Encrypted Domain Secret Medical-Image Sharing With Secure Outsourcing Computation in IoT Environment

Uploaded by

Jyoti Bikash Choudhury

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

10 views

Encrypted Domain Secret Medical-Image Sharing With Secure Outsourcing Computation in IoT Environment

Uploaded by

Jyoti Bikash Choudhury

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 12

This article has been accepted for publication in IEEE Internet of Things Journal.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3293165

Encrypted Domain Secret Medical-Image

Sharing with Secure Outsourcing Computation
in IoT Environment
Jingwang Huang, Qi Cui, Zhili Zhou, Member, IEEE, Keping Yu, Member, IEEE, Ching-Nung Yang,
Senior Member, IEEE, Kim-Kwang Raymond Choo, Senior Member, IEEE1

Abstract—In existing Secret Medical-Image Sharing (SMIS) habits. The terminal devices generate and transmit a huge
schemes, to protect and manage secret medical-images (SMIs), the amount of medical data on networks every day. However, how
sharing and recovery of each SMI are implemented by local to protect and manage these medical data effectively in IoT
servers of medical institutions. However, since a lot of SMIs are environment has become a challenge.
produced by personal smart terminal devices in Internet of Things
To protect and manage Secret Medical-Images (SMIs), some
(IoT) environment, directly implementing the sharing and
recovery processes will cause excessive communication and Secret Medical-Image Sharing (SMIS) schemes have been
computing burden for those local servers, which makes the proposed [1–4], which usually work as follows. First, each SMI
existing SMIS schemes not suitable for IoT environment. To is divided into several shares using secret image sharing (SIS)
address the above issue, we propose an Encrypted domain SMIS algorithms such as Visual Secret Sharing (VSS) [4] and
(Enc-SMIS) scheme with secure outsourcing computation for Polynomial-based Secret Image Sharing (PSIS) [2, 3]. Then,
protecting and managing medical images in IoT environment. In those shares are separately distributed to the local servers of
the proposed scheme, the medical images are first encrypted using medical institutions for storage. When a doctor needs to observe
Fully Homomorphic Encryption (FHE) and then outsourced to a
a specified SMI, the SMI is recovered from those shares stored
cloud server for generating a set of image shares. Subsequently,
in the local servers. In these schemes, the SMI sharing and
these shares are stored separately in different local servers of
medical institutions. Furthermore, the recovery process is also recovery processes are implemented by local servers of medical
outsourced to the cloud server when doctors need to observe the institutions. However, since a lot of SMIs are produced by
patients’ medical images. Compared with the existing SMIS personal smart terminal devices in Internet-of-Things (IoT)
schemes, the proposed Enc-SMIS scheme alleviates the computing environment, directly implementing the sharing and recovery
and communication burden on local servers significantly with of SMI will cause a lot of communication and computing
secure outsourcing computation in the semi-honest model, and burden for those local servers. Thus, these schemes are not
thus supports the storage and management of medical images well suitable for the Internet-of-Things (IoT) environment.
in IoT environment. To solve the above issue, we introduce a secure outsourcing
Index Terms—Secret image sharing (SIS), Fully homomorphic
encryption (FHE), Secure outsourcing computation, Internet of
computing scheme for SMIS in IoT environment. The
Things (IoT). outsourcing computation is the integration of cloud computing
and encryption technologies. The local servers of medical
I. INTRODUCTION institutions with limited resources can easily outsource the
complex computation tasks to the cloud server. Specifically, the
W ITH the rapid development of smart terminal devices
and Internet-of-Things (IoT) technologies, it has become
increasingly convenient for people to continuously capture their
tasks of SMI sharing and recovery are outsourced to the cloud
server to solve the problem of limited resources of local servers.
In addition, in the semi-honest model of a cloud computing
medical records for monitoring their health or transmitting them
environment, patients’ SMIs might be observed and leaked by
to healthcare medical institutions. For example, smart bracelets
the cloud server [5]. To mitigate this issue, a Fully
are used to monitor heartbeat and blood pressure, smartphones
Homomorphic Encryption (FHE) algorithm, initially
are employed to count the sleep time of users, and some other
introduced by Gentry in 2009 [6], is employed to encrypt the
devices are utilized to record people’s daily diet and exercise

This work is supported in part by the National Natural Science Foundation Engineering, Nanyang Technological University, 639798, Singapore. (Email:
of China under Grant 61972205, U1936218, and in part by the Guangdong [email protected], [email protected],
Natural Science Funds for Distinguished Young Scholar under Grant [email protected]).
2023B151502004, in part by National Science and Technology Council under Keping Yu is with the Graduate School of Science and Engineering, Hosei
Grant No. 112-2221-E-259-007-MY2, and in part by the Collaborative University, Tokyo 184-8584, Japan (e-mail: [email protected]).
Innovation Center of Atmospheric Environment and Equipment Technology Ching-Nung Yang is with the Department of Computer Science and
(CICAEET) fund, China. The work of K.-K. R. Choo was supported only by Information Engineering, National Dong Hwa University, Hualien 974301,
the Cloud Technology Endowed Professorship. (The corresponding authors are Taiwan (e-mail: [email protected]).
Zhili Zhou and Qi Cui). Kim-Kwang Raymond Choo is with the Department of Information Systems
Jingwang Huang, Qi Cui, and Zhili Zhou are with the Institute of Artificial and Cyber Security, The University of Texas at San Antonio, San Antonio, TX
Intelligence and Blockchain, Guangzhou University, Guangdong, 510006, 78249 USA. (e-mail: [email protected])
China, and Qi Cui is also with the School of Electrical and Electronic Jingwang Huang and Qi Cui contribute equally to this work.

Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 11,2023 at 12:20:59 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3293165

secret images before outsourcing. It supports addition and Enc-SMIS scheme. Section IV and Section V conduct the
multiplication operations in the encrypted domain and the security analysis and experiments, respectively. The conclusion
results after decryption are the same as the calculation results in is drawn in Section VI.
the plaintext domain.
In this paper, we propose an Encrypted domain Secret II. RELATED WORKS
Medical-Image Sharing (Enc-SMIS) scheme with secure
A. Polynomial-Based Secret Image Sharing
outsourcing computation. First, each SMI is homomorphically
encrypted as ciphertext by the FHE algorithm and is then In 1979, Shamir [7] and Blakley [8] first proposed the secret
transmitted to the cloud server. Then, the cloud server generates sharing scheme. To protect the data 𝑚, 𝑛 pieces were divided
shares in the encrypted domain securely and efficiently. in such a way that 𝑚 can be easily reconstructed from any 𝑘
Subsequently, the generated shares are distributed to different pieces, where 𝑘 < 𝑛.
medical institutions for storage. When a doctor needs to observe In the literature, there are two main models of SIS schemes:
the SMI of a patient, some medical institutions will authorize Visual Secret Sharing (VSS) and Polynomial-based Secret
the access rights of corresponding shares to a cloud server. Image Sharing (PSIS). In 1995, Naor and Shamir [9] proposed
Afterward, the cloud server will recover the Encrypted Secret a VSS scheme, in which each image is encoded into multiple
Medical Image (ESMI). Finally, the patient will obtain and shares and then decoded by the human visual system rather than
decrypt the ESMI through smart devices and send it to the computers. However, it has several weaknesses, including large
doctor. In addition, we extend the traditional PSIS to the field sizes of shares, incomplete recovery, pixel expansion, and low
of large real numbers to achieve a good balance between the visual quality. Hence, some researchers focused on the research
security and the efficiency of PSIS when using the FHE of PSIS. In 2002, Thien and Lin [10] proposed the (𝑘, 𝑛)-PSIS
algorithm. We further conduct the security analysis and scheme based on Shamir’s (𝑘, 𝑛) threshold secret sharing
extensive experiments to demonstrate the superiority of the scheme, which can reduce the size of shares to 1/𝑘 of the
proposed Enc-SMIS scheme. Its advantages can be summarized secret image. Inspired by [10], many PSIS schemes have been
as follows: proposed by combining other technologies such as
steganography [11–13] and watermarking [14–16] to improve
1) The security of SMIs can be ensured in the semi-honest
the security performance. For example, Kong et al. [13]
model. Both the SMI sharing process and recovery
presented a scalable secure scheme based on steganography for
process are implemented by the cloud server in the
sharing secret images in an imperceptible manner. Specifically,
encrypted domain. Moreover, medical institutions only
each original image is split by discrete wavelet transform to
store the shares in the form of ciphertext on their local
generate shares, and then each share is hidden into a cover
servers. Therefore, there is no leakage of any
image. The advantage of the proposed scheme is that the
information from the SMI without the patients’
security of shares is improved significantly. Azza et al. [17]
authorizations.
proposed a Multi-Secret Image Sharing (MSIS) scheme based
2) Excessive computing burden can be alleviated for smart on steganography, which provides good resistance against noise
terminal devices and medical institutions. Given the attacks and cropping attacks. However, in these steganography-
limited resources of terminal devices and a huge amount based SIS schemes, the existence of hidden image shares can
of medical data, the time-consuming tasks, i.e., SMI be detected by various powerful steganalysis tools. Mahdi et al.
sharing and recovery, are outsourced to the cloud server. [18] used the Integer Wavelet Transform (IWT) technique to
This secure outsourcing process allows the medical embed each share as a watermark into a host image. Ei-Laif et
institutions only need to store the shares of SMIs, while al. [19] introduced two quantum information-hiding
terminal devices only need to encrypt and decrypt the approaches for encrypting and embedding shares into quantum
SMIs. Thus, their computing burden is alleviated cover images. In the above methods, the shares are embedded
significantly. into cover images, which makes it hard to attract attackers’
3) The communication burden between smart terminal attention. Thus, the security of shares is improved significantly.
devices and medical institutions is reduced. Instead of Recently, secret sharing technologies [1–4] have been also
directly communicating data between smart terminal adopted to protect the SMIs in healthcare systems. Yang et al.
devices and medical institutions, the cloud server is used [4] used a visual secret sharing scheme to realize the secure
as an intermediary for data communication. Consequent- storage of SMIs in public servers. First, the medical institution
ly, the frequent authentications between terminal devi- generates a key share for each SMI using a random seed. Then,
ces and medical institutions can be avoided effectively. it also generates a master share of the SMI according to the key
4) The proposed Enc-SMIS scheme can be applied well in share by visual cryptography technology. The master share is
IoT environment. Benefiting from the above advantages, stored in a public server and the random seed is stored in the
the proposed Enc-SMIS scheme can protect and manage institution. In the recovery stage, both the mater share and the
a huge number of SMIs produced by terminal devices, random seed are used to recover the original SMI. Marwan et
thus making it suitable for IoT environment. al. [2, 3] proposed an SMIS scheme based on the traditional
The rest of the paper is organized as follows. Section II
presents the related works. Section III describes the proposed

