Secure Retrieval of Brain Tumor Images Using Perceptual Encryption in Cloud-Assisted Scenario ^†

Abstract

Scarcity of data is one of the major challenges in developing automatic computer-aided diagnosis systems, training radiologists and supporting medical research. One solution toward this is community cloud storage, which can be utilized by organizations with a common interest as a shared data repository for joint projects and collaboration. In this large database, relevant images are often searched by an image retrieval system, for which the computation and storage capabilities of a cloud server can bring the benefits of high scalability and availability. However, the main limitation in availing third party-provided services comes from the associated privacy concerns during data transmission, storage and computation. To ensure privacy, this study implements a content-based image retrieval application for finding different types of brain tumors in the encrypted domain. In this framework, we propose a perceptual encryption technique to protect images in such a way that the features necessary for high-dimensional representation can still be extracted from the cipher images. Also, it allows data protection on the client side; therefore, the server stores and receives images in an encrypted form and has no access to the secret key information. Experimental results show that compared with conventional secure techniques, our proposed system reduced the difference in non-secure and secure retrieval performance by up to 3%.

1. Introduction

In the healthcare sector, scarcity of data is one of the major challenges in developing automatic computer-aided diagnosis (CAD) systems, training radiologists and supporting medical research. In individual hospitals, image data are produced to support day-to-day clinical decisions. Therefore, combining these individual data repositories into one could be of great interest and benefit [1,2]. One solution toward this is a community cloud, where organizations with a common goal can benefit from shared services [3]. For example, cloud storage resources can be utilized as a shared data repository among the organizations for joint projects and collaboration. Also, cloud computation-resources can be used to implement several computer vision applications, such as a medical image retrieval algorithms to find and retrieve images relevant to a query from images stored on a cloud-server [1]. Such a retrieval system can support doctors and practitioners in disease diagnosis, training radiologists and medical research and can even aid in developing automatic CAD systems [4,5,6]. Though these capabilities of cloud servers bring the benefits of high scalability and availability to an image retrieval application, their main limitation comes from the privacy concerns associated with sharing data [7,8]. For example, like all communication systems, when images are outsourced to the avail of cloud services, they are at the risk of being stolen. Also, to be aligned with privacy regulation acts, it is not desirable to disclose any privacy-sensitive information during computation and storage to the cloud service providers.

To solve these privacy issues, secure content-based image retrieval (CBIR) techniques are proposed. In general, these techniques can be categorized as the ones that extract features on the client side and then encrypt both features and images before the cloud server receives them. They are often referred to as two-stage secure CBIR techniques. Secure CBIR was proposed in [9,10,11,12,13,14], which show examples in this category. Since feature extraction is in the plain image domain, strong data protection techniques can be exploited. For example, chaos theory-based algorithms were implemented in [9,14]. However, implementing a feature extractor on the client side is computationally inefficient, especially in resource-constrained environments. On the other hand, one-stage secure CBIR techniques are encryption-based, as they encrypt images on the client side prior to the cloud server storing them or receiving them as a query [15]. The images are protected in such a way that their features can be extracted directly from the cipher images, thereby eliminating any preprocessing on the client side, aside from encryption. Examples of secure CBIR in this category were proposed in [16,17,18]. Cryptographic techniques such as homomorphic encryption, which can enable computation directly on the encrypted data, can be used. However, their computational complexity and compatibility should be considered [10]. Alternatively, lightweight perceptual encryption (PE) was proposed, which hides only perceivable information in images while leaving their intrinsic characteristics intact to enable privacy-preserving computations. Its applications can be extended to secure CBIR applications. For example, for secure color image retrieval applications, the authors of [19] proposed a pixel-based PE technique that randomly substitutes and inverts pixel values to hide identifiable information in images. Similarly, the authors of [20] proposed a block-based PE technique that performs block-level transformations, and its security was improved in [21] by adopting sub-block processing. These PE-based CBIR techniques were proposed for natural image retrieval applications, but natural image contents significantly differ from those of medical images, which makes their retrieval more challenging [16]. Furthermore, in one-stage CBIR systems, there is a trade-off relationship between retrieval performance and privacy preservation.

