I Introduction
Cloud computing and edge computing have been spreading in many fields, with the development of cloud services. However, the computing environment has some serious issues for end users, such as unauthorized use and leak of data, and privacy compromise, due to unreliability of providers and some accidents. While, a lot of studies on secure, efficient and flexible communications, storage and computation have been reported [1, 2, 3]. For securing data, full encryption with provable security (like RSA, AES, etc) is the most secure option. However, many multimedia applications have been seeking a tradeoff in security to enable other requirements, e.g., low processing demands, retaining bitstream compliance, and flexible processing in the encrypted domain, so that a lot of perceptual encryption schemes have been studied as one of the schemes for achieving a tradeoff [4, 5, 6, 7, 8, 9, 10, 11, 12, 13]
In the recent years, considerable efforts have been made in the fields of fully homomorphic encryption and multiparty computation [14, 15, 16, 17]. However, these schemes can not be applied yet to SVM algorithms, although it is possible to carry out some statistical analysis of categorical and ordinal data. Moreover, the schemes have to prepare algorithms specialized for computing encrypted data.
Because of such a situation, we propose a privacypreserving SVM computing scheme in this paper . We focus on templates protected by using a random unitary transformation, which have been studied as one of methods for cancelable biometrics [18, 19, 20, 21, 22, 23, 24]
, and then consider some properties of the protected templates for secure SVM computing, where templates mean features extracted from data. As a result, the proposed scheme enables us not only to protect templates, but also to have the same performance as that of unprotected templates under some useful kernel functions as isotropic stationary kernels. Moreover, it can be directly carried out by using wellknown SVM algorithms, without preparing any algorithms specialized for secure SVM computing. In the experiments, the proposed scheme is applied to a face recognition algorithm with SVM classifiers to confirm the effectiveness.
Ii preparation
Iia Support Vector Machine
Support Vector Machine (SVM) is a supervised machine learning algorithm which can be used for both classification or regression challenges, but it is mostly used in classification problems. In SVM, we input a feature vector
to the discriminant function aswhere is a weight parameter, and is a bias.
SVM also has a technique called the kernel trick, which is a function that takes low dimensional input space and transform it to a higher dimensional space. These functions are called kernels. The kernel trick could be applied to Eq. (IIA) to map an input vector on further high dimension feature space, and then to linearly classify it on that space as
(1) 
The function maps an input vector on high dimension feature space , where is the number of the dimensions of features. In this case, feature space includes parameter (). The kernel function of two vectors , is defined as
(2) 
where
is an inner product. There are various kernel functions. For example, Radial Basis Function(RBF) kernel is given by
(3) 
and polynomial kernel is provided by
(4) 
where is a high parameter to decide the complexity of boundary determination, is a parameter to decide the degree of the polynomial, and indicates transpose.
This paper aims to propose a new framework to carry out SVM with protected vectors.
IiB Scenario
Figure 1 illustrates the scenario used in this paper. In the enrollment, client , , prepares training samples such as images, and a feature set , called a template, is extracted from the samples. Next the client creates a protected template set by a secret key and sends the set to a cloud server. The server stores it and implements learning with the protected templates for a classification problem.
In the authentication, Client creates a protected template as a query and sends it to the server. The server carries out a classification problem with a learning model prepared in advance, and then returns the result to Client .
Note that the cloud server has no secret keys and the classification problem can be directly carried out by using wellknown SVM algorithms. In the other words, the server does not have to prepare any algorithms specialized for the classification in the encrypted domain.
Iii Proposed framework
In this section, protected templates generated by using a random unitary matrix are conducted, and a SVM computation scheme with the protected templates is proposed under some kernel functions.
Iiia Template Protection
Template protection schemes based on unitary transformations have been studied as one of methods for cancelable biometrics[18, 21, 22, 23, 19, 20]. This paper has been inspired by those studies.
