Application of compressed sensing in privacy

protection

Jia Liang

School of Cyber Security and Information Law

Thursday, April 25, 2024

 Contents

Compressed sensing 1 2 CS-based cryptosystem

⚫ Definition ⚫ Definition

⚫ Application ⚫ Attack models

⚫ schemes

Compressed learning 3 4 others

⚫ Compressive analysis ⚫ CS in data collection

⚫ Compressed learning ⚫ CS in data hiding

⚫ CS in federated learning
1. Compressed sensing (CS)

Introduction to CS
1. Compressed sensing (CS)

From Nyquist to CS
1. Compressed sensing (CS)

“Can we not just directly measure the part that will not end up being
thrown away ?”
Donoho

Original 2500 KB Compressed 148

392
950 KB
100% 15%
6%
38%
 1. Compressed sensing (CS)

Sparse in wavelet-domain

Sparse representation of an image via a multiscale wavelet transform.

(a) Original image. (b) Wavelet representation. Large coefficients are represented by light pixels, while small coefficients
are represented by dark pixels. Observe that most of the wavelet coefficients are close to zero.
 1. Compressed sensing (CS)

Sparse in wavelet-domain

Sparse approximation of a natural image.

(a) Original image.(b) Approximation of image obtained by keeping
only the largest 10% of the wavelet coefficients.
1. Compressed sensing (CS)

Our Point-Of-View

Compressed Sensing(CS) must be based on sparsity and compressibility.

The signals must be sparse in time-domain or in frequency-domain.
1. Compressed sensing (CS)

“Can we not just directly measure the part that will

not end up being thrown away ?”
Donoho

“sensing … as a way of extracting information about

an object from a small number of randomly selected
observations” Candès et. al.

Analog
Audio
Signal High-rate Low-rate
Nyquist rate Compressed Compression
Sampling Sensing (e.g. MP3)
1. Compressed sensing: Definition

ym 1 xn 1

m n
Fig1. The schematic of CS model.
1. Compressed sensing: Definition
1. Compressed sensing: Definition

The reconstruction algorithm:

• The greedy iterative algorithm: OMP,
• The convex optimization: BP
• Others: The Bayesian learning framework, Deep learning

[1] S. S. Chen, D. L. Donoho, and M. A. Saunders, Atomic Decomposition by Basis Pursuit vol. 20: SIAM
Journal on Scientific Computing, 1998.
1. Compressed sensing: Definition

Fig2. The schematic of CS sapling.

1. Compressed sensing: Definition
1. Compressed sensing: Applications

◼ Lens distortion correction

◼ Image scaling
 1. Compressed sensing: Applications

CT Scans
1. Compressed sensing: Applications

Spatial Superresolution
 1. Compressed sensing

Our Point-Of-View

◼ The field of sampling was traditionally associated with methods implemented

either in the frequency domain, or in the time domain

◼ Sampling can be viewed in a broader sense of projection onto any subspace or

union of subspaces

◼ We can sample a signal below Nyquist sampling rate.(We must know something
about the signals).
 2. CS-based cryptosystem

1. Symmetric Cryptosystem

2. Attack models
 2. CS-based cryptosystem

• COA Receiver
Sender
• CPA (Bob)
(Alice)
• KPA

xn Sample ym ym Reconstruction
1 1
信道 1 xn 1
(Encryption) (Decryption)

Original signal Measurements

（Plaintext） Φm n （Ciphertext） Φm n

Measurement matrix
Attacter Measurement matrix
（Key）
(Eve) （Key）

Fig. 3. The schematic of CS-based cryptosystem.

2. CS-based cryptosystem

Shannon
2. CS-based cryptosystem

[1] T. Bianchi, V. Bioglio, and E. Magli, “Analysis of one-time random projections for privacy
preserving compressed sensing,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 2, pp. 313–327,
Feb. 2016
 2. CS-based cryptosystem

Our Point-Of-View

◼ CS can provide a degree of privacy protection.

◼ CS provides privacy protection while sampling.
 2. CS-based cryptosystem：Attacks

(1) Ciphertext-only Attack (COA).

COA refers to that the adversary, Eve, only knows the ciphertext. Bianchi et al. point
out that the measurements leaks the energy of the original signal in CS encryption,
which may contain some private information. For example, the energy of signals has
a distinct gap between Atrial fibrillation (AF) and Non-AF condition. Therefore, Eve
can get the energy of the original signal from the ciphertext and then use the energy
to infer some privacy.
 2. CS-based cryptosystem： Attacks

(2) Known-plaintext Attack (KPA).

