coding methods such asHamming, Turbo or LDPC codes.

In the scheme depicted in Figure 2, we have a similar sce-nario as in the above source coding with side informationcase. If we consider the encrypted signal Ek(X) at the input ofthe encoder, then we see that the decoder has the key k avail-able, representing the “statistically dependent side informa-tion.” Hence, according to the Slepian-Wolf viewpoint, theencrypted signal Ek(X) can be compressed to a rate that is


the same as if the key k would be available during the sourceencoding process, that is, R ≥ H(Ek(X) | k) = H(X). Thisclearly says that the (lossless) coding of the encrypted sig-nal Ek(X) should be possible with the same efficiency as the(lossless) coding of X. Hence, using the side information keyk, the decoder can recover first Ek(X) from the compressedchannel bit stream and subsequently decode Ek(X) into X.

A simple implementation of the above concept for a bi-nary signal X uses a pseudorandomly generated key. The keyk is in this case a binary signal K of the same dimension M asthe signal X. The encrypted signal is computed as follows:

Ek(X) = X⊕K,

Ek(xi) = xi ⊕ ki, i = 1, 2, . . . ,M.

(16)

The encrypted signal Ek(X) is now input to a channel cod-ing strategy, for instance, a Hamming coding. The strengthof the Hamming code is dependent on the dependency be-tween Ek(X) and the side information K at the decoder.This strength obviously depends solely on the properties ofthe original signal X. This does, however, require the mes-sage source to inform the source encoder about the entropyH(X), which represents a small leak of information. The en-coder calculates parity check bits over binary vectors of somelength L created by concatenating L bits of the encryptedsignal Ek(X), and sends only these parity check bits to thereceiver.

The decoder recovers the encrypted signal by first ap-pending to K the parity check bits, and then error correctingthe resulting bit pattern. The success of this error correctionstep depends on the strength of the Hamming code, but asmentioned, this strength has been chosen sufficiently withregards to the “errors” in K on the decoding side. Notice thatin this particular setup the “errors” represent the bits of theoriginal signal X. If the error correction step is successful,the decoder obtains Ek(X), from which the decryption canstraightforwardly take place:

X = Ek(X)⊕K,

xi = Ek(xi)⊕ ki, i = 1, 2, . . . ,M.

(17)

The above example is too simple for any practical sce-nario for a number of reasons. In the first place, it uses onlybinary data, for instance, bit planes. More efficient codingcan be obtained if the dependencies between bit planes areconsidered. This effectively requires an extension of the bitplane coding and encryption approach to coding and en-cryption of symbol values. Secondly, the decoder lacks amodel of the dependencies in X. Soft decoders for Turbo orLDPC codes can exploit such message source models, yield-ing improved performance. Finally, the coding strategy islossless. For most continuous or multilevel message sources,such as audio, images, and video, lossy compression is desir-able.

3. ANALYSIS AND RETRIEVAL OF CONTENT

In the today’s society, huge quantities of personal data aregathered from people and stored in databases for various

purposes ranging from medical researches to online person-alized applications. Sometimes, providers of these servicesmay want to combine their data for research purposes. Aclassical example is the one where two medical institutionswish to perform joint research on the union of their pa-tients data. Privacy issues are important in this scenario be-cause the institutions need to preserve their private data dur-ing their cooperation. Lindell and Pinkas [33] and Agrawal

and Srikant [34] proposed the notion of privacy preservingdata mining, meaning the possibility to perform data analysisfrom distributed database, under some privacy constraints.Privacy preserving data mining [35–38] deals with mutualuntrusted parties that on the one hand wish to cooperate toachieve a common goal but, on the other hand, are not will-ing to disclose their knowledge to each other.

There are several solutions that cope with exact matchingof data in a secure way. However, it is more common in signalprocessing to perform inexact matching, that is, learning thedistance between two signal values, rather than exact match-ing. Consider two signal values x1 and x2. Computing thedistance between them or checking if the distance is within athreshold is important:

∣∣x1 − x2∣∣ < ε. (18)

This comparison or fuzzy matching can be used in a vari-ety of ways in signal processing. One example is quantizingdata which is of crucial importance for multimedia compres-sion schemes. However, considering that these signal valuesare encrypted—thus the ordering between them is totally de-stroyed, there is not any efficient way known to fuzzy com-pare two values.

In the following sections, we give a summary of tech-niques that focus on extracting some information from pro-tected datasets. Selected studies mostly use homomorphicencryption, zero-knowledge proofs, and, sometimes, multi-party computations. As we will see, most solutions still re-quire substantial improvements in communication and com-putation efficiency in order to make them applicable in prac-tice. Therefore, the last section addresses a different approachthat uses other means of preserving privacy to show that fur-ther research on combining signal processing and cryptogra-phy may result in new approaches rather than using encryp-tion schemes and protocols.

3.1. Clustering

Clustering is a well-studied combinatorial problem in datamining [39]. It deals with finding a structure in a collectionof unlabeled data. One of the basic algorithms of cluster-ing is the K-means algorithm that partitions a dataset intoK clusters with a minimum error. We review the K-meansalgorithm and its necessary computations such as distancecomputation and finding the cluster centroid, and show thatcryptographic protocols can be used to provide user’s privacyin clustering for certain scenarios.


Y

X

Cluster centers

Objects

Figure 3: Clustered dataset. Each object is a point in the 2-dimensional space. K-means clustering algorithm assigns each ob-ject to the cluster with the smallest distance.

(1) select K random objects representing the Kinitial centroid of the clusters.

(2) assign each object to the cluster with thenearest centroid.

(3) recalculate the centroids for each cluster.(4) repeat step 2 and 3 until centroids do not

change or a certain threshold achieved.

Algorithm 1: The K-means clustering algorithm

3.1.1. K -means clustering algorithm

The K-means clustering algorithm partitions a dataset D of“objects” such as signal values or features thereof into K dis-joint subsets, called clusters. Each cluster is represented by itscenter which is the centroid of all objects in that subset.

As shown in Algorithm 1, the K-means algorithm is aniterative procedure that refines the cluster centroids until apredefined condition is reached. The algorithm first choosesK random points as the cluster centroids in the dataset Dand assigns the objects to the closest cluster centroid. Then,the cluster centroid is recomputed with recently assigned ob-jects. When the iterative procedure reaches the terminationcondition, each data object is assigned to the closest cluster(Figure 3). Thus to carry out the K-means algorithm, the fol-lowing quantities needs to be computed:

(i) the cluster centroid, or the mean of the data objects inthat cluster,

(ii) the distance between an object and the cluster cen-troid,

(iii) the termination condition which is a distance mea-surement compared to a threshold.

Attribute names

Data owned by Alice

Data owned by Bob

Figure 4: Shared dataset on which K-means algorithm is run.

In the following section, we describe a secure protocol thatcarries out secure K-means algorithm on protected data ob-jects.

3.1.2. Secure K -means clustering algorithm

Consider the scenario in which Alice and Bob want to applythe K-means algorithm on their joint datasets as shown inFigure 4, but at the same time they want to keep their owndataset private. Jagannathan and Wright proposed a solutionfor this scenario in [40].

In the proposed method, both Alice and Bob get the fi-nal output but the values computed in the intermediate stepsare unknown to the both parties. Therefore, the intermediatevalues such as cluster centroids are uniformly shared betweenAlice and Bob in such a way that for a value x, Alice gets arandom share a and Bob gets another random share b, where(a + b) modN = x and N is the size of the field in which alloperations take place. Alice and Bob keep their private sharesof the dataset secret.

The secure K-means clustering algorithm is separatedinto subprotocols where Alice and Bob computes the follow-ings (Algorithm 2).

(i) Distance measurement and finding the closest cluster: thedistance between each object and cluster centroid iscomputed by running a secure scalar product proto-col by Goethals et al. [41]. The closest cluster centroidis determined by running Yao’s circuit evaluation pro-tocol [42] with the shared data of Alice and Bob.

(ii) New cluster centroid: the new cluster centroid requiresto determine an average computation over shared val-ues of Alice and Bob. This function of the form (a +b)/(m+n) can be computed by applying Yao’s protocolwhere Alice knows a and m and Bob knows b and n.


Randomly select K objects from the dataset D as initialcluster centroidsRandomly share the cluster centroid between Aliceand Bobrepeat

for all object dk in dataset D doRun the secure closest cluster protocolAssign to dk to the closest cluster

end forAlice and Bob computes the random shares for the newcentroids of the clusters.

until cluster centroids are close to each other with an errorof ε.

Algorithm 2: Privacy preserving K-means clustering algorithm.

(iii) Termination condition: the termination condition ofthe algorithm is computed by running the Yao’s circuitevaluation protocol [42].

The squared distance between an object Xi = (xi,1, . . . , xi,M)and a cluster centroid μj is given by the following equation:

(dist

(Xi,μj

))2

= (xi,1 − μj,1)2

+(xi,2 − μj,2

)2+ · · · +

(xi,M − μj,M

)2.