A template is protected by a unitary matrix having randomness with a key , as,
(5) 
where is the protected template. Various generation schemes of have been studied to generate unitary or orthogonal random matrices such as GramSchmidt method, random permutation matrices and random phase matrices[23, 22]
. For example, the GramSchmidt method can be applied to a pseudorandom matrix to generate
. Security analysis of the protection schemes have been also considered in terms of bruteforce attacks, diversity and irreversibility.IiiB SVM with protected templates
IiiB1 Properties
Property 1 : Conservation of the Euclidean distances:
Property 2 : Conservation of inner products:
Property 3 : Conservation of correlation coefficients:
where is a template of another client , who has M training samples .
IiiB2 Classes of kernels
We consider applying the protected templates to a kernel function. In the case of using RBF kernel, the following relation is satisfied from property 1 and Eq.(3)
(6)  
A stationary kernel is one which is translation invariant:
(7) 
that is, it depends only on the lag vector separating the two vectors and . Moreover, when a stationary kernel depends only on the norm of the lag vectors between two vectors, the kernel is said to be isotropic (or homogeneous)[25], and is thus only a function of distance:
(8) 
For examples, RBF, WAVE and Rational quadratic kernels belong to this class, i.e, isotropic stationary kernel, called kernel class 1 in this paper. If kernels are isotropic, the propose scheme is useful under the kernels.
Besides, from property 3, we can also use a kernel that depends only on the inner products between two vectors given as
(9) 
Polynomial kernel and linear kernel are in this class, referred to as class 2.
Some kernels such as Fisher and pspectrum ones, to which the protected templates can not be applied, belong to other classes. We focus on using kernel class 1 and class 2.
IiiB3 Dual problem
Next, we consider binary classification that is the task of classifying the elements of a given set. A dual problem to implement a SVM classifier with protected templates is expressed as
(10) 
where and are correct labels for each training data, and are dual variables and C is a regular coefficient. If we use kernel class 1 or class 2 described above, the inner product is equal to . Therefore, even in the case of using protected templates, the dual problem with protected templates is reduced to the same problem as that of the original templates. This conclusion means that the use of the proposed templates gives no effect to the performance of the SVM classifier under kernel class 1 and class 2.
IiiC Relation among keys
As shown in Fig 1, a protected template is generated from training data by using a key . Two relations among keys are summarized, here.
IiiC1 Key condition 1:
The first key choice is to use a common key in all clients, namely, . In this case, all protected templates satisfy the properties described in IIIB, so the SVM classifier has the same performance as that of using the original templates.
IiiC2 Key condition 2:
The second key choice is to use a different key in each client, namely . In this case, the three properties are satisfied only among templates with a common key. This key condition allows us to enhance the robustness of the security against various attacks as discussed later.
Iv Experimental Results
The propose scheme was applied to face recognition experiments which were carried out as a dual problem.
Iva Data Set
We used Extended Yale Face Database B[24] that consists of 2432 frontal facial images with pixels of persons like Fig 2. 64 images for each person were divided into half randomly for training data samples and queries. We used random permutation matrices as unitary matrices to produce protected templates. Besides, RBF kernel and linear kernel were used, where they belong to kernel class 1 and class 2, respectively. The protection was applied to templates with 1216 dimensions generated by the downsampling method[21]. The downsampling method divides an image into nonoverlapped blocks and then calculates the mean value in each block. Figure 3 shows the examples of an original template and the protected one.
(a) person1  (b) person2 
(a) template  (b) protected 
IvB Results and Discussion
In face recognition with SVM classifiers, one classifier is created for each enrollee. The classifier outputs a predicted class label and a classification score for each query template , where is a protected template generated from the template of a query, . The classification score is the distance from the query to the boundary ranging. The relation between the classification score and a threshold for the positive label of is given as
(11) 
In the experiment, False Reject Rate(FRR), False Accept Rate(FAR), and Equal Error Rate(EER) at which FAR is equal to FRR were used to evaluate the performance.