 2. CS-based cryptosystem： Attacks

(3) Chosen-plaintext Attack (CPA)

 2. CS-based cryptosystem

Our Point-Of-View

◼ CS is not secure when the measurement matrix is reused

How to solve this problem？

Please think and discuss about it?
2. CS-based cryptosystem： Schemes

A Compressed Sensing Based Image Compression-Encryption Coding Scheme without Auxiliary

Information Transmission
 2. CS-based cryptosystem： Schemes

1. CS Sampling and Quantization

➢ Step1 ：CS Sampling,

➢ Step 2: Calculate the energy of measurements, .

➢ Step3: Normalization, . Auxiliary information

need to transmission!

➢ Step4: Quantization, .
 2. CS-based cryptosystem： Schemes

2. Diffusion and Permutation

 2. CS-based cryptosystem： Schemes

2. Diffusion and Permutation

Step2: Use the Logistic-Tent chaotic system to generate pseudo-

random sequence .
 2. CS-based cryptosystem： Schemes

2. Diffusion and Permutation

 2. CS-based cryptosystem： Schemes

3. Decoding
 2. CS-based cryptosystem： Schemes

3. Decoding
 2. CS-based cryptosystem： Schemes

3. Decoding
2. CS-based cryptosystem： Schemes
2. CS-based cryptosystem： Schemes
2. CS-based cryptosystem： Schemes
2. CS-based cryptosystem： Schemes
 2. CS-based cryptosystem： Schemes

To summarize, the outstanding advantage of our scheme includes: no

energy information leakage of signals, CPA attack resistance, and no extra
transmission; while other schemes cannot achieve these advantages
simultaneously.
2. CS-based cryptosystem： Schemes

Exercise :

• Please program the CS-based image encryption and decryption！

Try to give the pseudocode. In five minutes, I will ask one person to show his design.
 3. Compressed learning(CL)

Far fewer than Nyquist

Nyquist samples
sampling CS
theorem Simple

sampling Reconstruction inference Reconstruction is a

tough task!

CL Reduce computational complexity,

inference time, and power consumption.
 3. Compressed learning(CL): Compressive analysis

y Φx T Inference stage
Wy
线性
投影
Tag

Conv. fc
Input measurements

The framework of compressive analysis

C. -Y. Chou, E. -J. Chang, H. -T. Li and A. -Y. Wu, "Low-Complexity Privacy-Preserving Compressive
Analysis Using Subspace-Based Dictionary for ECG Telemonitoring System," in IEEE Transactions on
Biomedical Circuits and Systems, vol. 12, no. 4, pp. 801-811, Aug. 2018
 3. Compressed learning(CL): Compressive analysis

Matrix Factorization

d n d d d n
Y WA Y W A

There are errors

2 It is possible to learn a projection matrix with
min || E || linear dimensionality reduction that satisfies
W d d'
,A d' n F
d d
s.t. Y WA E the most recent reconstruction

Singular Value Decomposition Non Negative Matrix Factorization

(SVD) (NMF)
min || E || 2 min
d n d d
|| E ||2F
d d' d' n F A ,W
W ,A
s.t. Y WA E s.t. Y WA E
WT W I m W 0
A 0
 3. Compressed learning(CL): Compressive analysis

d 1
Given sample set X，and get W and A . The test sample x  is represented: x = Wα + e

z = Φx z = Φ( Wα + e) = ΦWα + e

z  Θα Θ = ΦW, Θ  md 

d  m
Similar to the data after dimensionality
α̂ = Θ z
†
reduction!

After the measurement vector is obtained, the approximate data after dimensionality
reduction can be obtained by multiplying a matrix left.
3. Compressed learning(CL): Compressive analysis

Fig.1 Low-complexity privacy preserving scheme based on CS and NMF for image data
3. Compressed learning(CL): Compressive analysis

Fig.2 Flowchart of the preparation stage.

3. Compressed learning(CL): Compressive analysis
 3. Compressed learning(CL): Compressive analysis

① COA

Fig.1 Energy relationship between measurement and original signal, (a) CS system (b) scheme of
proposal
 3. Compressed learning(CL): Compressive analysis

② KPA
The measurement matrix is estimated by selecting different number of plaintext ciphertext
pairs。

Φ Φeve 2
0.01
Φ 2

numbers
 3. Compressed learning(CL): Compressive analysis

③ COA

COA in standard CS encryption systems:

By encrypting a manually selected plaintext xi = [0,...,0,1i ,0,...,0]

T

to get the ciphertext z i = Φxi , we get i-th column of the

measurement matrix.