Fig. 1. The framework of the proposed Enc-SMIS scheme. The SMI Sharing Stage is indicated by the yellow arrows, i.e., the
generation process. The SMI Recovery Stage is indicated by the orange arrows, i.e., the recovery process.
PSIS, which generates a set of shares from each SMI and then Compared to the first-generation FHE algorithms, most
stores these shares in cloud servers. Since the cloud servers are operations of the second-generation FHE algorithms are
semi-honest, it is possible that the medical data stored in cloud relatively efficient and they usually cost less than 1 second [24].
servers will be leaked and stolen. Petal et al. [1] developed the However, the second-generation FHE algorithms express the
SMIS system relying on the consensus mechanism in ciphertexts and keys as vectors, and thus the homomorphic
blockchain without a trusted third party. Different from multiplication will lead to the dimension expansion in the
traditional SMIS schemes, the sharing and recovery of each ciphertext vectors. The third-generation FHE algorithms, such
SMI are established on a private blockchain, and the SMI is as GWS [25], are constructed based on approximate
recovered with a certain consensus. eigenvector. However, the efficiency of GWS is not as good as
BGV [24]. Moreover, the common drawback of all the above
B. Fully Homomorphic Encryption based-on R-LWE
FHE algorithms is that they only support integer encryption.
Homomorphic encryption allows any third party to conduct Recently, the CKKS algorithm [26] is constructed based on
some arithmetical operations on the ciphertexts without the R-LWE problem, and it supports addition and multiplication
decryption, and the computational results after decryption are operations of real numbers, i.e., integers and floating-point
the same as the computational results in the plaintext domain. numbers. All calculations in CKKS are limited to a polynomial
It can be expressed as the following mathematical formula: ring ℝ = ℤ [𝑥]/𝑓(𝑥), where ℤ [𝑥] is a polynomial set with
𝑓 𝐸𝑛𝑐(𝑚𝑠𝑔) = 𝐸𝑛𝑐(𝑓(𝑚𝑠𝑔)). coefficients belonging to the remaining class of 𝑞 , 𝑓(𝑥) =
In the past decades, many Homomorphic Encryption (HE) 2 + 1, 𝐷 = 2 , 𝑑 is a positive integer, and 𝐷 is the degree
algorithms, such as 𝑃𝑎𝑖𝑙𝑙𝑒𝑟 [20, 21] and 𝐸𝑙𝐺𝑎𝑚𝑎𝑙 [21], have of the polynomial ring ℝ . Due to the high computational
been proposed. However, those algorithms can only support
efficiency, CKKS is mainly used in outsourcing computing [27,
single operations or limited times of combinatorial operations 28], multi-party security computing [29, 30], and federated
of addition and multiplication. In 2009, Gentry [6] proposed the learning [31–33]. In the proposed Enc-SMIS scheme, we
first Fully Homomorphic Encryption (FHE) algorithm, which extend the CKKS scheme to the field of large real numbers for
supports both the addition and the multiplication operations. SMIS to improve the efficiency of outsourcing computation.
After that, FHE has become a hot research topic and has been
greatly developed. In the literature, there are three generations III. THE PROPOSED MEDICAL-IMAGE SHARING SCHEME
of FHE algorithms.
Gentry’s algorithm [6] is the first-generation FHE algorithm, In this section, we propose an Encrypted domain Secret
which is constructed based on the ideal lattice. However, Medical Image Sharing (Enc-SMIS) scheme with secure
Gentry’s algorithm suffers from the problem of high outsourcing computation, which is detailed as follows.
computational complexity. The second-generation FHE A. Overview of the Proposed System
algorithms are usually constructed based on Learn With Error In the proposed Enc-SMIS scheme, there are five kinds of
(LWE) or Ring-LWE (R-LWE). The famous examples of participants: patients, terminal devices, medical institutions,
second-generation FHE algorithms are BGV [22] and BFV [23].