IvB1
Figure 4 shows results in the case of using key condition 1. The results demonstrate that SVM classifiers with protected templates (protected in Fig 4) had the same performances as those fo SVM classifiers with the original templates (not protected in Fig 4). From the results, it is confirmed that the proposed framework gives no effect to the performance of SVM classifiers under key condition 1.
IvB2
Figure 5 shows results in the case of using key condition 2. In this condition, it is expected that a query will be authenticated only when it meets two requirements, i.e. the same key and the same person, although only the same person is required under key condition1. Therefore, the performances in Fig. 5 were slightly different from those in Fig. 4, so the FAR performances for key condition 2 were better due to the strict requirements.
IvB3 Unauthorized outflow ()
Figure 6 shows the FAR performance in the case that a key leaks out. In this situation, other clients could use the key without any authorization as spoofing attacks. As shown in Fig.6, the FAR (key leaked in Fig.6) still had low vales due to two requirements, although it was slightly degraded, compared to Fig.5.
Figure 7 is the FAR performance in the case that a template leaks out. It is confirmed that the FAR (template leaked in Fig.7) still had low vales as well as in Fig.6.
From these results, the use of key condition 2 enhances the robustness of the security against spoofing attacks.
V conclusion
In this paper, we proposed a privacypreserving SVM computing scheme with protected templates. It was shown that templates protected by a unitary transform has some useful properties, and the properties allow us to securely compute SVM algorithms without any degradation of the performances. Besides, two key conditions were considered to enhance the robustness of the security against various attacks. Some facebased authentication experiments using SVM classifiers were also demonstrated to experimentally confirm the effectiveness of the proposed framework.
Acknowledgements
This work was partially supported by GrantinAid for Scientific
Research(B), No.17H03267, from the Japan Society
for the Promotion Science.
References
 [1] C. T. Huang, L. Huang, Z. Qin, H. Yuan, L. Zhou, V. Varadharajan, and CC. J. Kuo, “Survey on securing data storage in the cloud,” APSIPA Transactions on Signal and Information Processing, vol. 3, 2014.
 [2] R. Lazzeretti and M. Barni, “Private computing with garbled circuits [applications corner],” IEEE Signal Processing Magazine, vol. 30, no. 2, pp. 123–127, 2013.
 [3] M. Barni, G. Droandi, and R. Lazzeretti, “Privacy protection in biometricbased recognition systems: A marriage between cryptography and signal processing,” IEEE Signal Processing Magazine, vol. 32, no. 5, pp. 66–76, 2015.
 [4] R. L. Lagendijk, Z. Erkin, and M. Barni, “Encrypted signal processing for privacy protection: Conveying the utility of homomorphic encryption and multiparty computation,” IEEE Signal Processing Magazine, vol. 30, no. 1, pp. 82–105, 2013.
 [5] I. Ito and H. Kiya, “Onetime key based phase scrambling for phaseonly correlation between visually protected images,” in EURASIP J. Information Security, vol. 2009, no. 841045, 2010.
 [6] T. Chuman, K. Kurihara, and H. Kiya, “On the security of block scramblingbased etc systems against jigsaw puzzle solver attacks,” in IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2017, pp. 2157–2161.
 [7] J. Zhou, X. Liu, O. C. Au, and Y. Y. Tang, “Designing an efficient image encryptionthencompression system viapredictionerrorclusteringandrandompermutation,” in IEEE transactions on information forensics and security, vol. 9, no. 1, 2014, pp. 39–50.
 [8] K. Kurihara, S. Shiota, and H. Kiya, “2015 an encryptionthencompression system for jpeg standard,” in Picture Coding Symposium (PCS), 2015, pp. 119–123.
 [9] K. Kurihara, M. Kikuchi, S. Imaizumi, S. Shiota, and H. Kiya, “An encryptionthencompression system for jpeg/motion jpeg standard,” in IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 98, no. 11, 2015, pp. 2238–2245.