In this test, the plaintext x = [1, 0,...,0]

T
is selected and the
encryption result is shown in Fig. 3.5, which is obviously very
different from the first column of the measurement matrix. In
other words, this type of attack does not work against the
proposed scheme.

Fig. 3.5 Encryption results of special signals

 3. Compressed learning(CL)

Compressed sensing traditional framework and compressed learning framework:

Measure Reconstru Detection \

Signals CS ments channel Result
ction classification

Measurement 测量矩阵
matrix
(a)

Measure Detection \
Signals CS ments channel Result
classification

Measurement
matrix (b)
3. Compressed learning(CL)

Robert Calderbank et al. provide theoretical

results to show that learning directly in the
compressed domain is possible.
 3. Compressed learning(CL)

Sensing stage Inference stage

y Φx Ψ y

... .. Tag

Input fc fc Reshape Conv. Conv. Conv. fc

Zisselman, Ev et al. “Compressed Learning for Image Classification: A Deep Neural Network Approach.”
(2018).
3. Compressed learning(CL)
 4. Others: CS in data collection

Background

In wireless sensor networks, it is necessary to reduce the

communication energy and prolong the network life by
compressing data.
First

Compressive Sensing (CS) can perform compression and

sampling simultaneously to reduce the amount of data
acquisition, which can lower communication overhead of
Second data gathering in WSNs.

WSNs are vulnerable to various attacks due to open

wireless media. The security of data transmission should be
taken into account.
Third
 4. Others: CS in data collection

CDG
Compresssive Data Gathering

Fig. 2. Compressive data gathering

Sensor Si : data reading xi i = 1, ,N

Column vector i from measurement matrix 

 4. Others: CS in data collection

Our scheme

Fig. 3. The framework of our scheme

Selected node Si : blinding factors wi

UnSelected node S j : confusion factor ui
 4. Others: CS in data collection

Parameter Design

First-level protection 1 Each Node si The sink

i
Second-level protection
3
1 Each Node si The sink P Selected Nodes randomly
ui generate the corresponding
u
i
i =0 Confusion factor blinding factor wk
2 P Selected Nodes 4 Random vector d is shared
throughout the network.
bk Encoding vector
k = 1, ,P
The sink
 4. Others: CS in data collection

Selection Strategy

Selected node: The selection rule for the sink to choose P

nodes is to ensure the sum of confusion factor on the
selected nodes to be 0.

u
kN P
k =0 and N P  {1, 2, , N}
NP = P
Unselected node: The remaining N − P nodes.
u
lN P
l =0 NP = N − P
 4. Others: CS in data collection

Data Gathering

• Embed own confusion number ui with random

vector d
Unselected Node Encoding • Confuse the attacker without affecting the data
recovery at the sink node
S1 , S3 are selected
S2 is not selected

S1: b1, w1
S3: b2, w2 i = 1, , N k = 1, ,P
The order of the k is determined
S2:d, u2 based on the size of the index i • Embed the blinding factorwk with encoding vector b k
• Increase the security of node information transmission
without imposing additional burden for the sink node to
Selected Node Encoding recover data.
 4. Others: CS in data collection

Data Gathering

Sink Node Decoding

 11 x1 + b11w1 + 12 x2 + d1u2 + + 1N xN + b1P wP = y1
  x + b w + x + d u + + x + b w = y
 21 1 21 1 22 2 2 2 2N N 2P P 2
 i = 1, , N

M 1 x1 + bM 1w1 + M 2 x2 + d M u2 + + MN xN + bMP wP = yM
N P

 x +  b
i =1
i i
k =1
k wk +  dul = y
l
N P

 x +  b
i =1
i i
k =1
k wk = y

Φx + Bw = y

Correctness Verification
 4. Others: CS in data collection

Data Gathering M. Yamac,̧ C¸. Dikici, and B. Sankur,“Hiding data in compressive sensed measurements: A conditionally reversible
data hiding scheme for compressively sensed measurements” Digit. Signal Prog., vol. 48, pp. 188–200, 2016.