Algorithm 1: Batch Encryption

Inputs: 𝑆𝑀𝐼
Outputs: 𝐸𝑆𝑀𝐼
Initialize a row vector 𝑣
Foreach 𝑖 ∈ {1,2, … 𝑤} do
Foreach 𝑗 = 1,2, … , ℎ do
𝑣. 𝑝𝑢𝑠ℎ_𝑏𝑎𝑐𝑘(𝑆𝑀𝐼 )
End
End
𝑙𝑒𝑛 ← 𝑠𝑖𝑧𝑒(𝑣)
𝑁 ← ⌈𝑙𝑒𝑛 /(𝐷/2)⌉
Foreach 𝑖 ∈ {0,1, . . , 𝑁 − 1} do
Initialize a new vector 𝑣𝑒𝑐
𝑣𝑒𝑐 ← {𝑣 / × , 𝑣 / × , … , 𝑣 ( , / ×( ) )}
Fig. 2. Illustration of batch encryption process.
encryption the vector: 𝑐𝑖𝑝 ← 𝐸𝑛𝑐(𝑣𝑒𝑐, 𝑝𝑘) transmitted to patient. Patient will decrypt the ESMI and send
𝐸𝑀𝑆𝐼. 𝑝𝑢𝑠ℎ_𝑏𝑎𝑐𝑘(𝑐𝑖𝑝) it to doctor.
End B. SMI Sharing
cloud server, and doctors. Patients provide the data source of In this subsection, we elaborate on two main steps of the SMI
SMIs. Their daily activities such as exercise, diet, and sleep will sharing stage: batch encryption and encrypted domain share
be recorded to form the corresponding SMIs. Terminal devices generation.
are the data collectors, which are responsible for capturing and 1) Batch Encryption. Since the tasks of SMI sharing and
collecting SMIs through sensors. In addition, those devices are recovery are outsourced to the semi-honest server, i.e., cloud
also required to encrypt the SMIs to obtain the Encrypted SMIs server, the SMIs are required to be encrypted before the
(ESMIs) before outsourcing. Cloud server is the outsourcing outsourcing. However, if the pixels of each SMI are encrypted
service provider, which aims to generate encrypted shares from one by one, the computational complexity is unacceptable due
ESMIs and recover the ESMIs by the authorized shares in the to the relatively low relatively efficiency of FHE algorithms. To
encrypted domain. Medical institutions are in charge of storing conquer this problem, we adopt the batch encryption strategy
encrypted shares. Also, once an institution intends to recover for encryption. Specifically, multiple pixels of each SMI are
the ESMIs, they will authorize the institution’s identity and packed and then encrypted in parallel, and thus the encryption
upload the authorized shares to cloud server. Doctors are the efficiency is improved significantly. The batch encryption
users of SMIs. They will initiate a request of SMI recovery strategy is illustrated by Algorithm 1 and Fig. 2, and more
when they need the SMI to assist in diagnosis. The framework details are given as follows.
of the Enc-SMIS scheme is shown in Fig. 1. It works as follows. Step (1): Each SMI is converted to a vector. Suppose the size
1) SMI Sharing Stage. In the proposed Enc-SMIS scheme, of SMI is 𝑤 × ℎ. All pixels of a given SMI are concatenated to
each patient will generate his unique public key 𝑃𝑘 and form a vector 𝑣. The length of the vector is denoted by 𝑙𝑒𝑛 =
private key 𝑆𝑘 for the CKKS algorithm after setting its 𝑤 × ℎ.
parameter 𝐷. The public key 𝑃𝑘 is publicly available and 𝑆𝑘 Step (2): The vector 𝑣 is split into a set of subvectors
is stored in the user’s mobile phone. Patient’s medical records {𝑣 |1 ≤ 𝑖 ≤ 𝑁 }, where 𝑁 is the number of subvectors. The
will be collected to form the SMIs by various sensors. Then, to length of each subvector is 𝐷/2 , where 𝐷 is the degree of the
save computing resources, terminal devices will encrypt the polynomial ring ℝ in CKKS algorithm [26].
SMIs using batch encryption [34] and upload the ESMIs to Step (3): The subvectors are encrypted as
cloud server to outsource the SMI sharing task. Subsequently, {𝑉 = 𝐸𝑛𝑐(𝑣 )| 1 ≤ 𝑖 ≤ 𝑁 } by the CKKS algorithm [26].
cloud server will generate the shares in the encrypted domain Step (4): Finally, terminal devices pack the encrypted sub
by the designed PSIS scheme. Finally, the generated shares will vectors to form the ciphertext file of ESMI and upload it to
be distributed to different medical institutions. cloud server for outsourcing the task of SMI sharing.
2) SMI Recovery Stage. When a patient needs healthcare 2) Encrypted Domain Share Generation. Then, a set of
services, doctor will send the request of recovering the patient’s shares are generated from each ESMI in the encrypted domain
SMI to medical institution. Then, medical institution will using the extended Polynomial-based Secret Image Sharing
authenticate the doctor’s identity. Then, this institution will (PSIS) scheme.
require other institutions’ authorizations for uploading their In the traditional polynomial-based (𝑘, 𝑛)-threshold secret
shares to cloud server. Once 𝑘 pieces of authorizations are image sharing, the secret pixels are hidden into the coefficients
obtained and the corresponding 𝑘 shares are uploaded to cloud of the following polynomial.
server, medical institutions will outsource the SMI recovery
𝑦 = 𝑎 +𝑎 𝑥 + ⋯+𝑎 𝑥 (𝑚𝑜𝑑 𝑝) (1)
task to cloud server. Cloud server will reconstruct the ESMI in
the encrypted domain with the SMI recovery algorithm Then, participants select 𝑛 different integer values 𝑥 (1 ≤
designed in this paper. Finally, the reconstructed ESMI will be 𝑖 ≤ 𝑛) and input 𝑥 into Eq. (1) to generate the share pixels

Algorithm 2: Share Generation Algorithm Algorithm 3: Semi-ciphertext Computation

Inputs: 𝐸𝑆𝑀𝐼, {𝑥 |1 ≤ 𝑖 ≤ 𝑛}, 𝑝𝑘 Inputs: 𝑃𝑘, {𝐸𝑆 |1 ≤ 𝑖 ≤ 𝑘}, {𝑥 |1 ≤ 𝑖 ≤ 𝑘}
Outputs: {𝐸𝑆 |1 ≤ 𝑖 ≤ 𝑛} Outputs: 𝐸𝑆𝑀𝐼
Initialize encrypted shadows: {𝐸𝑆 |1 ≤ 𝑖 ≤ 𝑛} calculate the number of ciphertext in the share: 𝑇
𝑁 ← 𝑠𝑖𝑧𝑒(𝐸𝑀𝑆𝐼) Foreach 𝑖 ∈ {1,2, … , 𝑘} do
Foreach 𝑖 ∈ {1,2, … , 𝑛} do 𝑚 =1
𝑋 ← 𝐸𝑛𝑐(𝑥 , 𝑝𝑘) Foreach 𝑙 ∈ {1,2, . . , 𝑘} do
End If 𝑙 ≠ 𝑖 then
𝑇 ← ⌈𝑁 /𝑘⌉ 𝑚 ← 𝑚 × (𝑥 − 𝑥 )
Foreach 𝑗 ∈ {0,1, . . , 𝑇} do End
Foreach 𝑖 ∈ {1,2, … , 𝑛} do End
𝑌 ← 𝑉 + 𝑉 𝑋 +⋯+ 𝑉 𝑋 End
𝐸𝑆 . 𝑝𝑢𝑠ℎ_𝑏𝑎𝑐𝑘(𝑌 ) calculate the coefficients of ∏ , (𝑥 − 𝑥 ): 𝑑
End Foreach 𝑙 ∈ {0,1, … , 𝑘 − 1} do
End Foreach 𝑖 ∈ {1,2, … , 𝑘} do
𝐶 ← 𝐸𝑛𝑐(𝑑 ⁄𝑚 , 𝑃𝑘)
𝑦 , … , 𝑦 . Where, 𝑦 represents the pixel of 𝑖-th share. Since End
𝑘 pixels can be processed at a time, the above polynomial End
computation will be repeated until all secret pixels have been Foreach 𝑗 ∈ {1,2, … , 𝑇} do
processed. In the proposed scheme, we embed the encrypted Foreach 𝑙 ∈ {0,1, … , 𝑘 − 1} do
pixel vectors {𝑉 |1 ≤ 𝑖 ≤ 𝑁 } into the coefficients. If 𝑁 is Foreach 𝑖 ∈ {1,2, … , 𝑘} do
larger than 𝑘, the polynomial computation will repeat to embed 𝑉 ←𝑉 +𝑌 ×𝐶
all the vectors into the coefficients. End
Moreover, we extend the original PSIS to the field of large 𝐸𝑀𝑆𝐼. 𝑝𝑢𝑠ℎ_𝑏𝑎𝑐𝑘(𝑉 )
real numbers without molding 𝑝. Modulus operation is usually End
adopted to ensure the security of the data [7] and is widely used End
in PSIS schemes. It effectively weakens the mapping between
the hidden message and the ciphertext to ensure the security of The above process will be repeated until all encrypted vectors
pixels. However, there are some disadvantages when using the are hidden. Finally, all the ciphertexts generated by the same 𝑥
modulus operation in FHE algorithms [35]. Some operations will be packed to generate the file of encrypted share, denoted
such as division and modulus are very complex in the as 𝐸𝑆 . The generated shares are sent to the corresponding
encryption process of FHE algorithms. The idea of the extended medical institutions for storage. The share generation
PSIS is to simplify the calculation without modulus operation. algorithm is also given in Algorithm 2.
It is notable that the lack of modulus operation also poses some
problems in the traditional PSIS. It not only weakens the C. SMI Recovery
security but also easily makes the calculated results overflow. As described in the framework, the process of SMI recovery
However, these problems can be avoided in the extended PSIS needs the identity authentication of doctor, at least 𝑘 medical
since the SMI sharing and recovery are implemented in the institutions’ authorizations, and the outsource computing.
encrypted domain. The specific analysis will be elaborated in Since the computation in the encrypted domain is usually
the security analysis and experimental part. The SMI generation inefficient, we introduce a computation strategy, named as
and recovery processes in the encrypted domain are detailed as 𝑠𝑒𝑚𝑖-𝑐𝑖𝑝ℎ𝑒𝑟𝑡𝑒𝑥𝑡, in the SMI recovery stage. The main idea of
follows. 𝑠𝑒𝑚𝑖 - 𝑐𝑖𝑝ℎ𝑒𝑟𝑡𝑒𝑥𝑡 strategy is to transform unnecessary
Denote 𝑇 as the total times of polynomial computation. In computation in the encrypted domain to plaintext domain
the 𝑗 - 𝑡ℎ computation, the set of encrypted vectors without affecting the security of the scheme. Compared with
𝑉 ,𝑉 ,… , 𝑉 will be embedded. Thus, the implementing all computation in the encrypted domain, this
polynomial is modified as follows: strategy can greatly improve computational efficiency, which is
also proven by the experimental results in Section V-B. More
𝑦 = 𝑉 +𝑉 𝑥 + ⋯+ 𝑉 𝑥 (2) details are given as follows.
In Eq. (2), note that it is not necessary to implement the modulus Denote the set of the 𝑘 authorized institutions’ identifies as
operation as 𝑦 is in the field of a real number. Then, the cloud {𝑥 |1 ≤ 𝑖 ≤ 𝑘}, the encrypted share set as {𝐸𝑆 |𝑖 ∈ 𝐴}, and the
server will encrypt the number 𝑥 as 𝑋 , 0 < 𝑖 ≤ 𝑛 . patient's public key as 𝑃𝑘 . The result of the outsourcing
Subsequently, 𝑋 will be input into Eq. (2) to generate the computation is the ESMI. To restore the ESMI, it is necessary
ciphertext 𝑌 , , which refers to the ciphertext generated by 𝑋 to reconstruct the coefficients of polynomials, as shown in Eq.
in the 𝑗-𝑡ℎ polynomial computation. (3). There are totally 𝑇 polynomials that need to be
reconstructed. In the 𝑗-𝑡ℎ reconstruction, we take the 𝑗-𝑡ℎ
𝑌, = 𝑉 + 𝑉 𝑋 + ⋯+𝑉 𝑋 (3) ciphertext in each share to compute the Lagrange interpolation