(19)

Considering that the clusters centroids are shared betweenAlice and Bob, (19) can be written as(

dist(

Xi,μj))2

= (xi,1 − (μAj,1 + μBj,1))2

+ · · · +(xi,M −

(μAj,M + μBj,M

))2,

(20)

where μAj is Alice’s share and μBj is Bob’s share such that the

jth-cluster centroid is μj = μAj +μBj . Then, (20) can be writtenas

(dist

(Xi,μj

))2=M∑k=1

x2i,k+

M∑k=1

(μAj,k)2

+M∑k=1

(μBj,k)2

+2M∑k=1

μAj,kμBj,k

− 2M∑k=1

μAj,kxi,k − 2M∑k=1

xi,kμBj,k.

(21)

Equation (21) can be computed by Alice and Bob jointly. Asthe first term of the equation is shared between them, Al-ice computes the sum of components of her share while Bobcomputes the rest of the components. The second term andthird term can be computed by Alice and Bob individually,and the rest of the terms are computed by running a securescalar product protocol between Alice and Bob, much similarto the evaluation of (3) via the secure form of (10). Alice firstencrypts her data EpkA(μAj ) = (EpkA(μAj,1), . . . ,EpkA(μAj,M)) andsends it to Bob who computes the scalar product of this datawith his own by using the additive homomorphic property

of the encryption scheme as follows:

EpkA

(μAj)μBj = (EpkA

(μAj,1)μBj,1 , . . . ,EpkA

(μAj,M

)μBj,M). (22)

Then, multiplying the encrypted components gives the en-crypted scalar product of Alice’s and Bob’s data

EpkA

( M∑k=1

μAj,kμBj,k

)=

M∏k=1

EpkA

(μAj,k)μBj,k . (23)

The computed distances between the objects and the clustercentroids can later be the input to the Yao’s circuit evaluationprotocol [42] in which the closest cluster centroid is deter-mined. We refer readers to [41, 42] for further details on thispart.

Once the distances and the closest clusters to the objectsare determined, each object is labeled with the nearest clusterindex. At the end of each iteration, it is necessary to computethe new cluster centroids. Alice computes the sum of the cor-responding coordinates of all object s j and the number ofobjects nj within each of the K clusters for j, 1 ≤ j ≤ M.As shown in Figure 4, Alice has only some of the attributes ofthe objects, thus she treats these missing values as zero. Bobalso applies the same procedure and determines the sum ofcoordinates t j and the number of objects mj in the clusters.Given s j , t j ,nj , and mj , the jth component of the ith clusteris

μi, j =s j + t jnj + mj

. (24)

Since there are only four values, this equation can be com-puted efficiently by using Yao’s circuit evaluation protocol[42] with Alice’s shares s j and nj and Bob’s shares t j and mj .

In the last step of the K-means algorithm, the iterationis terminated if there is no further improvement between theprevious and current cluster centroids. In order to do that, adistance is computed between the previous and current clus-ter centroids. This is done in the same way as computing dis-tances between an object and a cluster centroid but in addi-tion, this distance is compared to a threshold value ε. Con-sidering that the cluster centroids are shared between Aliceand Bob, the result of the computation of the squared dis-tance of cluster centroids for the kth and (k + 1)th iterationsis again random shares for Alice and Bob:

(dist

(μA,k+1j + μB,k+1

j ,μA,kj + μB,k

j

))2 = αj + βj , (25)

where α and β are the shares of Alice and Bob. Alice andBob then apply Yao’s protocol on their K-length vectors(α1, . . . ,αK ) and (β1, . . . ,βK ) to check if αj + βj < ε for1 ≤ j ≤ K .

3.2. Recommender systems

Recommender services play an important role in applica-tions like e-commerce and direct recommendations for mul-timedia contents. These services attempt to predict items that


a user may be interested in by implementing a signal process-ing algorithm known as collaborative filtering on user prefer-ences to find similar users that share the same taste (likes ordislikes). Once similar users are found, this information canbe used in variety ways such as recommending restaurants,hotels, books, audio, and video.

Recommender systems store user data, also known aspreferences, in servers, and the collaborative filtering algo-rithms work on these stored preferences to generate recom-mendations. The amount of data collected from each userdirectly affects the accuracy of the predictions. There are twoconcerns in collecting information from the users in suchsystems. First, in an ordinary system they are in the order ofthousands items, so that it is not realistic for the users to rateall of them. Second, users would not like to reveal too muchprivacy sensitive information that can be used to track them.

The first problem, also known as the sparseness problemin datasets, is addressed for collaborative filtering algorithmsin [43–45]. The second problem on user privacy is of interestto this survey paper since users tend to not give more infor-mation about themselves for privacy concerns and yet theyexpect more accurate recommendations that fit their taste.This tradeoff between privacy and accuracy leads us to anentirely new perspective on recommender systems. Namely,how can privacy of the users be protected in recommendersystems without loosing too much accuracy?

We describe two solutions that address the problem ofpreserving privacy of users in recommender systems. In thefirst approach, user privacy is protected by means of encryp-tion and the recommendations are still generated by pro-cessing these encrypted preference values. In the second ap-proach, protecting the privacy of the users is possible withoutencryption but by means of perturbation of user preferencedata.

3.2.1. Recommendations by partial SVD onencrypted preferences

Canny [46] addresses the user privacy problem in recom-mender systems and proposes to encrypt user preferences.Assume that the recommender system applies a collaborativefiltering algorithm on a matrix P of users versus item ratings.Each row of this matrix represents the corresponding user’staste for the corresponding items. Canny proposes to use acollaborative filtering algorithm based on dimension reduc-tion of P. In this way, an approximation matrix of the orig-inal preference matrix is obtained in a lower dimension thatbest represents the user taste for the overall system. When anew user enters the system, the recommendations are gener-ated by simply reprojecting the user preference vector, whichhas many unrated items, over the approximation matrix. As aresult, a new vector will be obtained which contains approx-imated values for the unrated items [43, 46].

The ratings in recommender systems are usually integernumbers within a small range and items that are not rated areusually assigned to zero. To protect the privacy of the users,the user preferences vector X = [x1, x2, . . . , xM] is encryptedindividually as Epk(X). To reduce the dimension of the pref-

erence matrix P singular value decomposition (SVD) is anoption. The SVD allows P to be written as

P = UDVT , (26)

where the columns of U are the left singular vectors, D is adiagonal matrix containing the singular values, and VT hasrows that are the right singular vectors.

Once the SVD of the preference matrix P is computed,an approximation matrix in a lower-dimension subspace canbe computed easily. Computing the SVD on P that containsencrypted user preferences is, however, more complicated.

Computing the decomposition of the users’ preferencematrix requires sums of products of vectors. If the preferencevector of each user is encrypted, there is no efficient way ofcomputing sums of products of vectors since this would re-quire an algebraic homomorphic cryptosystem. Using securemultiparty computation protocols on this complex functionis costly considering the size of the circuit necessary for thecomplex operation.

Instead of straightforward computation of SVD, Canny[46] proposed to use an iterative approximation algorithmto obtain a partial decomposition of the user preference ma-trix. The conjugate gradient algorithm is an iterative pro-cedure consisting merely of additions of vectors which canbe done under homomorphically encrypted user preferencevectors. Each iteration in the protocol has two steps, that is,users compute (1) their contribution to the current gradientand (2) scalar quantities for the optimization of the gradi-ent. Both steps require only additions of vectors thus we onlyexplain the first step.

For the first step of the iterations, each user computes hiscontribution Gk to the current gradient G by the followingequation:

Gk = AXTk Xk

(I− ATA

), (27)

where matrix A is the approximation of the preference ma-trix P and it is initialized as a random matrix before the pro-tocol starts. Each user encrypts his own gradient vector Gk

with the public key of the user group by following the Peder-sen’s threshold scheme [47] that uses El Gamal cryptosystemwhich is modified to be additively homomorphic. All con-tributions from the users are then added up to form the en-crypted gradient Epk(G) by using the additive homomorphicproperty of the cryptosystem:

Epk(G) = Epk

( ∑k∈users

Gk

)=

∏k∈users

Epk(

Gk). (28)

This resulting vector Epk(G) is then jointly decrypted andused to update the approximated matrix A which is publiclyknown and used to compute the new gradient for the nextiteration.

Although the protocol is based on addition of vectors,zero-knowledge proof protocols play an important role. Thevalidity of the user inputs, that is, the encrypted preferencevector elements lie in a certain range, are verified by zero-knowledge proofs. Moreover, the partial encryption results


User1 User2 UserN

Collaborative filtering

Data disguising

Central database

Disguised dataOriginal data

Figure 5: Privacy preserving collaborative filtering with user pref-erence perturbation.

from the users are also proved valid by running a zero-knowledge proof protocol. Both group of zero-knowledgeproofs are checked by a subgroup of users of whose major-ity is necessary for the validation.