Sink Node Decoding

The left annihilator matrix of encoding
matrix B={bk } i = 1, , N

F  R mM
satisfy
FB = 0

Correctness Verification
 4. Others: CS in data collection

Security Analysis

Resist attacks:
• Routing Analysis,
• Size Correlation Analysis
• Content Correlation Analysis

替换您的图片 替换您的图片
 4. Others: CS in data collection

Efficiency Analysis

The Table compares the computational overhead with some data gathering scheme.
 4. Others: CS in data collection

Performance
 4. Others: CS in data collection

Discussion Such embedding mechanism

• maintains low communication

consumption at the sensor
• does not increase the nodes;
complexity of the sink.

• disrupts the original

message to realize
security in enhancement;
 4. Others: CS in data hiding

1 Background

• Robust watermarking in encrypted domain

Attacks
Encryption
Hiding

Characteristics: double protection of the cover and the watermarking, robustness to a variety of attacks
Purpose of the robust watermarking: identity authentication, copyright protection...
2 Research Goal

A good robust watermarking scheme in encrypted domain needs to meet

the following conditions:

Watermarking：high robustness

Cover image ：security

Reconstructed image ：high fidelity

 3 The Proposed Scheme

• Framework
Image Owner K3 Data Hider

Original Binary Watermark Secret

Image K1 and K2 Watermark Processing Watermark K2

Image Encryption Encrypted Watermark

and Preprocessing Image Embedding

Binary Watermark K2 and K3

Watermark Extraction
Marked
K1 and K2 Image
Reconstructed Image
Image Reconstruction
Receiver
 3 The Proposed Scheme Purpose: Vacating Room
1. Image Encryption and Preprocessing

High consumption！
A.Traditional
compressed
sensing
Original
Image
Sub-block B. Kronecker
compressed
sensing Low consumption！
 3 The Proposed Scheme Purpose: Vacating Room
1. Image Encryption and Preprocessing

Sub-block Bi

Reference measurements:
B. Kronecker
compressed
sensing Predicted measurements:

Embedded by LSB replacement

Predicted measurements Prediction error:

Reference measurements Reconstruction CS sampling by

 3 The Proposed Scheme Purpose: Encryption
1. Image Encryption and Preprocessing
Sub-block

…… Global
Random
Permutation

Select 1 pixel as an example Encrypted

image

Room Error

8-b bits b bits

3 The Proposed Scheme Purpose: Robustness
2. Watermark Processing

AN Integer Block Binary

EXAMPLE Lifting Wavelet Compressed Coding
Transform Sensing
Partial
Watermarking Hadamard
matrix
• Sparsity • Compression
• Integer • Encryption
• Integer
3 The Proposed Scheme Purpose: Robustness
3.2.Embedding
Watermark Processing

Vacated room with length Le

Watermarking Wn with length Lw

Marked image Imarked

Multiple embedding method:

copy and embed
4 Performance
• No interference

Original Encryptd Marked Reconstructd Extracted

image image image image Watermarking

• With interference

Gaussion clipping JPEG tampering

noise (1/4) (QF=0.8) (50%)
(0.001)
4 Performance
• Encryption results

A. Histogram of the original Lena B. Histogram of the encrypted Lena

Correlation coefficient of the encrypted Lena

Horizontal Vertical Diagonal
-0.0032 0.0201 0.0100
4 Performance

• Robustness of the extracted watermarking

Table.1 The NC and BER under different block sizes and sampling rates

It can be seen that the watermark extraction accuracy increases with the rise of the
sampling rate, and smaller sub-blocks correspond to better extraction quality.
4 Performance

• Robustness of the extracted watermarking

Table.2 The NC and BER under under

noise attacks
Table.3 The NC and BER under different quality factors
(QF) of JPEG and different tampering rates
4 Performance

• Robustness of the extracted watermarking

Table.4 The comparison of NC of the extracted watermark

[3] Shabir A Parah, Nazir A Loan, Asif A Shah, Javaid A Sheikh, and GM Bhat, “A new secure and robust water_x0002_marking technique based on logistic map and modifica_x0002_tion of dc
coefficient,” Nonlinear Dynamics, vol. 93, no.4, pp. 1933–1951, 2018.
[5] Yang Liu, Shanyu Tang, Ran Liu, Liping Zhang, and Zhao Ma, “Secure and robust digital image watermark_x0002_ing scheme using logistic and rsa encryption,” Expert Systems with Applications,
vol. 97, pp. 95–105, 2018.
[10]Di Xiao, Aozhu Zhao, and Fei Li, “Robust watermark_x0002_ing scheme for encrypted images based on scramblingand kronecker compressed sensing,” IEEE Signal Pro_x0002_cessing Letters,
vol. 29, pp. 484–488, 2022.
4 Performance