To address the aforementioned challenges, this paper implements an image retrieval system for brain tumor images in the encrypted domain to find a better trade-off in a cost-effective manner. For this purpose, we propose a pixel-based PE technique that protects the image contents in a way that it can still allow the computation of an image retrieval algorithm over encrypted data. In the proposed framework, we implement the region-of-interest (ROI)-based medical image retrieval algorithm proposed in [3], which combines adaptive spatial pooling [22] and Fisher vector representation [23]. In this method, similar images are retrieved by comparing their feature vectors using a closed-form metric learning method. One of the main advantages of the proposed secure CBIR system is that data are protected on the client side. Therefore, the server receives template and query images in an encrypted form and has no access to the secret key information.

2. Related Works

The widespread adaptability of outsourced computation and storage resources in the healthcare domain raises several privacy concerns. Regarding this, numerous privacy-preserving solutions have been proposed to protect data during data transmission, storage and usage. For a comprehensive overview, we refer to [7], which summarizes the existing privacy-preserving techniques in outsourced medical image analysis applications. Nonetheless, in this section, we mainly focus on techniques that are applicable for privacy-preserving medical image retrieval applications.

In the domain of secure content-based medical image retrieval, Zhang et al. [9] proposed a medical image retrieval algorithm that uses encrypted images. This scheme performs logistic chaos-based encryption in the frequency domain on the images prior to extracting their features. The normalized correlation coefficient is used to evaluate the similarity between a query image and stored images. Zhu et al. [10] proposed TAMMIE, a secure image retrieval algorithm where medical images and features are protected using symmetric and matrix encryption techniques. To evaluate cipher-image similarity, a privacy-preserving Mahalanobis distance comparison method is proposed. Also, for better retrieval accuracy, a pretrained convolutional neural network (CNN) is used to extract features from the plain images. Li et al. [11] proposed PMIR, which modifies TAMMIE by replacing the Mahalanobis distance with the Euclidean distance for feature vector comparison. Later, Li et al. [12] proposed AVPMIR, which allows users to validate the correctness of the retrieval results. For faster retrieval speeds, clustering and index merging techniques are employed on the cloud server. In addition, an improved logistic chaotic mapping algorithm is proposed to protect images during transmission and storage. In another work, Duan et al. [13] implemented a CNN for medical image feature extraction and the Euclidean distance to measure image similarity. In this scheme, first, features are extracted from the plain images on the client side, and then the images are encrypted using a symmetric key algorithm before uploading them to the cloud server. Also, a lightweight access control mechanism is implemented to protect data from unauthorized users. Similarly, Rajan et al. [14] leveraged the ConvNeXt model for feature extraction in the plain domain. Then, they proposed an image protection algorithm based on multiple chaotic maps and DNA encoding to protect the images prior to uploading them to the server. In general, scarcity of data in medical imaging makes it difficult to train a deep learning-based feature extractor for medical image retrieval applications. Therefore, federated learning can be leveraged to collaboratively train the feature extractor module, as proposed in [2].

The works mentioned thus far can be categorized as two-stage secure CBIR techniques that extract features from the client side to leverage strong encryption algorithms for image protection. However, implementing a feature extractor on the client side is computationally inefficient. Therefore, we next consider works that are in one-stage secure CBIR techniques category. For example, Guo et al. [16] proposed a privacy-preserving CNN employing homomorphic encryption to extract features from medical images in the encryption domain for classification and retrieval applications. Similarly, Cai et al. [17] proposed a privacy-preserving CNN feature extraction method for medical image retrieval applications that implements a set of secure two-party computation protocols. Aside from this, blockchain-based approaches have also been proposed to address the privacy concerns in multi-party image retrieval applications. For example, Shen et al. [18] proposed a blockchain-based scheme for secure medical image retrieval, where the image features are encrypted using a secure multiparty computation protocol and the Euclidean distance is used for images similarity.