Canny [48] also applies this approach to a differentcollaborative filtering method, namely, expectation maxi-mization- (EM-) based factor analysis. Again this algorithminvolves simple iterative operations that can be implementedby vector additions. In both recommender system solutions,multiple iterations are necessary for the algorithm to con-verge and in each iteration, users need to participate in thecryptographic computations as in joint decryption and zero-knowledge proofs for input validation. These computationsare interactive and thus, it is imperative for the users to beonline and synchronized.

3.2.2. Randomized perturbation to protect preferences

Previous section showed that homomorphic cryptosystems,zero-knowledge proof protocols, and secure multiparty com-putations play an important role in providing solutions forprocessing encrypted data. However, there are other ways topreserve privacy. In the following, we discuss preserving pri-vacy in recommender systems by perturbation of user data.

Randomized perturbation technique was first intro-duced in privacy-preserved data-mining by Agrawal andSrikant [34]. Polat and Du [49, 50] proposed to use thisrandomization-based technique in collaborative filtering.The user privacy is protected by simply randomizing userdata while certain computations on aggregate data can stillbe done. Then, the server generates recommendations basedon the blinded data but can not derive the user’s private in-formation (Figure 5).

Consider the scalar product of two vectors X and Y.These vectors are blinded by R = [r1, . . . , rM] and S = [s1,. . . , sM] such that X′ = X + R and Y′ = Y + S. Here ri’s andsi’s are uniformly distributed random values with zero mean.The scalar product of X and Y can be estimated from X′ andY′:

X′ · Y′ =M∑k=1

(xk yk + xksk + rk yk + rksk

) ≈ M∑k=1

xk yk. (29)

Since R and S are independent and independent of X andY, we have

∑Mk=1xksk ≈ 0,

∑Mk=1rk yk ≈ 0, and

∑Mk=1rksk ≈ 0.

Similarly, the sum of the elements of any vector A can be esti-mated from its randomized form A′. Polat and Du used thesetwo approximations to develop a privacy-preserving collab-orative filtering method [49, 50].

This method works if the number of users in the system issignificantly large. Only then the computations based on ag-gregated data can still be computed with sufficient accuracy.Moreover, it is also pointed out in [51, 52] that the idea ofpreserving privacy by adding random noise might not pre-serve privacy as much as it had been believed originally. Theuser data can be reconstructed from the randomly perturbeduser data matrix. The main limitation in the original work ofPolat and Du is shown to be the item-invariant perturbation[53]. Therefore, Zhang et al. [53] propose a two-way com-munication perturbation scheme for collaborative filteringin which the server and the user communicates to determineperturbation guidance that is used to blind user data beforesending to the server. Notwithstanding these approaches, thesecurity of such schemes based on perturbation of data is notwell understood.

4. CONTENT PROTECTION

4.1. Watermarking of content

In the past decade, content protection measures have beenproposed based on digital watermarking technology. Digi-tal watermarking [54, 55] allows hiding into a digital con-tent information that can be detected or extracted at a latermoment in time by means of signal processing operationssuch as correlation. In this way, digital watermarking pro-vides a communication channel multiplexed into originalcontent through which it is possible to transmit informa-tion. The type of information transmitted from sender to re-ceiver depends on the application at hand. As an example, ina forensic tracing application, a watermark is used to embeda unique code into each copy of the content to be distributed,where the code links a copy either to a particular user or toa specific device. When unauthorized published content isfound, the watermark allows to trace the user who has redis-tributed the content.

Secure signal processing needs to be performed in casewatermark detection or embedding is done in untrusted de-vices; watermarking schemes usually rely on a symmetric keyfor both embedding and detection, which is critical to boththe robustness and security of the watermark and thus needsto be protected.

For the application of secure signal processing in con-tent protection, three categories can be identified, namely,distribution models, customer rights protection, and securewatermark detection. The first two categories are relevant toforensic tracing (fingerprinting) applications. In classical dis-tribution models, the watermark embedding process is car-ried out by a trusted server before releasing the content to theuser. However this approach is not scalable, and in large-scaledistribution systems, the server may become overloaded. Inaddition, since point-to-point communication channels are


X

b Embedder

sk

Xw Channel

Attacksmanipulations

X′

b

X sk

Detector/decoderbYes/no

Figure 6: A digital watermarking model.

required, bandwidth requirements become prohibitive. Aproposed solution is to use client-side watermark embed-ding. Since the client is untrusted, the watermark needs tobe embedded without the client having access to the originalcontent and watermark.

The customer’s rights problem relates to the intrinsicproblem of ambiguity when watermarks are embedded at thedistribution server: a customer whose watermark has beenfound on unauthorized copies can claim that he has beenframed by a malicious seller who inserted his identity as wa-termark in an arbitrary object. The mere existence of thisproblem may discredit the accuracy of the forensic tracingarchitecture. Buyer-seller protocols have been designed toembed a watermark based on the encrypted identity of thebuyer, making sure that the watermarked copy is availableonly to the buyer and not to the seller.

In the watermark detection process, a system has to proveto a verifier that a watermark is present in certain content.Proving the presence of such a watermark is usually doneby revealing the required detection information to the ver-ifying party. All current applications assume that the verifieris a trusted party. However, this is not always true, for in-stance, if the prover is a consumer device. A cheating veri-fier could exploit the knowledge acquired during watermarkdetection to break the security of the watermarking system.Cryptographic protocols, utilizing zero-knowledge proofs,have been constructed in order to mitigate this problem.

We will first introduce a general digital watermarkingmodel to define the notation that will be useful in theremainder of the section. An example of a watermarkingscheme is proposed, namely, the one proposed by Cox et al.[56] since this scheme is adopted in many of the content pro-tection applications.

4.1.1. Watermarking model

Figure 6 shows a common model for a digital watermark-ing system [57]. The inputs of the system are the originalhost signal X and some application dependent to-be-hiddeninformation, here represented as a binary string B = [b1,b2, . . . , bL], with bi taking values in {0, 1}. The embedder in-serts the watermark code B into the host signal to producea watermarked signal Xw, usually making use of a secret keysk to control some parameters of the embedding process andallow the recovery of the watermark only to authorized users.

The watermark channel takes into account all processingoperations and (intentional or non-intentional) manipula-tions the watermarked content may undergo during distri-

bution and use. As a result, the watermarked content Xw ismodified into the “received” version X′. Based on X′, eithera detector verifies the presence of a specific message given toit as input, thus only answering yes or no, or a decoder readsthe (binary) information conveyed by the watermark. Detec-tors and decoders may need to know the original content Xin order to retrieve the hidden information (non-blind de-tector/decoder), or they do not require the original content(blind or oblivious detector/decoder).

4.1.2. Watermarking algorithm

Watermark information is embedded into host signals bymaking imperceptual modifications to the host signal. Themodifications are such that they convey the to-be-hidden in-formation B. The hidden information can be retrieved after-wards from the modified content by detecting the presenceof these modifications. Embedding is achieved by modifyingthe set of features X = [x1, x2, . . . , xM]. In the most simplecase, the features are simple signal amplitudes. In more com-plicated scenarios, the features can be DCT or wavelet coeffi-cients. Several watermarking schemes make use of a spread-spectrum approach to code the to-be-hidden information Binto W = [w1,w2, . . . ,wM]. Typically, W is a realization of anormally distributed random signal with zero mean and unitvariance.

The most well-known spread-spectrum techniques wasproposed by Cox et al. [56]. The host signal is first trans-formed into a discrete cosine transform (DCT) representa-tion. Next the largest magnitude DCT coefficients are se-lected, obtaining the set of features X. The multiplicative wa-termark embedding rule is defined as follows:

xw,i = xi + γwixi = xi(1 + γwi

), (30)

where xw,i is the ith component of the watermarked featurevector and γ is a scaling factor controlling the watermarkstrength. Finally, an inverse DCT transform yields the wa-termarked signal Xw.

To determine if a given signal Y contains the watermarkW, the decoder computes the DCT of Y, extracts the set X′ oflargest DCT coefficients, and then computes the correlationρX′W between the features X′ and the watermark W. If thecorrelation is larger than a threshold T , that is,

ρX′W = 〈X′, W〉〈X′, X′〉 ≥ T , (31)

the watermark is considered present in Y.


4.2. Client-side watermark embedding

Client-side watermark embedding systems transmit the sameencrypted version of the original content to all the clients buta client-specific decryption key allows to decrypt the contentand at the same time implicitly embed a watermark. Whenthe client uses his key to decrypt the content, he obtains auniquely watermarked version of the content. The securityproperties of the embedding scheme usually guarantees thatobtaining either the watermark or the original content in theclear is of comparable hardness as removing the watermarkfrom the personalized copy.

In literature, several approaches for secure embeddingcan be found. In [58], a pseudorandom mask is blended overeach frame of a video. Each client is given a different mask,which, when subtracted from the masked broadcast video,leaves an additive watermark in the content. The scheme isnot very secure because since the same mask is used for allframes of a video, it can be estimated by averaging attacks.