• Robustness of the reconstruted image

A. Noise attacks ( lev1 - lev3 = 1×10−3, 3×10−6, 5×10−6) B. Clipping attacks

[8] Di Xiao, Fei Li, Mengdi Wang, and Hongying Zheng,“A novel high-capacity data hiding in encrypted im_x0002_ages based on compressive sensing progressive recov_x0002_ery,” IEEE
Signal Processing Letters, vol. 27, pp. 296–300, 2020.
[15]Liya Zhu, Huansheng Song, Xi Zhang, Maode Yan, Tao Zhang, Xiaoyan Wang, and Juan Xu, “A robust mean_x0002_ingful image encryption scheme based on block compressive sensing
and svd embedding,” Signal Process_x0002_ing, vol. 175, pp. 107629, 2020.
[16]Yuling Luo, Jia Lin, Junxiu Liu, Duqu Wei, Lvchen Cao, Ronglong Zhou, Yi Cao, and Xuemei Ding, “A robust image encryption algorithm based on chua’s circuit and compressive
sensing,” Signal Processing, vol. 161, pp. 227–247, 2019.
[17]Hao Li, Lianbing Deng, and Zhaoquan Gu, “A robust image encryption algorithm based on a 32-bit chaotic system,” IEEE Access, vol. 8, pp. 30127–30151, 2020.
 4. Others: CS in data hiding

5 Conclusion

Cover image Security

Watermarking High robustness

Reconstructed image High fidelity

 4. Others: CS in Federated Learning

Challenges
Communication cost: In the centralized optimization, communication costs
are relatively small, and computational costs is dominated. In contrast, in
federated learning(FL), communication costs is dominated. Sharing high-
dimensional gradients across iterative rounds in FL is very costly.

Privacy protection: FL offers a privacy-aware paradigm of model training

which does not require data sharing. Nevertheless, communicating model
updates throughout the training process can nonetheless reveal sensitive
information even incur deep leakage.

Byzantine robustness: There may exist Byzantine attackers in FL systems,

who can run data or model poisoning attacks to compromise the integrity of
the learning process.
 4. Others: CS in Federated Learning

Algorithm framework
CS-DP-SignSGD:

1、sparse representation
2 、linear projection
3 、differentially private
1-bit compression

4 、signal reconstruction
 4. Others: CS in Federated Learning

Sparse representation of gradients

Sparse Representation of Gradients with Adaptive Threshold:

1 Distortion

2 preservation
 4. Others: CS in Federated Learning

Differentially private 1-bit compression

Definition 2. For any given gradient 𝑦𝑡𝑖 , the compressor dpsign outputs dpsign(𝑦𝑡𝑖 , ϵ, δ), the j-th entry is
given by
𝑦𝑡𝑖 𝑗
1, 𝑤𝑖𝑡ℎ 𝑝𝑟𝑜𝑏𝑎𝑏𝑖𝑙𝑖𝑡𝑦 Φ
𝑖
dpsign(𝑦𝑡 , ϵ, δ)𝑗 = 𝜎
𝑦𝑡𝑖 𝑗
−1, 𝑤𝑖𝑡ℎ 𝑝𝑟𝑜𝑏𝑎𝑏𝑖𝑙𝑖𝑡𝑦 1 − Φ
𝜎
△ ε𝜎 △ ε𝜎
where 𝜎 is the noise scale satisfying ϕ( − )-𝑒 𝜀 𝜙(− − ) ≤ 𝛿(Analytic Gaussian Mechanism[15]).
2𝜎 △ 2𝜎 △
Accuracy evaluation

FedAvg[1] , SignSGD[2], DP-SignSGD[14]

Communication Cost evaluation

The communication overhead of SignSGD is 1/32 of FedAvg, and CS-DP-SignSGD is 1/64.

Sparsifying Methods
Byzantine Robustness
 4. Others: CS in Federated Learning

Conclusion
The CS-DP-SignSGD realizes data compression in both upstream
and downstream communications, which greatly improves the
communication efficiency , privacy protection and Byzantine
Robustness.

Different from the traditional Top-K sparse representation

method, the adaptive threshold sparsifying is innovatively
proposed to sparsely represent gradients, which protects the
sparsifying rules.
4. Others: CS in Federated Learning

Do you know any other applications of compressed sensing?

Please share with others

THANKS