Secure CBIR techniques [16,17] address the limitations of two-stage secure CBIR techniques, but their computational and communication costs are still among their challenges [10]. On the contrary, we propose a one-stage secure CBIR scheme for medical imaging applications that implements a lightweight PE algorithm to find a better trade-off between privacy and retrieval performance in a cost effective manner.

3. Methods

3.1. Preliminaries

• Squared Sine Logistic Map. The squared sine logistic map (SSLM) proposed in [24] is defined as a combination of two simple dynamic chaotic maps, namely the logistic chaotic map and sine chaotic map. The logistic map $\left(f_r\right)$ parameterized by the control variable $r\in [0,4]$ is as follows:

  $$f_r\left(x_n\right)=x_{n+1}=r{x}_n\left(1-x_n\right),$$

  (1)

The sine map $\left(g_{\mu }\right)$ parameterized by the control variable $\mu \in [0,1]$ is given by

$$g_{\mu }\left(x_n\right)=x_{n+1}=\mu sin\left(\pi x_n\right).$$

(2)

In both Equations (1) and (2), $x_0\in [0,1]$ is an initial value of the corresponding map. The SSLM $h_{r,\mu }\left(x_n\right)$ is given by

$$h_{r,\mu }\left(x_n\right)=x_{n+1}=r{x}_n\left(1-x_n\right)+\mu {sin}^2\left(2\pi x_n\right).$$

(3)

For a positive initial value $x_0$, the square operation ensures that the map’s iterations are in the interval $[0,1]$. To control the dynamical behavior of SSLM, the parameters r and $\mu$ are chosen in the intervals $[0,3.81\overline{581})$ and $[0,1]$, respectively. In general, the r value varies while the $\mu$ value remains fixed, such as $\mu =0.2$, as recommended in [24]. The SSLM exhibits better chaotic behavior than the logistic map, and its main advantage comes from its simple calculations. Also, SSLM has favorable properties for image encryption, as demonstrated in [19]. Therefore, we utilized SSLM to generate random sequences for the secret key generation in our proposed PE algorithm.

3.2. Proposed Secure Medical Image Retrieval System

Figure 1a shows the framework of our proposed secure brain tumor image retrieval system, which mainly consists of two modules: an image encryption algorithm and an image retrieval method. Below, we describe them in detail.

3.2.1. Proposed Perceptual Encryption Algorithm

The proposed algorithm makes an image perceptually unrecognizable by hiding only part of the information in it. This data protection is achieved by a piece-wise encryption function that selectively substitutes pixel values based on a random key. Also, each pixel substitution is dependent on previously encrypted pixel values to exhibit favorable encryption properties. This procedure is described below in detail.

• Key generation. To generate a secret key $\mathbf{k}$, we iterate the SSLM in Equation (3) $M+N$ times to obtain three random sequences ${\mathbf{u}}_0$, ${\mathbf{u}}_1$ and ${\mathbf{u}}_2$, each of a size N. The first M iterations are discarded to eliminate the transient effect, and N is the number of pixels in an image. The control parameter of the SSLM is set to $r=3.71$ for sequence ${\mathbf{u}}_0$, $r=3.715$ for sequence ${\mathbf{u}}_1$ and $r=3.7157$ for sequence ${\mathbf{u}}_2$. The initial value of the first sequence is set at random to ${\mathbf{u}}_{0\left(0\right)}=0.47$, while it is set to ${\mathbf{u}}_{1\left(0\right)}={\mathbf{u}}_{0(N-1)}$ for the second sequence and ${\mathbf{u}}_{2\left(0\right)}={\mathbf{u}}_{1(N-1)}$ for the third sequence. These three sequences are preprocessed as ${\mathbf{u}}_3$ and ${\mathbf{u}}_4$ in Equation (4) to generate the secret key $\mathbf{k}\in [0,255]$ in Equation (5):

  $$\left\{\begin{array}{c}{\mathbf{u}}_3=⌊{\mathbf{u}}_0\times {10}^{14}⌋\mathrm{mod}256.\hfill \\ {\mathbf{u}}_4=⌊\left({\mathbf{u}}_1+{\mathbf{u}}_2\right)\times {10}^{14}⌋\mathrm{mod}2.\hfill \end{array}\right.$$