In broadcast environments, stream switching [59, 60]can be performed. Two differently watermarked signals arechopped up into small chunks. Each chunk is encrypted bya different key. Clients are given a different set of decryp-tion keys that allow them to selectively decrypt chunks of thetwo broadcast streams such that each client obtains the fullstream decrypted. The way the full stream is composed outof the two broadcast versions encodes the watermark. Thissolution consumes considerable bandwidth, since the data tobe broadcast to the clients is twice as large as the content it-self.

A second solution involves partial encryption, for in-stance, encrypting the signs of DCT coefficients of a signal[61]. Since the sign bits of DCT coefficients are perceptu-ally significant, the partially encrypted version of the signalis heavily distorted. During decryption, each user has a dif-ferent key that decrypts only a subset of these coefficients, sothat some signs are left unchanged. This leaves a detectablefingerprint in the signal. A similar approach was used in [62]to obtain partial encryption-based secure embedding solu-tions for audiovisual content.

A third approach is represented by methods using astream-cipher that allows the use of multiple decryptionkeys, which decrypt the same cipher text to slightly differ-ent plain-texts. Again, the difference between the originaland the decrypted content represents the embedded water-mark. The first scheme following this approach was pro-posed by Anderson and Manifavans [63] who designed aspecial stream cipher, called Chameleon, which allows todecrypt Chameleon-encrypted content in slightly differentways. During encryption, a key and a secure index generatorare used to generate a sequence of indices, which are used toselect four entries from a look-up-table (LUT). These entriesare XORed with the plaintext to form a word of the ciphertext. The decryption process is identical to encryption exceptfor the use of a decryption LUT, which is obtained by prop-erly inserting bit errors in some entries of the encryptionLUT. Decryption superimposes these errors onto the con-tent, thus leaving a unique watermark. Recently, Adelsbachet al. [64] and Celik et al. [65] proposed generalizations of

X

sk

Encryption

Enc LUT

Server

Wk

X′

sk

Dec LUT

Decryption XW

Clientk

Figure 7: Encryption and following joint decryption and water-marking procedure proposed in [65].

Chameleon, suitable for embedding robust spread-spectrumwatermarks. The schemes operate on LUTs composed of in-tegers from Zp and replace the XOR operation by a (modu-lar) addition.

In more detail, the secure embedding solution works asfollows. The distribution server generates a long-term mas-ter encryption LUT E of size L, whose entries properlygener-ated random samples; E will be used to encrypt the contentto be distributed to the clients. Next, for the kth client, theserver generates a personalized watermark LUT Wk accord-ing to a desired probability distribution, and builds a person-alized decryption LUT Dk by combining the master LUT andthe watermark LUT:

Dk[i] = −E[i] + Wk[i]. (32)

The personalized LUTs are then transmitted once to eachclient over a secure channel. Let us note that the generationof the LUTs is carried out just once at the setup of the ap-plication. A content X is encrypted by adding to it a pseu-dorandom sequence obtained by selecting some entries ofthe LUT with a secure pseudorandom sequence generatordriven by a session key sk. Each client receives the encryptedcontent X′ along with the session key sk and decrypts it us-ing some entries of his/her personalized decryption LUT Dk

(again chosen according to sk), with the final effect that aspread-spectrum watermark sequence is embedded into thedecrypted content. This process is summarized in Figure 7.In detail, driven by the session key sk, a set of indices ti j isgenerated, where 0 ≤ i ≤M−1, 0 ≤ j ≤ S−1, 0 ≤ ti j ≤ L−1.Each feature of the content xi is encrypted by adding S entriesof the encryption LUT, obtaining the encrypted feature x′i asfollows:

x′i = xi +S−1∑j=0

E[ti j]. (33)

Joint decryption and watermarking is accomplished by re-constructing with the session key sk the same set of indicesti j and by adding S entries of the decryption LUT to each en-crypted feature x′i :

xw,i = x′i +S−1∑j=0

D[ti j] = xi +

S−1∑j=0

W[ti j] = xi + wi. (34)


4.3. Buyer seller protocols

Forensic tracing architectures which perform watermark em-bedding at the distribution server are vulnerable against adishonest seller. The mere fact that a seller may fool a buyermay have an impact on the credibility of the whole tracingsystem. (Note that a seller may in fact have an incentive tofool a buyer: a seller who acts as an authorized reselling agentmay be interested in distributing many copies of a work con-taining the fingerprint of a single buyer to avoid paying theroyalties to the author by claiming that such copies were ille-gally distributed or sold by the buyer.)

A possible solution consists in resorting to a trusted thirdparty, responsible for both embedding and detection of wa-termarks; however, such an approach is not feasible in prac-tical applications because the TTP could easily become a bot-tleneck for the whole system. The Buyer-Seller Protocol relieson cryptographic primitives to perform watermark embed-ding [66]; the protocol assures that the seller does not haveaccess to the watermarked copy carrying the identity of thebuyer, hence he cannot distribute or sell these copies. In spiteof this, the seller can identify the buyer from whom unau-thorized copies originated, and prove it by using a properdispute resolution protocol.

We describe the protocol by Memon and Wong [66] inmore detail. Let Alice be the seller, Bob the buyer, and WCA atrusted watermark certification authority in charge of gener-ating legal watermarks and sending them to any buyer uponrequest. The protocol uses a public key cryptosystem whichis homomorphic with respect to the operation used in thewatermark embedding equation (i.e., the cryptosystem willbe multiplicatively homomorphic if watermark embeddingis multiplicative, like in Cox’s scheme); moreover, Alice andBob possess a pair of public/private keys denoted by pkA, pkB(public keys) and skA, skB (private keys).

In the first part of the protocol, on request of Bob, theWCA generates a valid watermark signal W and sends it backto Bob, encrypted with Bob’s public key EpkB (W), along withits digital signature SWCA(EpkB (W)), to prove that the water-mark is valid.

Next, Bob sends to Alice EpkB (W) and SWCA(EpkB (W)),so that Alice can verify that the encrypted watermark hasbeen generated by the WCA. Alice performs two watermarkembedding operations. First, she embeds (with any water-marking scheme) into the original content X a watermarkV, which just conveys a distinct ID univocally identifying thetransaction, obtaining the watermarked content X′. Next, asecond watermark is built by using EpkB (W): Alice permutesthe watermark components through a secret permutation σ :

σ(EpkB (W)

) = EpkB

(σ(W)

), (35)

and inserts EpkB (σ(W)) in X′ directly in the encrypted do-main, obtaining the final watermarked content X′′ in en-crypted form; X′′ is thus unknown to her. This is possibledue to the homomorphic property of the cipher:

EpkB (X′′) = EpkB (X′) · EpkB

(σ(W)

). (36)

When Bob receives EpkB (X′′), he decrypts it by using his pri-vate key skB, thus obtaining X′′, where the watermarks V and

σ(W) are embedded. Note that Bob cannot read the water-mark σ(W), since he does not know the permutation σ . Thescheme is represented in Figure 8.

In order to recover the identity of potential copyrightviolators, Alice first looks for the presence of V. Upon de-tection of an unauthorized copy of X, say Y, she can usethe second watermark to effectively prove that the copy isoriginated from Bob. To do so, Alice must reveal to judgethe permutation σ , the encrypted watermark EpkB (W) andSWCA(EpkB (W)). After verifying SWCA(EpkB (W)), the judgeasks Bob to use his private key skB to compute and revealW. Now it is possible to check Y for the presence of σ(W):if such a presence is verified, then Bob is judged guilty, oth-erwise, Bob’s innocence has been proven. Note that if σ(W)is found in Y, Bob cannot state that Y originated from Alicesince to do so Alice should have known either W to insert itwithin the plain asset X, or skB to decrypt EpkB (X′′) after thewatermark was embedded in the encrypted domain.

As a particular implementation of the protocol, [66] pro-posed to use Cox’s watermarking scheme and a multiplica-tively homomorphic cipher (despite its deterministic nature,authors use RSA). More secure and less complex implemen-tations of the Buyer Seller Protocol have been proposed in[67–70].

4.4. Secure watermark detection

To tackle the problem of watermark detection in the pres-ence of an untrusted verifier (to whom the watermark se-crets cannot be disclosed), two approaches have been pro-posed: one approach called asymmetric watermarking [71,72] uses different keys for watermark embedding and detec-tion. Whereas a watermark is embedded using a private key,its presence can be detected by a public key. In such schemes,the knowledge of the public detection key must not enablean adversary to remove the embedded watermark; unfortu-nately, none of the proposed schemes is sufficiently robustagainst malicious attacks [73]. Another approach is repre-sented by zero-knowledge watermark detection.

Zero-knowledge watermark detection (ZKWD) uses acryptographic protocol to wrap a standard symmetric wa-termark detection process. In general, a zero-knowledge wa-termark detection algorithm is an interactive proof systemwhere a prover tries to convince a verifier that a digital con-tent X′ is watermarked with a given watermark B withoutdisclosing B. In contrast to the standard watermark detector,in ZKWD the verifier is given only properly encoded (or en-crypted) versions of security-critical watermark parameters.Depending on the particular protocol, the watermark code,the watermarked object, a watermark key, or even the origi-nal unmarked object is available in an encrypted form to theverifier. The prover runs the zero-knowledge watermark de-tector to demonstrate to the verifier that the encoded water-mark is present in the object in question, without removingthe encoding. A protocol run will not leak any informationexcept for the unencoded inputs and the watermark presencedetection result.