polynomial 𝐿𝑛 (𝑥), which is used for share generation in the TABLE I

MINIMUM VALUE OF PARAMETER 𝐷 WITH DIFFERENT 𝑘.
encrypted domain, as shown in Eq. (4): 𝑘 𝐷 𝑇 (s) 𝑇 (s) 𝑎𝑐𝑐𝑢𝑟𝑎𝑐𝑦
(𝑥 − 𝑥 ) 2 8192 0.089 0.040 100%
𝐿𝑛 (𝑥) = 𝑌 (4) 3 8192 0.179 0.099 100%
(𝑥 − 𝑥 )
, 4 8192 0.271 0.146 100%
In Eq. (4), it is notable that the plaintexts and ciphertexts are 5 8192 0.363 0.226 100%
mixed, and it is not necessary to convert all plaintexts to 6 8192 0.440 0.318 100%
ciphertexts. To simplify the expression of polynomials, we 7 8192 0.526 0.433 100%
define the variable 𝑚 = ∏ , (𝑥 − 𝑥 ). Therefore, Eq. (4) 8 16384 1.280 1.170 100%
can be further derived as
𝑌 between the pixels of the original SMI and shares, which will
𝐿𝑛 (𝑥) = (𝑥 − 𝑥 ) (5) also cause a security issue.
𝑚
, However, our scheme does not have the above security issues.
Then multiplicative polynomial ∏ , (𝑥 − 𝑥 ) should be That is because all shares are encrypted beforehand for share
expended and merged to obtain a polynomial with coefficient storage and SMI recovery, and others cannot obtain any
𝑑 by information of the original SMI without the private key 𝑆𝑘.
Thus, when an attacker obtains fewer than 𝑘 shares, he cannot
𝑌 reveal any information of the original SMI. Specifically, for a
𝐿𝑛 (𝑥) = 𝑑 𝑥 (6)
𝑚 given plaintext 𝑚 ∈ ℝ (ℝ is a polynomial ring of degree
𝐷), the ciphertext 𝑐 will satisfy 𝐸𝑛𝑐 (𝑐) = 𝑚 + 𝑒(𝑒 ∈ ℝ ),
Since only the CKKS algorithm supports the encryption of
where 𝑒 denotes the error determined by a random polynomial
float numbers, we will encrypt 𝑑 ⁄𝑚 as ciphertext 𝐶 using
the CKKS algorithm, and thus the Eq. (6) can be further of degree 𝐷 . Since the coefficients of random 𝐷 -degree
converted to: polynomial could be 0 or 1, the probability of guessing 𝑒 is
about 1/2 . As there are 𝑘 − 1 ciphertexts, i.e., the encrypted
shares in our scheme, the probability of decrypting all the
𝐿𝑛 (𝑥) = 𝑌 𝐶 𝑥 (7)
plaintexts without the key will be 1/2 ×( ) . As 𝐷 is no less
than 8,192 according to the experimental part, the probability is
As Eq. (2) and Eq. (7) represent the same polynomial, we can very close to 0. Moreover, in most cases, the error 𝑒 will
compute the coefficients of the polynomial by increase after several calculations, and thus those coefficients
are not only equal to the binary value, i.e., 0 or 1. Consequently,
𝑉 = 𝑌 ×𝐶 (8) the probability is 𝑃𝑟 < 1/2 ×( ) in practice. That means it
is almost impossible to obtain the plaintext. In addition, since
𝑉 is the coefficient of 𝑋 during the 𝑗-𝑡ℎ reconstruction. the SMI is encrypted before share generation, the encryption
The computed vectors { 𝑉 |1 ≤ 𝑗 ≤ 𝑇, 0 ≤ 𝑙 < 𝑘 } can be will break the mapping relationships between the pixels of the
concatenated to form the ESMI, which will be sent to the original SMI and shares caused by the lack of modulus
patient for decryption. The 𝑠𝑒𝑚𝑖 -𝑐𝑖𝑝ℎ𝑒𝑟𝑡𝑒𝑥𝑡 Computation operation, and thus ones cannot obtain any information of the
algorithm is also described in Algorithm 3. original SMI from the mapping relationships. In summary,
fewer than 𝑘 shares cannot reveal the SMI in the proposed
IV. SECURITY ANALYSIS scheme.
Theorem 2: The outsourcing computation is secure in the
To protect patients’ privacy, the SMIs should not be leaked semi-honest model.
to any party without patients’ authorizations. Generally, cloud Proof: Cloud computing is usually regarded as a semi-honest
computing is a semi-honest environment, and it is not fully environment. In the outsourcing computing of the proposed
trusted by medical institutions and patients. Then we will scheme, all operations are implemented in the encrypted
analyze our scheme’s security in the above semi-honest model. domain, and the cloud server does not have the private key for
Theorem 1: Fewer than 𝑘 shares cannot reveal the SMI. decryption. Therefore, the cloud server cannot obtain any
Proof: In a 𝑘 − 1 degree polynomial, 𝑘 unknown information of the SMI from the encrypted shares as well as
parameters need to compute. Therefore, no fewer than 𝑘 from the computing result, i.e., the encrypted SMI.
equations should be constructed to recover the polynomial, and Theorem 3: The storage of encrypted shares can resist signal
thus 𝑘 shares are required at least. However, Beimel et al. [37] point failure.
pointed out that, if there are fewer than 𝑘 shares, a very little Proof: In SIS schemes, any 𝑘 shares can recover the secret
information of the secret image can be still recovered and image. If a medical institution loses data due to the outside
leaked [37]. Moreover, since the extended PSIS scheme does attacks or improper operations, the SMI can also be recovered
not implement the modulus operation with a constant 𝑝 in the from the remaining 𝑛 − 1 shares unless more than 𝑛 − 𝑘
share generation stage, there are some mapping relationships shares are lost simultaneously. Moreover, medical institutions

TABLE II
THE SHARING TIME AND RECONSTRUCTION TIME PER IN SINGLE POLYNOMIAL COMPUTATION UNDER DIFFERENT (𝑘, 𝐷) CONDITIONS.