  (4)

  $$\mathbf{k}={\mathbf{u}}_3\times {\mathbf{u}}_4.$$

  (5)

This key $\mathbf{k}$ is used to substitute the pixel values in an image as described below.

• Encryption. A cipher image vector $\mathbf{c}$ of a plain image vector $\mathbf{p}$ can be obtained as follows:

  $${\mathbf{c}}_{\left(i\right)}=\left\{\begin{array}{cc}{\mathbf{k}}_{\left(i\right)}\oplus \left(\left({\mathbf{p}}_{\left(i\right)}+{\mathbf{k}}_{\left(i\right)}\right)\mathrm{mod}L\right)\oplus {\mathbf{c}}_{(i-1)}\hfill & \mathrm{if}{\mathbf{k}}_{\left(i\right)}>0\hfill \\ {\mathbf{p}}_{\left(i\right)}\hfill & \mathrm{if}{\mathbf{k}}_{\left(i\right)}=0\hfill \end{array}\right.$$

  (6)

  where $L=256$ is the number of intensity levels and ${\mathbf{c}}_{(i-1)}$ is the previously encrypted pixel value. When encrypting the first pixel value ${\mathbf{p}}_{\left(0\right)}$, the ${\mathbf{c}}_{(i-1)}$ value is set as the last pixel value of the plain image.

• Decryption. The proposed encryption method is a symmetric key algorithm, and its corresponding decryption process to recover the original image is the inverse of Equation (6), given by

  $${\mathbf{p}}_{\left(i\right)}=\left\{\begin{array}{cc}\left({\mathbf{k}}_{\left(i\right)}\oplus {\mathbf{c}}_{\left(i\right)}\oplus {\mathbf{c}}_{(i-1)}+L-{\mathbf{k}}_{\left(i\right)}\right)\mathrm{mod}L\hfill & \mathrm{if}{\mathbf{k}}_{\left(i\right)}>0\hfill \\ {\mathbf{c}}_{\left(i\right)}\hfill & \mathrm{if}{\mathbf{k}}_{\left(i\right)}=0\hfill \end{array}\right.$$

  (7)

3.2.2. Image Retrieval System

Following [3], our image retrieval system consists of three main steps—feature extraction, feature vector representation and feature matching—as illustrated in Figure 1b. In the first step, an image is divided into tumor (ROI) and background regions, where local features are extracted by dividing the ROI into subregions. Next, feature vector representation using the Fisher kernel technique is applied to concatenate the local features into a single vector to obtain the image’s global features. Finally, a closed-form metric learning method is applied to find similar images in the database to the query image by matching their feature vectors. These steps are explained in detail below.

• Feature extraction. The first step is to segment images by differentiating the ROI (such as the tumor region) from the background. This segmentation aids the feature extraction function in representing an image in a high-dimensional feature space by taking the disease characteristics into account. Also, we use an augmented tumor region as the ROI to identify the tumor-surrounding tissues because they can provide important information for the identification of brain tumor types, as highlighted in [3]. Second, we implement the method proposed in [22] that considers the intensity distribution and spatial information to further divide the ROI into subregions. To define the image’s local features, we extract raw image patches from each subregion and apply principal component analysis (PCA) to reduce their dimensions. To give these feature vectors a single vector representation, we apply a Fisher kernel in the next step.
• Feature vector representation. For feature vector representation, we apply a Fisher kernel [23], which is defined as follows:

  $$K(X,Y)=G_{\lambda }^X{F}_{\lambda }^{-1}{G}_{\lambda }^Y,$$

  (8)

  where $F_{\lambda }$ is the Fisher information matrix of $u_{\lambda }$, expressed as

  $$F_{\lambda }=E_{x\sim u_{\lambda }}[{\nabla }_{\lambda }log{u}_{\lambda }\left(x\right){\nabla }_{\lambda }log{u}_{\lambda }{\left(x\right)}^{\top }].$$