Early approaches for zero-knowledge watermark detec-tion used permutations to conceal both the watermark and


EpkB (X′) · σ · EpkB (W)

XEmbedding

V

X′

σ

Seller

EpkB (X′′)Decryption

X′′

Buyer

skB

EpkB (W)

WCA

Figure 8: The scheme of the Buyer Seller Protocol proposed in [66].

the object in which the watermark is to be detected [74]; theprotocol assures that the permuted watermark is detected inthe permuted content and that both the watermark and theobject are permuted in the same manner. Craver [75] pro-posed to use ambiguity attacks as a central tool to constructzero-knowledge detectors; such attacks allow to compute awatermark that is detectable in a content but never has beenembedded there. To use ambiguity attacks in a secure detec-tor, the real watermark is concealed within a number of fakemarks. The prover has to show that there is a valid watermarkin this list without revealing its position. Now, the adversary(equipped solely with a watermark detector) cannot decidewhich of the watermarks is not counterfeit. Removal of thewatermark is thus sufficiently more difficult.

Another proposal is to compute the watermark detec-tion statistic in the encrypted domain (e.g., by using additivehomomorphic public-key encryption schemes or commit-ments) and then use zero-knowledge proofs to convince theverifier that the detection statistic exceeds a fixed threshold.This approach was first proposed by Adelsbach and Sadeghi[76], who use a homomorphic commitment scheme to com-pute the detection statistic; the approach was later refined in[77].

Adelsbach and Sadeghi [76] propose a zero-knowledgeprotocol based on the Cox’s watermarking scheme. In con-trast to the original algorithm, it is assumed that the water-mark and DCT-coefficients are integers and not real numbers(this can be achieved by appropriate quantization). More-over, for efficiency reasons, the correlation computation in(31) is replaced by the detection criterion:

C := (〈X′, W〉)2 − 〈X′, X′〉 · T2

:= (A)2 − B ≥ 0;(37)

the latter detection criterion is equivalent to the original one,provided that the factor A is positive.

The following zero-knowledge detection protocol hasbeen designed to allow the prover to prove to a verifier thatthe watermark committed to in the commitment com(W) ispresent in the watermarked content X′, without revealing anyinformation about W. In the protocol, the authors employ anadditively homomorphic commitment scheme (such as theone proposed by Damgard and Fujisaki [78]). Let ppub, X′,

com(W), T be the common inputs of prover and verifier andlet psec be the private input of the prover. First, both proverand verifier select the watermarked features X′ and computethe value B of (37); the prover sends a commitment com(B)to the verifier and opens it immediately, allowing him to ver-ify that the opened commitment contains the same value Bhe computed himself. Now both compute the commitment

com(A) =M∏i=1

com(wi)x′i (38)

by taking advantage of the homomorphic property of thecommitment scheme. Subsequently, the prover proves inzero-knowledge that A ≥ 0. Next, the prover computes thevalue A2, sends a commitment com(A2) to the verifier, andgives him a zero-knowledge proof to prove that com(A2) re-ally contains the square of the value contained in com(A).Being convinced that com(A2) really contains the correctlycomputed value A2, the two parties compute the commit-ment com(C) := com(A2)/com(B) on the value C. Fi-nally, the prover proves to the verifier, with a proper zero-knowledge protocol, that com(C) ≥ 0. If this proof is ac-cepted, then the detection algorithm ends with true, other-wise, with false.

While early protocols addressed only correlation-basedwatermark detectors, the approach has recently be extendedto Gaussian maximum likelihood detectors [79] and Dithermodulation watermarks [80, 81].

5. CONCLUSION AND DISCUSSION

The availability of signal processing algorithms that work di-rectly on the encrypted data would be of great help for appli-cation scenarios where “valuable” signals must be produced,processed, or exchanged in digital format. In this paper, wehave broadly referred to this new class of signal processingtechniques operating in the encrypted domain as signal pro-cessing in the encrypted domain. We mainly review the state-of-the-art, describing the necessary properties of the crypto-graphic primitives and highlighting the limits of current so-lutions that have an impact on processing in the encrypteddomain.


Concerning the use of cryptographic primitives for sig-nal processing in the encrypted domain, we can observe thattreating the digital content as a binary data is not realistic andeliminates the possibility of further processing. Concerningthe basic encryption primitives that make processing in theencrypted domain possible, for the particular case when itis necessary to compress an encrypted signal, a possibility isto resort to the theory of coding with side information; thisprimitive, however, seems to be applicable only to this kindof problem.

The general cryptographic tools that allow to process en-crypted signals are homomorphic cryptosystems since theyallow performing linear computations on the encrypted data.In order to implement necessary signal processing opera-tions, it seems crucial to have an algebraic cryptosystem.However, such a system does not exist and despite the factthat there is no formal proof, it is highly believed that sucha system will be insecure due to preserving too much struc-ture. Yet, homomorphic cryptosystems are the key compo-nents in signal processing in the encrypted domain. Anotherproperty, important for signal processing in the encrypteddomain, is probabilistic encryption: since signal samples areusually 8-bit or 16-bit in length, encrypting such values witha deterministic cryptosystem will result in reoccurring en-crypted values which significantly reduces the search spacefor brute-force attacks. A probabilistic scheme, which doesnot encrypt two equal plain texts into the same cipher text,eliminates such an issue. However, once the data is en-crypted, the probabilistic encryption makes it impossible tocheck if the encrypted value represents a valid input for thepurposes of the subsequent processing. Similarly, the out-put of a function that is computed with encrypted data mayneed to be compared with another value. In such situations,cryptography provides a solution known as zero-knowledgeproofs. Moreover, when nonlinear function needs to be com-puted, homomorphic encryption cannot help; in such a case,it is possible to resort to interactive protocols (e.g., the securemultiparty computation). The limit of these protocols is thata general solution is infeasible for situations where the partiesown huge quantities of data or the functions to be evaluatedare complex, as it happens in signal processing scenarios.

Though the possibility of processing encrypted data hasbeen advanced several years ago, processing encrypted sig-nals poses some new problems due to the peculiarities ofsignals with respect to other classes of data more commonlyencountered in the cryptographic literature, for example, al-phanumeric strings or bit sequences. One property of sig-nals is that in many signal processing applications, there isinterest on the way the signal varies with time rather thanthe single values it assumes. Moreover, the arithmetic usedto represent the signal samples has to be carefully taken intoaccount. If the signal samples are represented by means offixed-point arithmetic, we need to ensure that no overflowoccurs; for signal processing in the encrypted domain, it isnecessary that such a condition is ensured a priori by care-fully constraining the properties of the signals we operate onand the type and number of operations we want to performon them. Moreover, keeping the distinction between the in-teger and the fractional part of a number is a difficult task,

given that, once again, it calls for the possibility of comparingencrypted numbers. If the signals are represented by meansof floating point arithmetic, working in the encrypted do-main is a very difficult task due to the necessity of imple-menting operations such as comparisons and right shifts inthe encrypted domain, for which efficient (noninteractive)solutions are not known yet.

ACKNOWLEDGMENTS

The work reported here has been funded in part by the Eu-ropean Community’s Sixth Framework Programme underGrant no. 034238, SPEED project—Signal Processing in theEncrypted Domain. The work reported reflects only the au-thors’ views; the European Community is not liable for anyuse that may be made of the information contained herein.

REFERENCES

[1] JPSEC, International standard, ISO/IEC 15444-8, 2007.

[2] P. Paillier, “Public-key cryptosystems based on composite de-gree residuosity classes,” in Proceedings of the InternationalConference on the Theory and Application of CryptographicTechniques (EUROCRYPT ’99), vol. 1592 of Lecture Notes inComputer Science, pp. 223–238, Springer, Prague, Czech Re-public, May 1999.

[3] T. ElGamal, “A public key cryptosystem and a signaturescheme based on discrete logarithms,” in Proceedings of the 4thAnnual International Cryptology Conference (CRYPTO ’84),vol. 196 of Lecture Notes in Computer Science, pp. 10–18,Springer, Santa Barbara, Calif, USA, August 1985.

[4] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtain-ing digital signatures and public-key cryptosystems,” Commu-nications of the ACM, vol. 21, no. 2, pp. 120–126, 1978.

[5] J. R. Troncoso-Pastoriza, S. Katzenbeisser, M. Celik, and A.Lemma, “A secure multidimensional point inclusion proto-col,” in Proceedings of the 9th Workshop on Multimedia & Secu-rity (MM&Sec ’07), pp. 109–120, ACM Press, Dallas, Tex, USA,September 2007.