Sharing time 𝑻𝟏 Reconstruction time 𝑻𝟐

Schemes
𝑫 = 𝟖𝟏𝟗𝟐 𝑫 = 𝟏𝟔𝟑𝟖𝟒 𝑫 = 𝟑𝟐𝟕𝟔𝟖 𝑫 = 𝟖𝟏𝟗𝟐 𝑫 = 𝟏𝟔𝟑𝟖𝟒 𝑫 = 𝟑𝟐𝟕𝟔𝟖
Traditional 𝟎. 𝟎𝟖𝟓 𝟎. 𝟏𝟖𝟓 𝟎. 𝟑𝟖𝟗 𝟎. 𝟎𝟒𝟎 𝟎. 𝟎𝟖𝟐 𝟎. 𝟏𝟕𝟐
𝒌=2
Batch 𝟎. 𝟎𝟖𝟗 𝟎. 𝟏𝟖𝟓 𝟎. 𝟑𝟖𝟕 𝟎. 𝟎𝟒𝟎 𝟎. 𝟎𝟖𝟐 𝟎. 𝟏𝟕𝟑
Traditional 𝟎. 𝟏𝟖𝟐 𝟎. 𝟑𝟔𝟔 𝟎. 𝟕𝟔𝟐 𝟎. 𝟎𝟗𝟗 𝟎. 𝟏𝟕𝟗 𝟎. 𝟑𝟔𝟑
𝒌=3
Batch 𝟎. 𝟏𝟕𝟗 𝟎. 𝟑𝟔𝟖 𝟎. 𝟕𝟕𝟎 𝟎. 𝟏𝟎𝟎 𝟎. 𝟏𝟕𝟓 𝟎. 𝟑𝟓𝟕
Traditional 𝟎. 𝟐𝟕𝟎 𝟎. 𝟓𝟔𝟓 𝟏. 𝟏𝟖𝟎 𝟎. 𝟏𝟒𝟔 𝟎. 𝟑𝟎𝟏 𝟎. 𝟔𝟑𝟐
𝒌=4
Batch 𝟎. 𝟐𝟕𝟏 𝟎. 𝟓𝟔𝟓 𝟏. 𝟏𝟔𝟎 𝟎. 𝟏𝟒𝟓 𝟎. 𝟐𝟗𝟔 𝟎. 𝟔𝟑𝟒
Traditional 𝟎. 𝟑𝟔𝟑 𝟎. 𝟕𝟑𝟔 𝟏. 𝟓𝟒𝟎 𝟎. 𝟐𝟐𝟔 𝟎. 𝟒𝟔𝟔 𝟎. 𝟗𝟕𝟔
𝒌=5
Batch 𝟎. 𝟑𝟔𝟎 𝟎. 𝟕𝟑𝟔 𝟏. 𝟓𝟐𝟎 𝟎. 𝟐𝟐𝟑 𝟎. 𝟒𝟔𝟑 𝟎. 𝟗𝟕𝟗
Traditional 𝟎. 𝟒𝟑𝟖 𝟎. 𝟗𝟎𝟏 𝟎. 𝟏𝟗𝟐 𝟎. 𝟑𝟏𝟖 𝟎. 𝟔𝟔𝟖 𝟏. 𝟑𝟗𝟎
𝒌=6
Batch 𝟎. 𝟒𝟒𝟎 𝟎. 𝟗𝟐𝟎 𝟏. 𝟗𝟐𝟎 𝟎. 𝟑𝟐𝟑 𝟎. 𝟔𝟒𝟑 𝟏. 𝟑𝟗𝟎
Traditional 𝟎. 𝟓𝟏𝟖 𝟏. 𝟏𝟏𝟎 𝟐. 𝟐𝟔𝟎 𝟎. 𝟒𝟑𝟑 𝟎. 𝟗𝟎𝟑 𝟏. 𝟗𝟎𝟎
𝒌=7
Batch 𝟎. 𝟓𝟐𝟔 𝟏. 𝟏𝟎𝟎 𝟐. 𝟑𝟏𝟎 𝟎. 𝟒𝟐𝟎 𝟎. 𝟗𝟏𝟎 𝟏. 𝟖𝟗𝟎
Traditional − 𝟏. 𝟐𝟖𝟎 𝟐. 𝟔𝟗𝟎 − 𝟏. 𝟏𝟕𝟎 𝟐. 𝟒𝟕𝟎
𝒌=8
Batch − 𝟏. 𝟐𝟖𝟎 𝟐. 𝟕𝟐𝟎 − 𝟏. 𝟏𝟖𝟎 𝟐. 𝟒𝟑𝟎

TABLE III
proposed scheme. Thus, we will discuss the parameter settings
THE NUMBER OF SECRET PIXELS PROCESSED IN EACH POLYNOMIAL under different (𝑘, 𝑛) thresholds in the following experiments.
COMPUTATION. FOR SIMPLICITY, WE DENOTE TRADITIONAL AS TRAD. As mentioned in Section II, CKKS is constructed based on
𝐷 = 8192 𝐷 = 16384 𝐷 = 32768 R-LWE. All calculations in CKKS are limited to a polynomial
Schemes
Batch Trad Batch Trad Batch Trad
𝑘=2 8192 2 16384 2 32768 2
ring ℝ = ℤ [𝑥]/𝑓(𝑥), where ℤ [𝑥] is a polynomial set with
𝑘=3 12288 3 24576 3 49152 3 the coefficients in the remaining class of 𝑞 , 𝑓(𝑥) = 2 +
𝑘=4 16384 4 32768 4 65536 4 1, 𝐷 = 2 , and 𝑑 is a positive integer. 𝐷 is the degree of the
𝑘=5 20480 5 40960 5 81920 5
polynomial ring ℝ , which decides the highest degree of all
𝑘=6 24576 6 49152 6 98304 6 polynomials in ℝ . Since all ciphertexts are expressed as
𝑘=7 28672 7 57344 7 114688 7 polynomials in the CKKS algorithm, 𝐷 also decides the
𝑘=8 − − 65536 8 131072 8
storage sizes of ciphertexts. During the encryption, the SMI’s
pixel vector {𝑣 | 1 ≤ 𝑖 ≤ 𝑁 } are firstly encoded as a set of
Trad/
1/4096 1/8092 1/16384 polynomials, and then each polynomial is encrypted with a
Batch
random polynomial 𝑒 to form the ciphertext. The random
can also restore the lost encrypted shares, since the recovered polynomial is also regarded as noise, which can be used to
ESMI can be used to generate the encrypted shares again prevent the encrypted pixels from leaking. However, to decrypt
without decryption. Therefore, the proposed scheme has the the encrypted image successfully, the noise range should be
characteristics of data backup, and the storage of encrypted limited. In other words, when the noise is out of range, the
shares can resist signal point failure. decryption cannot be successfully implemented. In the
literature [23], it is pointed out that the tolerance range of noise
V. EXPERIMENTS AND RESULTS is related to the parameter 𝐷, which means the range will be
In this section, we conducted several experiments to evaluate extended with the growth of 𝐷 . The maximum value of 𝐷
the proposed scheme. All experiments are conducted on supported by the 𝑆𝐸𝐴𝐿 library is 32,768 [23]. During the
Windows 10 with i7-9750H CPU @2.60GHz. The basic process of calculation, homomorphic addition and
libraries of the language C++, as well as the SEAL library, are multiplication will increase the noise in the ciphertext.
used to design the outsourcing computation method based on Specifically, the ciphertext’s noise increases linearly during
CKKS. We adopt a typical medical image database, i.e., homomorphic addition, while the noise in the ciphertext will
COVID-CT [38] in the experiments. The code link is: increase exponentially by homomorphic multiplication.
https://github.com/201983290498/the-SIS-scheme-based-on- Consequently, although the CKKS algorithm supports infinite
FHE homomorphic operation in theory with bootstrap technology
A. The Parameter Setting [29], it is not true in practice. Therefore, the depth of
multiplication should be controlled when using CKKS.
In the experiments, the parameters of the CKKS algorithm According to the above introduction, the depth of
have a great impact on the efficiency and accuracy of the homomorphic multiplication will directly affect the size of