  (9)

Given that $F_{\lambda }$ is symmetric and positive definite, it thus has a Cholesky decomposition ($F_{\lambda }^{-1}=L_{\lambda }^{\mathrm{T}}{L}_{\lambda }$). Therefore, the Fisher kernel $K(X,Y)$ can be written as ${\mathcal{G}}_{\lambda }^X$, a dot-product between normalized vectors, as shown in Equation (10):

$${\mathcal{G}}_{\lambda }^X=L_{\lambda }{G}_{\lambda }^X.$$

(10)

Here, $G_{\lambda }^X$ is the vector representation of a set $X=\{x_1,x_2,\dots ,x_T\}$ that contains T features extracted from an image, as proposed in [23]:

$$G_{\lambda }^X={\displaystyle \frac{1}{T}}{\nabla }_{\lambda }log{u}_{\lambda }\left(X\right).$$

(11)

The gradient of the log-likelihood describes the direction in which the model parameters should be changed to better fit X. Following [23], we assume that X is modeled by a generative model such as a Gaussian mixture model (GMM) using a probability density function $u_{\lambda }={\sum }_{k=1}^K{w}_k{u}_k$ with a set of parameters: the mixture weight ($w_k$), mean vector (${\mu }_k$) and diagonal covariance matrix (${\sigma }_k$), denoted as $\lambda =\{w_k,{\mu }_k,{\sigma }_k\}$.

• Feature matching. Let ${\psi }_q=[{\psi }_{q\left(1\right)},{\psi }_{q\left(2\right)},\dots ,{\psi }_{q\left(M\right)}]$ be the feature vector for a query image q. The goal of a feature matching function is to return the template image $\acute{t}\in T$, where

  $$\delta ({\psi }_{\acute{t}},{\psi }_q)\le \underset{{\psi }_t\in {\psi }_T}{min}\delta ({\psi }_t,{\psi }_q),$$

  (12)

  with $\delta (.)$ being a distance metric. This can be posed as an optimization problem where the objective is to minimize the distance $\delta (.)$ between similar images while maximizing it between dissimilar images. This objective can be defined as follows [3]:

  $$\underset{L}{arg\; min}\mathrm{Tr}\left(L(M_S-M_D)L^{\top }\right)$$

  (13)

  where

  $$M_S={\displaystyle \frac{1}{\left|S\right|}}\sum _{(x_i,x_j)\in S}(x_i-x_j){(x_i-x_j)}^{\top },\mathrm{and}$$

  $$M_D={\displaystyle \frac{1}{\left|D\right|}}\sum _{(x_i,x_j)\in D}(x_i-x_j){(x_i-x_j)}^{\top }.$$

The S and D are two sets containing image pairs ($x_i,x_j$) and their corresponding labels ($y_{x_i},y_{x_j}$) (that is, $S=\left\{(x_i,x_j)\right|y_{x_i}=y_{x_j}\}$) contain pairs of similar images, and $D=\left\{(x_i,x_j)\right|y_{x_i}\ne y_{x_j}\}$ contains pairs of dissimilar images. Also, $\mathrm{Tr}(.)$ is the trace operation, L is a linear transformation matrix that projects the image features to a new feature space, and $M=L^{\top }L$ is a positive semi-definite matrix.

3.3. System Model

Figure 2 shows our system model for a secure brain tumor image retrieval application based on image encryption, while Figure 3 shows the end-to-end information flow in our proposed secure medical image retrieval application. This system has three main entities: image owner (IO), cloud server (CS), and image user (IU).