[6] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano,“Public key encryption with keyword search,” in Proceedingsof the International Conference on the Theory and Applicationsof Cryptographic Techniques (EUROCRYPT ’04), vol. 3027 ofLecture Notes in Computer Science, pp. 506–522, Springer, In-terlaken, Switzerland, May 2004.

[7] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Order pre-serving encryption for numeric data,” in Proceedings ofthe ACM International Conference on Management of Data(SIGMOD ’04), pp. 563–574, ACM Press, Paris, France, June2004.

[8] J. Domingo-Ferrer, “A new privacy homomorphism and ap-plications,” Information Processing Letters, vol. 60, no. 5, pp.277–282, 1996.

[9] J. Domingo-Ferrer, “A provably secure additive and multi-plicative privacy homomorphism,” in Proceedings of the 5thInternational Conference on Information Security (ISC ’02),vol. 2433 of Lecture Notes in Computer Science, pp. 471–483,Springer, Sao Paulo, Brazil, September-October 2002.

[10] J. H. Cheon and H. S. Nam, “A cryptanalysis of the originalDomingo-Ferrer’s algebraic privacy homomophism,” Cryp-tology ePrint Archive, Report 2003/221, 2003.


[11] D. Wagner, “Cryptanalysis of an algebraic privacy homomor-phism,” in Proceedings of the 6th International Conference onInformation Security (ISC ’03), vol. 2851 of Lecture Notes inComputer Science, pp. 234–239, Bristol, UK, October 2003.

[12] C. Fontaine and F. Galand, “A survey of homomorphic en-cryption for nonspecialists,” EURASIP Journal on InformationSecurity, vol. 2007, Article ID 13801, 10 pages, 2007.

[13] B. Schoenmakers and P. Tuyls, “Practical two-party com-putation based on the conditional gate,” in Proceedings ofthe 10th International Conference on the Theory and Applica-tion of Cryptology and Information Security (ASIACRYPT ’04),vol. 3329 of Lecture Notes in Computer Science, pp. 119–136,Jeju Island, Korea, December 2004.

[14] S. Goldwasser and S. Micali, “Probabilistic encryption,” Jour-nal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[15] J. Benaloh, Verifiable secret-ballot elections, Ph.D. thesis, De-partment of Computer Science, Yale University, New Haven,Conn, USA, 1988.

[16] D. Naccache and J. Stern, “A new public key cryptosystembased on higher residues,” in Proceedings of the 5th ACM Con-ference on Computer and Communications Security (CCS ’98),pp. 59–66, San Francisco, Calif, USA, November 1998.

[17] T. Okamoto and S. Uchiyama, “A new public-key cryptosys-tem as secure as factoring,” in Proceedings of the Interna-tional Conference on the Theory and Application of Crypto-graphic Techniques (EUROCRYPT ’98), vol. 1403 of LectureNotes in Computer Science, pp. 308–318, Springer, Espoo, Fin-land, May-June 1998.

[18] I. Damgard and M. Jurik, “A generalisation, a simplificationand some applications of Paillier’s probabilistic public-keysystem,” in Proceedings of the 4th International Workshop onPractice and Theory in Public Key Cryptosystems (PKC ’01),vol. 1992 of Lecture Notes In Computer Science, pp. 119–136,Springer, Cheju Island, Korea, February 2001.

[19] O. Goldreich, Foundations of Cryptography I, Cambridge Uni-versity Press, Cambridge, UK, 2001.

[20] C. P. Schnorr, “Efficient identification and signatures for smartcards,” in Proceedings of the 9th Annual International Cryp-tology Conference (CRYPTO ’89), vol. 435 of Lecture Notes inComputer Science, pp. 239–252, Springer, Santa Barbara, Calif,USA, August 1990.

[21] H. Lipmaa, “On diophantine complexity and statistical zero-knowledge arguments,” in Proceedings of the 9th InternationalConference on the Theory and Application of Cryptology andInformation Security (ASIACRYPT ’03), vol. 2894 of LectureNotes in Computer Science, pp. 398–415, Springer, Taipei, Tai-wan, November-December 2003.

[22] F. Boudot, “Efficient proofs that a committed number liesin an interval,” in Proceedings of the International Conferenceon the Theory and Application of Cryptographic Techniques(EUROCRYPT ’00), vol. 1807 of Lecture Notes in ComputerScience, pp. 431–444, Springer, Bruges, Belgium, May 2000.

[23] E. Fujisaki and T. Okamoto, “Statistical zero-knowledge pro-tocols to prove modular polynomial relations,” in Proceed-ings of the 17th Annual International Cryptology Conference(CRYPTO ’97), vol. 1294 of Lecture Notes in Computer Science,pp. 16–30, Springer, Santa Barbara, Calif, USA, August 1997.

[24] J. Camenisch and M. Michels, “Proving in zero-knowledgethat a number is the product of two safe primes,” in Proceed-ings of the International Conference on the Theory and Applica-tion of Cryptographic Techniques (EUROCRYPT ’99), vol. 1592

of Lecture Notes in Computer Science, pp. 107–122, Springer,Prague, Czech Republic, May 1999.

[25] T. Pedersen, “Non-interactive and information-theoretic se-cure verifiable secret sharing,” in Proceedings of the 11thAnnual International Cryptology Conference (CRYPTO ’91),vol. 576 of Lecture Notes in Computer Science, pp. 129–140,Springer, Santa Barbara, Calif, USA, August 1992.

[26] A. C. Yao, “Protocols for secure computations,” in Proceedingsof 23rd IEEE Symposium on Foundations of Computer Science(FOCS ’82), pp. 160–164, Chicago, Ill, USA, November 1982.

[27] B. Schoenmakers and P. Tuyls, “Efficient binary conversion forPaillier encrypted values,” in Proceedings of the 24th Annual In-ternational Conference on the Theory and Applications of Cryp-tographic Techniques (EUROCRYPT ’06) , vol. 4004 of LectureNotes in Computer Science, pp. 522–537, Springer, St. Peters-burg, Russia, May-June 2006.

[28] O. Goldreich, Foundations of Cryptography II, Cambridge Uni-versity Press, Cambridge, UK, 2004.

[29] S.-C. S. Cheung and T. Nguyen, “Secure multiparty computa-tion between distrusted networks terminals,” EURASIP Jour-nal on Information Security, vol. 2007, Article ID 51368, 10pages, 2007.

[30] M. Johnson, P. Ishwar, V. Prabhakaran, D. Schonberg, and K.Ramchandran, “On compressing encrypted data,” IEEE Trans-actions on Signal Processing, vol. 52, no. 10, pp. 2992–3006,2004.

[31] D. Slepian and J. K. Wolf, “Noiseless coding of correlated in-formation sources,” IEEE Transactions on Information Theory,vol. 19, pp. 471–480, 1973.

[32] S. Pradhan and K. Ramchandran, “Distributed source codingusing syndromes (DISCUS): design and construction,” IEEETransactions on Information Theory, vol. 49, no. 3, pp. 626–643, 2003.

[33] Y. Lindell and B. Pinkas, “Privacy preserving data mining,” inProceedings of the 20th Annual International Cryptology Con-ference (CRYPTO ’00), vol. 1880 of Lecture Notes in ComputerScience, pp. 36–54, Santa Barbara, Calif, USA, August 2000.

[34] R. Agrawal and R. Srikant, “Privacy-preserving data mining,”ACM SIGMOD Record, vol. 29, no. 2, pp. 439–450, 2000.

[35] C. Clifton, M. Kantarcioglu, J. Vaidya, X. Lin, and M. Y. Zhu,“Tools for privacy preserving distributed data mining,” ACMSIGKDD Explorations Newsletter, vol. 4, no. 2, pp. 28–34, 2002.

[36] M. Kantarcioglu and J. Vaidya, “Privacy preserving naiveBayes classifier for horizontally partitioned data,” in Procced-ings of the IEEE Workshop on Privacy Preserving Data Mining(ICDM ’03), pp. 3–9, Melbourne, Fla, USA, November 2003.

[37] B. Pinkas, “Cryptographic techniques for privacy-preservingdata mining,” ACM SIGKDD Explorations Newsletter, vol. 4,no. 2, pp. 12–19, 2002.

[38] V. S. Verykios, E. Bertino, I. N. Fovino, L. P. Provenza, Y. Say-gin, and Y. Theodoridis, “State-of-the-art in privacy preserv-ing data mining,” ACM SIGMOD Record, vol. 33, no. 1, pp.50–57, 2004.

[39] A. K. Jain, M. N. Murty, and P. J. Flynn, “Data clustering: areview,” ACM Computing Surveys, vol. 31, no. 3, pp. 264–323,1999.

[40] G. Jagannathan and R. N. Wright, “Privacy-preserving dis-tributed k-means clustering over arbitrarily partitioned data,”in Proceedings of the ACM SIGKDD International Conferenceon Knowledge Discovery and Data Mining (KDD ’05), pp. 593–599, ACM Press, Chicago, Ill, USA, August 2005.