 [10] T. Chuman, K. Kurihara, and H. Kiya, “On the security of block scramblingbased etc systems against jigsaw puzzle solver attacks,” in 2017 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2017, pp. 2157–2161.
 [11] T. Chuman, K. Kurihara, and H. Kiya, “Security evaluation for block scramblingbased etc systems against extended jigsaw puzzle solver attacks,” in 2017 IEEE International Conference on Multimedia and Expo (ICME), 2017, pp. 229–234.
 [12] T. Chuman, K. Iida, and H. Kiya, “Image manipulation on social media for encryptionthencompression systems,” in 2017 AsiaPacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), 2017.
 [13] T. Chuman, K. Kurihara, and H. Kiya, “On the security of block scramblingbased etc systems against extended jigsaw puzzle solver attacks,” IEICE Transactions on Information and Systems, vol. E101.D, no. 1, pp. 37–44, 2018.
 [14] T. Araki, A. Barak, J. Furukawa, T. Lichter, Y. Lindell, A. Nof, K. Ohara, A. Watzman, and O. Weinstein, “Optimized honestmajority mpc for malicious adversaries  breaking the 1 billiongate per second barrier,” in IEEE Symposium on Security and Privacy (SP), 2017, pp. 843–862.
 [15] T. Araki, J. Furukawa, Y. Lindell, A. Nof, and K. Ohara, “Highthroughput semihonest secure threeparty computation with an honest majority,” in Proceedings of ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 805–817.
 [16] W. Lu, S. Kawasaki, and J. Sakuma, “Using fully homomorphic encryption for statistical analysis of categorical, ordinal and numerical data,” in IACR Cryptology ePrint Archive, vol. 2016, 2016, p. 1163.

[17]
Y. Aono and T. Hayashi and L. Phong and L. Wang, “Privacypreserving logistic regression with distributed data sources via homomorphic encryption,”
IEICE Transactions on Information and Systems, vol. E99.D, no. 8, pp. 2079–2089, 2016.  [18] C. Rathgeb, and A. Uhl, “A survey on biometric cryptosystems and cancelable biometrics,” in EURASIP J. Information Security, vol. 2011, no. 1, 2011, pp. 1–25.
 [19] K. Nandakumar, A. K. Jain, “Biometric template protection: Bridging the performance gap between theory and practice,” in Signal Processing Magazine, IEEE, vol. 32, no. 5, 2015, pp. 88–100.
 [20] S. Rane, “Standardization of biometric template protection,” in Signal Processing Magazine, IEEE, vol. 21, no. 4, 2014.
 [21] J. Wright, A. Yang, A. Ganesh, S. Sastry, and Y. Ma, “Robust face recognition via sparse representation,” in IEEE Trans. Pattern Analysis and Machine Intelligence, vol. 31, no. 2, 2009.
 [22] I. Nakamura, Y. Tonomura, and H. Kiya, “Unitary transformbased template protection and its properties,” in European Signal Processing Conference, vol. SIPAP3.4, 2015, pp. 2466–2470.
 [23] I. Nakamura, Y. Tonomura, and H. Kiya, “Unitary transformbased template protection and its application to l2norm minimization problems,” in IEICE Transactions on Information and Systems, vol. E99D, no. 1, 2016, pp. 60–68.
 [24] A.S. Georghiades, P.N. Belhumeur, and D.J. Kriegman, “From few to many: Illumination cone models for face recognition under variable lighting and pose,” in IEEE Trans. Pattern Analysis and Machine Intelligence, vol. 23, no. 6, 2001, pp. 643–660.
 [25] M. G. Genton, “Classes of kernels for machine learning: A statistics perspective,” J. Mach. Learn. Res., vol. 2, pp. 299–312, 2002.
Comments
There are no comments yet.