TABLE IV
5.50 THE COMPUTATION SAVED ON LOCAL TERMINALS’ SIDE UNDER DIFFERENT
𝑘.
5.00 𝑘 𝑇 (s) 𝑇 (s) 𝑇 (s) 𝑇 (s) 𝛼(%)
k=2
2 0.013 0.003 0.049 0.049 86.0
4.50 k=3 3 0.015 0.003 0.093 0.083 92.8
k=4 4 0.021 0.004 0.177 0.162 93.1
4.00 5 0.027 0.005 0.281 0.252 94.3
k=5
6 0.032 0.006 0.406 0.353 95.2
3.50 k=6
7 0.037 0.007 0.518 0.471 95.7
k=7
8 0.096 0.016 1.61 1.40 96.4
3.00 k=8
TABLE V
2.50 THE THRESHOLD RANGE OF THE PROPOSED SCHEME.
D=8192 D=16384 N=32768 𝑘 2 3 4 5 6 7 8

Fig. 3. The time cost of sharing an SMI of size 512 × 512. 𝑛 ≈ 10 ≈ 2400 ≈ 100 ≈ 50 ≈ 30 15 10

5.5 TABLE VI
5 STORAGE PARAMETERS OF SHARES WITH DIFFERENT 𝐷.
𝐷 𝑁 𝑆 𝑆
4.5 k=2 8192 4096 384KB 3.38MB
4 k=3 16384 8192 768KB 3.75MB
32768 16384 1.5MB 4.5MB
3.5 k=4

3 k=5 SMIS scheme in the following aspects: 1) the comparison

k=6 between the proposed PSIS scheme with batch encryption and
2.5
the traditional PSIS scheme and 2) the effect of homomorphic
k=7
2 encryption parameter 𝐷 on the efficiency of the proposed Enc-
k=8 SMIS scheme.
1.5
As an optimization strategy in FHE, batch encryption mainly
1 packs a set of pixels as one vector, and thus supports parallel
D=8192 D=16384 D=32768 encryption of multiple image pixels without affecting the FHE
Fig. 4. The time cost of recovering an SMI of size 512 × 512. operation efficiency. As mentioned in SMI sharing, all the
secret pixels are packed into a vector set {𝑣 |1 ≤ 𝑖 ≤ 𝑁 } and
noise, and the parameter 𝐷 decides the tolerable range of noise. then encrypted into a ciphertext set {𝑉 |1 ≤ 𝑖 ≤ 𝑁 }. During
In our scheme, both the sharing and recovery of SMIs are each single polynomial computation, 𝑘 ciphertexts are
implemented in the encrypted domain. To ensure the accuracy embedded into the 𝑘 coefficients, and the number of pixels in
of SMI recovery, it is necessary to find the minimum value of each vector 𝑣 is D/2. As a result, the number of pixels that
𝐷 under different 𝑘 . We define the variable 𝐷 as the can be processed in each polynomial computation is denoted as
minimum value of 𝐷 to ensure that the proposed Enc-SMIS 𝑁 =𝐷/2 × 𝑘. When the SMI’s size is over 𝑁 , the image needs
scheme works correctly. In addition, we test the sharing time to be processed multiple times. The total cost time 𝑇 of SMI
𝑇 of each polynomial generation, the reconstruction time 𝑇 sharing or recovery is evaluated by
of each polynomial reconstruction, and the accuracy of the 𝑇 = (𝑁 /𝑁 ) × 𝑇 (9)
SMIS scheme, as listed in Table I. In the experiment, 𝑛 is
fixed to 10. Where 𝑁 is the number of SMI’s pixels and the variable 𝑇
From the table, it is clear that the minimum value of 𝐷 is refers to the time cost of single computation, including the
8,192 when 𝑘 is less than 8. As 𝑘 increases, the computation sharing time 𝑇 and reconstruction time 𝑇 of each single
becomes more complex, and the minimum value of 𝐷 also polynomial computation. However, each coefficient can be
increases. When 𝑘 is up to 8, the minimum value increases to used to embed a pixel rather than a vector in the traditional PSIS
16,384. Moreover, our scheme can achieve 100% recovery schemes. As a result, the number of pixels 𝑁 that can be
accuracy. processed in single polynomial computation is equal to 𝑘 ,
In addition, according to Table I, the time consumption of which is only 2/𝐷 of that using batch encryption. Thus, to
single polynomial computation is about 1 second at most, which compare the efficiency of different schemes, it is necessary to
is acceptable in most practical scenarios. test their cost time of sharing and reconstruction in each single
computation.
B. The Efficiency of the Enc-SMIS Scheme
In addition, as 𝐷 grows, the number of pixels embedded in
In this subsection, we will test the efficiency of the Enc- each coefficient increases, and the time cost of all kinds of

Fig. 5. Three pairs of the original SMIs and the corresponding SMIs recovered by the proposed Enc-SMIS scheme.
operations in CKKS is also increased. Therefore, we try to find and 32,768, respectively.
out the optimal value of 𝐷 with different 𝑘. Additionally, the sharing time 𝑇 and reconstruction time
In the experiment, we list the number of processed pixels 𝑁 𝑇 increase with 𝐷 , which are consistent with theoretical
of the proposed Enc-SMIS scheme and the traditional scheme, expectations. Moreover, the growth rate 𝑇/𝐷 keeps nearly the
and the ratio of processed pixels per polynomial computation. same. For example, when 𝑘 is 3, the sharing time is 0.099s,
Then, we test the cost time of sharing 𝑇 and that of 0.179s, and 0.363s when 𝐷 is equal to 8,192, 16,384, and
reconstruction 𝑇 for traditional PSIS scheme and proposed 32,768, respectively. When the value of 𝐷 doubles, the time
scheme with different 𝐷, as listed in Table II. This experiment cost increases about two times.
not only tests the impact of batch encryption on computation According to the above, it can be concluded that, although
task but also reflects how the parameter 𝐷 influence the the SMI recovery is more complex than the SMI sharing, the
efficiency of the proposed Enc-SMIS scheme with different 𝑘. reconstruction time 𝑇 is much less than the sharing time 𝑇
Finally, we further test the time cost 𝑇 of the proposed Enc- with the same 𝐷 and 𝑘, which also proves the efficiency of
SMIS scheme to process a whole SMI of size 512 × 512. The the proposed 𝑠𝑒𝑚𝑖-𝑐𝑖𝑝ℎ𝑒𝑟𝑡𝑒𝑥𝑡 strategy.
experimental results are shown in Fig. 3 and Fig. 4. All the From Fig. 3 and Fig. 4, with batch encryption, the SMI
experiments are repeated many times and the average values of sharing time and SMI recovery time are no more than 6s, which
time cost are recorded. can satisfy the requirements of most practical applications in
As shown in Table II and Table III, as the value of 𝐷 IoT environment. In addition, the efficiency is higher when 𝐷
increases, more pixels can be processed in single polynomial is smaller with different 𝑘. Thus, we set 𝐷 as the minimum
computation. Moreover, the sharing and reconstruction of the value with different 𝑘 in the following experiments.
whole SMI can be realized only by repeating a small number of
C. Computation Saved on Local Terminals’ Side
polynomial computations, since the number of pixels processed
in each single computation is very large, making it efficient to As described in Section-III, terminal devices are only
apply the FHE in PSIS schemes. responsible for the encryption and decryption of the SMI. The
SMI sharing and recovery are outsourced to cloud server to
According to the results in Table II and Table III, for the
reduce the computation burden of terminal devices. Compared
traditional PSIS scheme and the proposed scheme, their sharing
to the traditional SMIS scheme, in which cloud server only
time 𝑇 and reconstruction time 𝑇 of each polynomial are
supports the storage services and terminal devices are required
almost the same with different values of 𝑘 and 𝐷. However, to complete the whole calculation of SMI sharing, the proposed
the number of processed pixels 𝑁 is 𝐷/2 × 𝑘 in the Enc-SMIS scheme greatly reduces the computation burden for
proposed Enc-SMIS scheme and that in the traditional PSIS the local servers of medical institutions. Then, we test the
scheme is only 𝑘. Thus, the total efficiency of the traditional computation saved on the local terminals’ side.
PSIS scheme is 1/(𝐷/2) of the proposed Enc-SIMS scheme. Since the proposed Enc-SMIS scheme contains the repeated
Specifically, the efficient ratios between the traditional PSIS process of polynomial generation and recovery, we only test the
scheme and the proposed Enc-SIMS scheme are 1/4,096 , encryption time 𝑇 , decryption time 𝑇 , share generation
1/8,192, 1/16,384, when the values of 𝐷 are 8,092, 16,384, time 𝑇 , and recovery time 𝑇 during each polynomial