[41] B. Goethals, S. Laur, H. Lipmaa, and T. Mielikainen, “On se-cure scalar product computation for privacy-preserving data


mining,” in Proceedings of the 7th Annual International Con-ference in Information Security and Cryptology (ICISC ’04),vol. 3506 of Lecture Notes in Computer Science, pp. 104–120,Springer, Seoul, Korea, December 2004.

[42] A. C. Yao, “How to generate and exchange secrets,” in Proceed-ings of the 27th Annual Symposium on Foundations of Com-puter Science, pp. 162–167, Toronto, Ontario, Canada, October1986.

[43] K. Goldberg, T. Roeder, D. Gupta, and C. Perkins, “Eigentaste:a constant time collaborative filtering algorithm,” InformationRetrieval, vol. 4, no. 2, pp. 133–151, 2001.

[44] J. D.M. Rennie and N. Srebro, “Fast maximum margin ma-trix factorization for collaborative prediction,” in Proceed-ings of the 22nd International Conference on Machine Learning(ICML ’05), pp. 713–720, Bonn, Germany, August 2005.

[45] B. Sarwar, G. Karypis, J. Konstan, and J. Riedl, “Applica-tion of dimensionality reduction in recommender systems,”in Proceedings of the Web Mining for E-Commerce—Challengesand Opportunities (WEBKDD ’00), Boston, Mass, USA, Au-gust 2000.

[46] J. F. Canny, “Collaborative filtering with privacy,” in Proceed-ings of the IEEE Symposium on Security and Privacy, pp. 45–57,Berkeley, Calif, USA, May 2002.

[47] T. Pedersen, “A threshold cryptosystem without a trustedparty,” in Proceedings of the Workshop on the Theory andApplication of Cryptographic Techniques (EUROCRYPT ’91),vol. 547 of Lecture Notes in Computer Science, pp. 522–526,Brighton, UK, April 1991.

[48] J. F. Canny, “Collaborative filtering with privacy via factoranalysis,” in Proceedings of the 25th Annual International ACMSIGIR Conference on Research and Development in InformationRetrieval (SIGIR ’02), pp. 238–245, ACM Press, Tampere, Fin-land, August 2002.

[49] H. Polat and W. Du, “Privacy-preserving collaborative filter-ing using randomized perturbation techniques,” in Proceed-ings of the 3rd IEEE International Conference on Data Min-ing (ICDM ’03), pp. 625–628, IEEE Computer Society, Mel-bourne, Fla, USA, November 2003.

[50] H. Polat and W. Du, “SVD-based collaborative filtering withprivacy,” in Proceedings of the 20th Annual ACM Symposiumon Applied Computing (SAC ’05), vol. 1, pp. 791–795, Santa Fe,NM, USA, March 2005.

[51] Z. Huang, W. Du, and B. Chen, “Deriving private informa-tion from randomized data,” in Proceedings of the ACM Inter-national Conference on Management of Data (SIGMOD ’05),pp. 37–48, ACM Press, Baltimore, Md, USA, June 2005.

[52] H. Kargupta, S. Datta, Q. Wang, and K. Sivakumar, “On theprivacy preserving properties of random data perturbationtechniques,” in Proceedings of the 3rd IEEE International Con-ference on Data Mining (ICDM ’03), pp. 99–106, Melbourne,Fla, USA, November 2003.

[53] S. Zhang, J. Ford, and F. Makedon, “A privacy-preserving col-laborative filtering scheme with two-way communication,” inProceedings of the 7th ACM Conference on Electronic Commerce(EC ’06), pp. 316–323, Ann Arbor, Mich, USA, June 2006.

[54] M. Barni and F. Bartolini, Watermarking Systems Engineering:Enabling Digital Assets Security and Other Applications, MarcelDekker, New York, NY, USA, 2004.

[55] I. J. Cox, M. L. Miller, and J. A. Bloom, Digital Watermarking,Morgan Kaufmann, San Francisco, Calif, USA, 2001.

[56] I. J. Cox, J. Kilian, F. T. Leighton, and T. Shamoon, “Securespread spectrum watermarking for multimedia,” IEEE Trans-actions on Image Processing, vol. 6, no. 12, pp. 1673–1687, 1997.

[57] M. Barni and F. Bartolini, “Data hiding for fighting piracy,”IEEE Signal Processing Magazine, vol. 21, no. 2, pp. 28–39,2004.

[58] S. Emmanuel and M. Kankanhalli, “Copyright protectionfor MPEG-2 compressed broadcast video,” in Proceedings ofthe IEEE International Conference on Multimedia and Expo(ICME ’01), pp. 206–209, Tokyo, Japan, August 2001.

[59] J. Crowcroft, C. Perkins, and I. Brown, “A method and appa-ratus for generating multiple watermarked copies of an infor-mation signal,” WO Patent No. 00/56059, 2000.

[60] R. Parviainen and P. Parnes, “Large scale distributed water-marking of multicast media through encryption,” in Proceed-ings of the IFIP TC6/TC11 International Conference on Com-munications and Multimedia Security Issues of the New Cen-tury, vol. 192, pp. 149–158, Darmstadt, Germany, May 2001.

[61] D. Kundur and K. Karthik, “Video fingerprinting and encryp-tion principles for digital rights management,” Proceedings ofthe IEEE, vol. 92, no. 6, pp. 918–932, 2004.

[62] A. Lemma, S. Katzenbeisser, M. Celik, and M. van der Veen,“Secure watermark embedding through partial encryption,” inProceedings of the 5th International Workshop on Digital Water-marking (IWDW ’06), vol. 4283 of Lecture Notes in ComputerScience, pp. 433–445, Jeju Island, Korea, November 2006.

[63] R. J. Anderson and C. Manifavas, “Chameleon—a new kind ofstream cipher,” in Proceedings of the 4th International Workshopon Fast Software Encryption (FSE ’97), vol. 1267, pp. 107–113,Springer, Haifa, Israel, January 1997.

[64] A. Adelsbach, U. Huber, and A.-R. Sadeghi, “Fingercasting—joint fingerprinting and decryption of broadcast messages,” inProceedings of the 11th Australasian Conference on InformationSecurity and Privacy (ACISP ’06), vol. 4058 of Lecture Notesin Computer Science, pp. 136–147, Springer, Melbourne, Aus-tralia, July 2006.

[65] M. Celik, A. Lemma, S. Katzenbeisser, and M. van der Veen,“Secure embedding of spread spectrum watermarks usinglook-up tables,” in Proceedings of the International Conferenceon Acoustics, Speech and Signal Processing (ICASSP ’07), vol. 2,pp. 153–156, IEEE Press, Honolulu, Hawaii, USA, April 2007.

[66] N. Memon and P. W. Wong, “A buyer-seller watermarking pro-tocol,” IEEE Transactions on Image Processing, vol. 10, no. 4, pp.643–649, 2001.

[67] F. Ahmed, F. Sattar, M. Y. Siyal, and D. Yu, “A secure wa-termarking scheme for buyer-seller identification and copy-right protection,” EURASIP Journal on Applied Signal Process-ing, vol. 2006, Article ID 56904, 15 pages, 2006.

[68] M. Kuribayashi and H. Tanaka, “Fingerprinting protocolfor images based on additive homomorphic property,” IEEETransactions on Image Processing, vol. 14, no. 12, pp. 2129–2139, 2005.

[69] C.-L. Lei, P.-L. Yu, P.-L. Tsai, and M.-H. Chan, “An efficientand anonymous buyer-seller watermarking protocol,” IEEETransactions on Image Processing, vol. 13, no. 12, pp. 1618–1626, 2004.

[70] J. Zhang, W. Kou, and K. Fan, “Secure buyer-seller watermark-ing protocol,” IEE Proceedings—Information Security, vol. 153,no. 1, pp. 15–18, 2006.

[71] J. J. Eggers, J. K. Su, and B. Girod, “Public key watermarkingby eigenvectors of linear transforms,” in Proceedings of the Eu-ropean Signal Processing Conference (EUSIPCO ’00), Tampere,Finland, September 2000.

[72] T. Furon and P. Duhamel, “An asymmetric public detectionwatermarking technique,” in Proceedings of the 3rd Interna-tional Workshop on Information Hiding (IH ’99), vol. 1768 of


Lecture Notes in Computer Science, pp. 88–100, Springer, Dres-den, Germany, September-October 2000.

[73] J. J. Eggers, J. K. Su, and B. Girod, “Asymmetric watermark-ing schemes,” in Proceedings of the Sicherheit in Mediendaten,GMD Jahrestagung, Berlin, Germany, September 2000.

[74] S. A. Craver and S. Katzenbeisser, “Security analysis of public-key watermarking schemes,” in Mathematics of Data/ImageCoding, Compression, and Encryption IV, with Applications,vol. 4475 of Proceedings of SPIE, pp. 172–182, San Diego, Calif,USA, July 2001.

[75] S. Craver, “Zero knowledge watermark detection,” in Proceed-ings of the 3rd International Workshop on Information Hiding(IH ’99), vol. 1768 of Lecture Notes in Computer Science, pp.101–116, Springer, Dresden, Germany, September-October1999.