computation with different 𝑘 . The saving rate 𝑅 of According to Table VI, the size of 𝑆 increases
computation is evaluated by 𝑅= proportionally with the increase of parameter 𝐷 . Moreover,
(𝑇 + 𝑇 )⁄(𝑇 + 𝑇 + 𝑇 + 𝑇 ) . As illustrated in selecting smaller 𝐷 yields a smaller 𝑆 . Taking 𝐷 = 8,192
Section V-B, the smaller 𝐷 is the better choice when 𝑘 is as an example, to hide all the pixels, the number of ciphertext
fixed. The value of 𝐷 is 8,192 when 𝑘 is less than 8, and the 𝑛𝑢𝑚 should be 10, and there are 672 pixels hidden in the last
value of 𝐷 is 16,384 when k is equal to 8. The results are ciphertext and the capacity is 4,092. When 𝐷 = 32,768, the
shown in Table IV. The saving rate 𝑅 reaches 86.0% to 96.4%. capacity of the last ciphertext is 16,384 and the number of
Specifically, as 𝑘 increases, the saving rate 𝑅 also grows. hidden pixels in the last ciphertext is still 672, and thus a lot of
That is because the computation tasks of SMI sharing and storage space can be saved.
recovery will be more complex as 𝑘 increases. In conclusion, Also, the proposed scheme reduces the communication
the proposed scheme can greatly reduce the local computation burden of terminal devices. That is because the identity
burden using the designed outsourcing computation algorithm. authentication is implemented between the terminal devices and
the intermedia, i.e., cloud server, instead of the terminal devices
D. The Supported Integer Range and 𝑛 medical institutions. As a result, the communication
In the proposed Enc-SMIS scheme, we extend the original cost of the proposed scheme is reduced to 1/𝑛 of the
PSIS to the field of large real numbers, which would cause the communication cost of the traditional SMIS schemes.
overflow problem. In this subsection, we mainly discuss the
overflow problem. According to the generation method VI. CONCLUSION
mentioned above, the identify 𝑥 of each medical institution In this paper, we have presented an Encrypted domain SMIS
will be input into the following (𝑘 − 1)-degree polynomial scheme (Enc-SMIS) with secure outsourcing computation.
𝑦 = 𝑉 + 𝑉 𝑥 + ⋯ + 𝑉 𝑥 . The value of 𝑦 is easy to be Considering the limited computing resources of terminal
out of the range without the modulus operation. Therefore, we devices and medical institution servers, which can hardly
implement an experiment to test the approximate range of handle the huge amount of medical data generated by terminal
(𝑘, 𝑛) that the proposed scheme can work correctly. devices, we explore the CKKS algorithm to outsource the task
According to Table V, the maximum value of 𝑘 is 8 and the of sharing and recovery of SMI securely. In addition, the range
maximum value of 𝑛 is 10. When 𝑘 = 9, the degree of the of SIS is extended to the field of large real numbers, and the
polynomial is 8, making the encrypted pixels easy to overflow. 𝑠𝑒𝑚𝑖-𝑐𝑖𝑝ℎ𝑒𝑟𝑡𝑒𝑥𝑡 strategy is adopted to improve the efficiency
In most practical applications, patients might be bound to of secure outsourcing computation based on FHE. The
several fixed medical institutions and the threshold (8,10) is experiment results demonstrate the sharing and recovery of
enough. (8,10)-threshold SMIS only need no more than 5.5s and 5s,
E. The Results of the Enc-SMIS Scheme respectively. In summary, compared to the other SMIS schemes,
the proposed Enc-SMIS scheme can effectively alleviate the
In this subsection, we show the results of SMI sharing and
computing and communication burden of the terminal devices
recovery on some groups of images using the proposed Enc-
and medical institutions and has the potential for dealing with a
SMIS scheme as shown in Fig. 5.
large amount of image data, making it suitable for the IoT
In this experiment, we take the (3, 4) threshold as an example.
environment.
The right side of Fig. 5(a) is the recovered SMI after decryption.
In addition, observing the original versions and recovered
REFERENCES
versions of other medical images, as shown by the examples in
Fig. 5(b) and Fig. 5(c), we can find that the left side of each [1] V. Patel, "A framework for secure and decentralized sharing of
medical imaging data via blockchain consensus," Health
figure is the original image and the right side is the informatics journal, vol. 25, no. 4, pp. 1398-1411, 2019.
corresponding recovered image. From these figures, it is hard [2] M. Marwan, A. Kartit, and H. Ouahmane, "Secure cloud-based
to detect any difference between the original SMI and the medical image storage using secret share scheme," in 2016 5th
International Conference on Multimedia Computing and Systems
recovered one, as the accuracy of the proposed scheme is 100%. (ICMCS), 2016: IEEE, pp. 366-371.
As illustrated in Section III-B, the image shares are stored in [3] M. Marwan, A. Kartit, and H. Ouahmane, "A secure framework for
encrypted form on local servers. There are two variables, which medical image storage based on multi-cloud," in 2016 2nd
International Conference on Cloud Computing Technologies and
are determined by the CKKS’s parameter 𝐷, 𝑖. 𝑒., the number Applications (CloudTech), 2016: IEEE, pp. 88-94.
of pixels that can be packed in a ciphertext in batch encryption [4] D. Yang, I. Doh, and K. Chae, "Secure medical image-sharing
𝑁 and the storage size of each share 𝑆 . The storage size mechanism based on visual cryptography in EHR system," in 2018
20th International Conference on Advanced Communication
of each share 𝑆 is related to the number of ciphertext 𝑛𝑢𝑚 Technology (ICACT), 2018: IEEE, pp. 463-467.
packed in the share and the size of the single ciphertext 𝑆 , [5] A. K. Chattopadhyay, A. Nag, and K. Majumder, "Secure Data
which can be calculated by 𝑆 = 𝑛𝑢𝑚 ∗ 𝑆 . Outsourcing on Cloud Using Secret Sharing Scheme," Int. J. Netw.
Secur., vol. 19, no. 6, pp. 912-921, 2017.
In this experiment, since the sizes of image shares is 1/𝑘 of [6] C. Gentry, "Fully homomorphic encryption using ideal lattices," in
that of the original SMI, and thus the sizes of the shares can be Proceedings of the forty-first annual ACM symposium on Theory of
computed by 276 × 408 × 1/3 = 37,536 , the number of computing, 2009, pp. 169-178.
ciphertexts can be calculated by 𝑛𝑢𝑚 = ⌈37,536/(𝐷/2)⌉ . [7] A. Shamir, "How to share a secret," Communications of the ACM,
vol. 22, no. 11, pp. 612-613, 1979.
Then, we record the size of the single ciphertext 𝑆 and
calculate 𝑆 with a different 𝐷, as listed in Table VI.

[8] G. R. Blakley, "Safeguarding cryptographic keys," in Managing encrypted IoT data in smart cities," IEEE Internet of Things Journal,
Requirements Knowledge, International Workshop on, 1979: IEEE vol. 6, no. 5, pp. 7702-7712, 2019.
Computer Society, pp. 313-313. [31] Q. Yang, Y. Liu, Y. Cheng, Y. Kang, T. Chen, and H. Yu,
[9] M. Naor and A. Shamir, "Visual cryptography," in Workshop on the "Federated learning," Synthesis Lectures on Artificial Intelligence
Theory and Application of Cryptographic Techniques, 1994: and Machine Learning, vol. 13, no. 3, pp. 1-207, 2019.
Springer, pp. 1-12. [32] T. Li, A. K. Sahu, A. Talwalkar, and V. Smith, "Federated learning:
[10] C.-C. Thien and J.-C. Lin, "Secret image sharing," Computers & Challenges, methods, and future directions," IEEE Signal
Graphics, vol. 26, no. 5, pp. 765-770, 2002. Processing Magazine, vol. 37, no. 3, pp. 50-60, 2020.
[11] C.-C. Wu, M.-S. Hwang, and S.-J. Kao, "A new approach to the [33] Z. Li, V. Sharma, and S. P. Mohanty, "Preserving data privacy via
secret image sharing with steganography and authentication," The federated learning: Challenges and solutions," IEEE Consumer
Imaging Science Journal, vol. 57, no. 3, pp. 140-151, 2009. Electronics Magazine, vol. 9, no. 3, pp. 8-16, 2020.
[12] C.-N. Yang, T.-S. Chen, K. H. Yu, and C.-C. Wang, "Improvements [34] J. H. Cheon et al., "Batch fully homomorphic encryption over the
of image sharing with steganography and authentication," Journal integers," in Annual International Conference on the Theory and
of Systems and software, vol. 80, no. 7, pp. 1070-1076, 2007. Applications of Cryptographic Techniques, 2013: Springer, pp. 315-
[13] C.-C. Lin and W.-H. Tsai, "Secret image sharing with 335.
steganography and authentication," Journal of Systems and software, [35] K. Tjell and R. Wisniewski, "Privacy in Distributed Computations
vol. 73, no. 3, pp. 405-414, 2004. based on Real Number Secret Sharing," arXiv preprint
[14] A. Rani, A. K. Bhullar, D. Dangwal, and S. Kumar, "A zero- arXiv:2107.00911, 2021.
watermarking scheme using discrete wavelet transform," Procedia [36] T. Finamore, "SHAMIR’S SECRET SHARING SCHEME USING
Computer Science, vol. 70, pp. 603-609, 2015. FLOATING POINT," Florida Atlantic University Boca Raton,
[15] B. Surekha and G. Swamy, "Visual secret sharing based digital Florida, 2012.
image watermarking," International Journal of Computer Science [37] A. Beimel, "Secret-sharing schemes: A survey," in International
Issues (IJCSI), vol. 9, no. 3, p. 312, 2012. conference on coding and cryptology, 2011: Springer, pp. 11-46.
[16] N. V. Dharwadkar and B. Amberker, "Watermarking scheme for [38] X. Yang, X. He, J. Zhao, Y. Zhang, S. Zhang, and P. Xie, "COVID-
color images using wavelet transform based texture properties and CT-dataset: a CT scan dataset about COVID-19," arXiv preprint
secret sharing," International Journal of Signal Processing, vol. 6, arXiv:2003.13865, 2020.
no. 2, pp. 93-100, 2010.
[17] A. Azza and S. Lian, "Multi-secret image sharing based on
elementary cellular automata with steganography," Multimedia Jingwang Huang is currently pursuing the
Tools and Applications, vol. 79, no. 29, pp. 21241-21264, 2020.
[18] G. S. Mahdi, N. Yousif, and A. F. Shimal, "Medical Image
M.S. degree in Nanjing University of
Watermarking Based on Secret Sharing and Integer Wavelet Information Science and Technology,
Transform," in Journal of Physics: Conference Series, 2021, vol. China, in 2020. His research interest
1963, no. 1: IOP Publishing, p. 012159. includes Blockchain, Secret image sharing,
[19] A. A. Abd El-Latif, B. Abd-El-Atty, M. S. Hossain, M. A. Rahman,
and Artificial intelligent security, and
A. Alamri, and B. B. Gupta, "Efficient quantum information hiding
for remote medical image sharing," IEEE Access, vol. 6, pp. 21075- Digital Forensics.
21083, 2018.
[20] P. Paillier, "Public-key cryptosystems based on composite degree
residuosity classes," in International conference on the theory and
applications of cryptographic techniques, 1999: Springer, pp. 223-
Qi Cui received his B.S. degree in Software
238.
[21] T. ElGamal, "A public key cryptosystem and a signature scheme Engineering from Nanjing University of
based on discrete logarithms," IEEE transactions on information Information Science and Technology,
theory, vol. 31, no. 4, pp. 469-472, 1985. China in 2017. He is currently pursuing his
[22] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, "(Leveled) fully
Ph.D. in Information and communication
homomorphic encryption without bootstrapping," ACM
Transactions on Computation Theory (TOCT), vol. 6, no. 3, pp. 1- engineering at the same university. Now he
36, 2014. is a visiting scholar in the Department of
[23] J. Fan and F. Vercauteren, "Somewhat practical fully homomorphic Electrical and Computer Engineering at the
encryption."
[24] A. Acar, H. Aksu, A. S. Uluagac, and M. Conti, "A survey on
University of Windsor, Canada. His
homomorphic encryption schemes: Theory and implementation," research interests include adversarial deep learning,
ACM Computing Surveys (CSUR), vol. 51, no. 4, pp. 1-35, 2018. information hiding, steganalysis, and multimedia security.
[25] C. Gentry, A. Sahai, and B. Waters, "Homomorphic encryption from
learning with errors: Conceptually-simpler, asymptotically-faster,
attribute-based," in Annual Cryptology Conference, 2013: Springer,
pp. 75-92. Zhili Zhou (Member, IEEE) received his
[26] J. H. Cheon, A. Kim, M. Kim, and Y. Song, "Homomorphic MS and PhD degrees in Computer
encryption for arithmetic of approximate numbers," in International Application at the School of Information
Conference on the Theory and Application of Cryptology and
Science and Engineering from Hunan
Information Security, 2017: Springer, pp. 409-437.
[27] L. Jiasen, W. X. An, C. Bowei, T. Zheng, and Z. Kaiyang, University, in 2010 and 2014, respectively.
"Outsourced Secure Face Recognition Based on CKKS He is currently a professor with Institute of
Homomorphic Encryption in Cloud Computing," International Artificial Intelligence and Blockchain,
Journal of Mobile Computing and Multimedia Communications
Guangzhou University. Also, he was a
(IJMCMC), vol. 12, no. 3, pp. 27-43, 2021.
[28] M. Kim et al., "Ultrafast homomorphic encryption models enable Postdoctoral Fellow with the Department
secure outsourcing of genotype imputation," Cell Systems, vol. 12, of Electrical and Computer Engineering, University of
no. 11, pp. 1108-1120. e4, 2021. Windsor, Canada. His current research interests include
[29] R. Badhwar, "The Future State of Data Security," in The CISO’s
Multimedia Security, Artificial Intelligence Security,
Next Frontier: Springer, 2021, pp. 113-121.
[30] M. Shen, X. Tang, L. Zhu, X. Du, and M. Guizani, "Privacy- Information Hiding, Digital Forensics, Blockchain, and Secret
preserving support vector machine training over blockchain-based Sharing. He has authored or coauthored more than 100 refereed

papers. He is serving as an Associate Editor of Journal of Real-

Time Image Processing, Security and Communication
Networks, and International Journal on Semantic Web and
Information Systems. He received ACM Rising Star Award and
got Guangdong Natural Science Funds for Distinguished
Young Scholar.

Keping Yu (Member, IEEE) received the

M.E. and Ph.D. degrees is global
information and telecommunication studies
from the Graduate School of Global
Information and Telecommunication
Studies, Waseda University, Tokyo, Japan,
in 2012 and 2016, respectively. He is
currently a Researcher with the Global
Information and Telecommunication
Institute, Waseda University. He is also a Visiting Professor
with the College of Computer Science, Sichuan Normal
University, Chengdu, China. His research interests include
smart grids, information-centric networking, the Internet of
Things, blockchain, and information security.

Ching-Nung Yang (Senior Member,

IEEE) received the B.S. and M.S. degrees
in telecommunication engineering from
National Chiao Tung University, Hsinchu,
Taiwan, in 1983 and 1985, respectively,
and the Ph.D. degree in electrical
engineering from National Cheng Kung
University, Tainan City, Taiwan, in 1997.
He is currently a Full Professor with the Department of
Computer Science and Information Engineering, National
Dong Hwa University, Hualien, Taiwan. His research interests
include coding theory, information security, and cryptography.
He is a fellow of IET.

Kim-Kwang Raymond Choo (Senior

Member, IEEE) received the Ph.D. degree
in information security from the
Queensland University of Technology,
Brisbane, QLD, Australia, in 2006.,He
currently holds the Cloud Technology
Endowed Professorship with The
University of Texas at San Antonio, San
Antonio, TX, USA., Dr. Choo is the founding Co-Editor-in-
Chief of ACM Distributed Ledger Technologies: Research and
Practice, and the founding Chair of IEEE TEMS Technical
Committee on Blockchain and Distributed Ledger
Technologies. He is also an ACM Distinguished Speaker and
IEEE Computer Society Distinguished Visitor (2021–2023)
and a Web of Science’s Highly Cited Researcher (Computer
Science—2021, Cross-Field—2020). He was the recipient of
the 2019 IEEE Technical Committee on Scalable Computing
Award for Excellence in Scalable Computing (Middle Career
Researcher).