[76] A. Adelsbach and A.-R. Sadeghi, “Zero-knowledge water-mark detection and proof of ownership,” in Proceedings of the4th International Workshop on Information Hiding (IH ’01),vol. 2137 of Lecture Notes in Computer Science, pp. 273–288,Springer, Pittsburgh, Pa, USA, April 2001.

[77] A. Adelsbach, M. Rohe, and A.-R. Sadeghi, “Non-interactivewatermark detection for a correlation-based watermarkingscheme,” in Proceedings of the 9th IFIP TC-6 TC-11Interna-tional Conference on Communications and Multimedia Security(CMS ’05), vol. 3677 of Lecture Notes in Computer Science, pp.129–139, Springer, Salzburg, Austria, September 2005.

[78] I. Damgard and E. Fujisaki, “A statistically-hiding integer com-mitment scheme based on groups with hidden order,” inProceedings of the 8th International Conference on the The-ory and Application of Cryptology and Information Security(ASIACRYPT ’02), Y. Zheng, Ed., vol. 2501 of Lecture Notes inComputer Science, pp. 125–142, Springer, Queenstown, NewZealand, December 2002.

[79] J. R. Troncoso-Pastoriza and F. Perez-Gonzalez, “Efficientnon-interactive zero-knowledge watermark detector robust tosensitivity attacks,” in Security,Steganography, and Watermark-ing of Multimedia Contents IX, P. W. Wong and E. J. Delp, Eds.,vol. 6505 of Proceedings of SPIE, pp. 1–12, San Jose, CA, USA,January 2007.

[80] M. Malkin and T. Kalker, “A cryptographic method for securewatermark detection,” in Proceedings of the 8th InternationalWorkshop on Information Hiding (IH ’06), vol. 4437 of LectureNotes in Computer Science, pp. 26–41, Springer, Alexandria,Va, USA, July 2006.

[81] A. Piva, V. Cappellini, D. Corazzi, A. De Rosa, C. Orlandi, andM. Barni, “Zero-knowledge ST-DM watermarking,” in Secu-rity, Steganography, and Watermarking of Multimedia ContentsVIII, vol. 6072 of Proceedings of SPIE, pp. 291–301, San Jose,Calif, USA, January 2006.

EURASIP Journal on Wireless Communications and Networking

Special Issue on

Advances in Quality and Performance Assessment forFuture Wireless Communication Services

Call for Papers

Wireless communication services are evolving rapidly intandem with developments and vast growth of heteroge-neous wireless access and network infrastructures and theirpotential. Many new, next-generation, and advanced futureservices are being conceived. New ideas and innovation inperformance and QoS, and their assessment, are vital tothe success of these developments. These should be openand transparent, with not only network-provider-drivenbut also service-provider-driven and especially user-driven,options on management and control to facilitate always bestconnected and served (ABC&S), in whatever way this isperceived by the different stake holders. To wireless commu-nication services suppliers and users, alike the complexityand integrability of the immense, diverse, heterogeneouswireless networks’ infrastructure should add real benefits andalways appear as an attractive user-friendly wireless servicesenabler, as a wireless services performance enhancer and as astimulant to wireless services innovation. Effecting the inte-gration of services over a converged IP platform supportedby this diverse and heterogeneous wireless infrastructurepresents immense QoS and traffic engineering challenges.Within this context, a special issue is planned to addressquestions, advances, and innovations in quality and perfor-mance assessment in heterogeneous wireless service delivery.

Topics of interest include, but are not limited to:

• Performance evaluation and traffic modelling• Performance assessments and techniques at system/

flow level, packet level, and link level• Multimedia and heterogeneous service integration-

performance issues, tradeoffs, user-perceived QoS, andquality of experience

• Network planning; capacity; scaling; and dimension-ing

• Performance assessment, management, control, andsolutions: user-driven; service-provider-driven; net-work-provider-driven; subscriber-centric and consu-mer-centric business model dependency issues

• Wireless services in support of performance assess-ment, management, and control of multimedia servicedelivery

• Performance management and assessment in user-driven live-access network change and network-driveninternetwork call handovers

• Subscriber-centric and consumer-centric businessmodel dependency issues for performance manage-ment, control, and solutions

• Simulations and testbeds

Before submission, authors should carefully read over thejournal’s Author Guidelines, which are located at http://www.hindawi.com/journals/wcn/guidelines.html. Prospective au-thors should submit an electronic copy of their completemanuscript through the journal Manuscript Tracking Sys-tem at http://mts.hindawi.com/, according to the followingtimetable:

Manuscript Due August 1, 2009

First Round of Reviews November 1, 2009

Publication Date February 1, 2010

Lead Guest Editor

Máirtín O’Droma, Telecommunications Research Centre,University of Limerick, Ireland; [email protected]

Guest Editors

Markus Rupp, Institute of Communications andRadio-Frequency Engineering, Vienna University ofTechnology, Gusshausstrasse 25/389, 1040 Vienna, Austria;[email protected]

Yevgeni Koucheryavy, Department of CommunicationEngineering, Tampere University of Technology,Korkeakoulunkatu 10, 33720 Tampere, Finland; [email protected]

Andreas Kassler, Computer Science Department,University of Karlstad, Universitetsgatan, 65188 Karlstad,Sweden; [email protected]

Hindawi Publishing Corporationhttp://www.hindawi.com

http://www.hindawi.com/journals/wcn/guidelines.html

http://www.hindawi.com/journals/wcn/guidelines.html

http://mts.hindawi.com/





EURASIP Journal on Information Security

Special Issue on

Enhancing Privacy Protection in Multimedia Systems

Call for PapersThe right to privacy has long been regarded as one ofthe basic universal human rights. In the last thirty years,advances in computing technologies have brought dramaticimprovement in collecting storing and sharing personalinformation among government agencies and private sec-tors. The combination of ubiquitous sensors, wireless con-nectivity, and powerful recognition algorithms make it easierthan ever to monitor every aspect of our daily activities. Fromthe use of sophisticated pattern recognition in surveillancevideo to the theft of biometric signals and personal multi-media contents—people have become increasingly worriedabout the privacy of their multimedia data. To mitigatepublic concern about privacy violation, it is imperative tomake privacy protection a priority in current and futuremultimedia systems.

Even though research on privacy enhancing technologies(PETs) began twenty years ago, most of the existing schemesfocus on textual or categorical data and are inadequateto protect multimedia. The particular challenges includebut are not limited to the difficulty in extracting semanticinformation for protection, the ability to apply crypto-graphic primitives to high data-rate multimedia streams,basic signal processing algorithms for protecting privacywithout destroying the perceptual quality of the signal, andprivacy models for governing and handling privacy rightsin multimedia systems. In the last few years, there has beenmuch exciting new theoretical and practical work to tacklethese challenges by combining expertise from multimedia,pattern recognition, cryptography, and computer security.This work has the potential of not only providing enhancedlevel of privacy, but also revolutionizing the research frontierin the fundamental studies of multimedia and security. Thegoal of this special issue is to collect cutting-edge researchwork in privacy protection technologies for multimedia,and to provide a high-quality forum for researchers fromdifferent areas to explore future opportunities in this area.

We seek submissions from academia and industry present-ing novel research and field experiments on topics whichinclude, but are not limited to:

• Privacy in multimedia database systems• Privacy in multimodal biometric systems• Privacy in multimodal surveillance systems• Privacy in mobile multimedia systems

• Privacy preserving digital right management systems• Privacy preserving feature extraction• Privacy preserving pattern recognition• Privacy threat and attack models• Signal-based obfuscation• Reversibility in signal-based obfuscation• Signal processing in encrypted domains• Subject identification for privacy protection• Location and tracking privacy in multimedia signals• Multimedia sensor protocols that preserve anonymity/

privacy• Application of multimedia scrambling and data hiding

for privacy protection• Usability issues in privacy-protected multimedia sys-

tems• Legality and economics of privacy in multimedia

systems

Authors should follow the EURASIP Journal on Informa-tion Security manuscript format described at the jour-nal site http://www.hindawi.com/journals/is/. Prospectiveauthors should submit an electronic copy of their completemanuscript through the journal Manuscript Tracking Sys-tem at http://mts.hindawi.com/ according to the followingtimetable:

Manuscript Due March 1, 2009

First Round of Reviews June 1, 2009

Publication Date September 1, 2009

Guest Editors

Sen-ching Samson Cheung, Center for Visualization andVirtual Environments, Department of Electrical andComputer Engineering, University of Kentucky, Lexington,KY 40507, USA; [email protected]

Deepa Kundur, Electrical and Computer EngineeringDepartment, Texas A&M University, College Station, TX77843, USA; [email protected]

Andrew Senior, Google Inc., NY 10011, USA;[email protected]

Hindawi Publishing Corporationhttp://www.hindawi.com

http://www.hindawi.com/journals/is/

http://mts.hindawi.com/

reviewarticle -...

Documents