The image owner owns a collection of n images $\mathcal{P}=\{p_1,p_2,\dots ,p_n\}$ and wants to store it on the cloud server in the encrypted form $\mathcal{C}=\{c_1,c_2,\dots ,c_n\}$ to facilitate a secure medical image retrieval application. The encrypted images are obtained as $\mathcal{C}=h(\mathcal{P},\mathcal{K})$, where $\mathcal{K}=\{k_1,k_2,\dots ,k_n\}$ is a collection of secret keys and h is a searchable encryption function. The image owner first generates a mask $\mathcal{M}=\{m_1,m_2,\dots ,m_n\}$ for $\mathcal{P}$ by extracting the ROI regions in each image. Then, the tuple $\langle \mathcal{C},\mathcal{M}\rangle$ that consists of the cipher image collection $\mathcal{C}$ and the ROI masks $\mathcal{M}$ are uploaded to the cloud server.

Image users are the authorized entities that can request and retrieve images relevant to their query q from the cloud server. To request a search, the image user processes the query image using the same steps as the image owner. The user first generates a mask $m_q$ and $c_q=h(q_q,k_q)$ for q and then uploads both $m_q$ and $c_q$ as a tuple $\langle c_q,m_q\rangle$ to the cloud server. After the relevant images are returned, the user can decrypt them by requesting the corresponding secret key from the image owner.

The cloud server implements a feature extractor to extract features $\mathcal{F}=\{f_1,f_2,\dots ,f_n\}$ from the image owner’s data collection $\langle \mathcal{C},\mathcal{M}\rangle$. Both the features $\mathcal{F}$ and encrypted images $\mathcal{C}$ are stored on the cloud server. Also, when a user submits a request with $\langle c_q,m_q\rangle$, the cloud server first extracts features $f_q$ from the user query. Then, to search similar images in the database, the cloud server implements a retrieval model that matches the extracted features $f_q$ from the query image with the stored features $\mathcal{F}$. Finally, the retrieval results are returned to the origin of query.

In this system model, the retrieval application’s computation and storage are carried out directly on the cipher images. Therefore, the secret key information is kept from the cloud-server. It is noteworthy that a secure image retrieval system should allow the encryption of template and query images using different keys when the image owner and user are two different entities. The three modules of this system—image encryption, feature extraction, and image retrieval—are based on the methods outlined in Section 3.

3.4. Threat Model

For security in the proposed secure CBIR scheme, we considered a data recovery attack in which an adversary $\mathcal{A}$ tries to recover the dataset contents from $\mathcal{C}$ by devising a function $\{h^{-1}:\mathcal{C}\to \widehat{\mathcal{P}}\approx \mathcal{P}\}$ to minimize the dissimilarity metric $\delta (\mathcal{P},\widehat{\mathcal{P}})$.

4. Simulation Results

4.1. Retrieval Performance Analysis

• Dataset. Although different medical image modalities, such as Positron Emission Tomography (PET), Computed Tomography (CT), and Magnetic Resonance Imaging (MRI) scans can be used to create images of the brain, MRI remains the primary diagnostic modality for brain tumors because it is highly sensitive in visualizing soft tissues within the brain compared with other modalities. Therefore, we used an MRI dataset in our experiments. It is worth mentioning that our proposed secure retrieval scheme can be readily implemented for other types of image modalities. In simulations, we evaluated the performance of different brain tumor retrieval schemes on a public brain tumor MRI dataset available from [3]. This dataset contains 3064 T1-weighted, contrast-enhanced images $512\times 512$ in size from 233 patients with three kinds of brain tumors: meningioma (708 slices), glioma (1426 slices), and pituitary (930 slices). The images in the dataset were split into five subsets for fivefold cross-validation. Among these subsets, one was used as query images, while the rest of them were used as template images. Also, it was ensured that slices from the same patient did not appear simultaneously in the template and query images. Figure 4 shows an example image from the dataset for each brain tumor type in plain and encrypted form. The cipher images were obtained by encrypting the plain images using our proposed PE algorithm. In the cipher images, pixel values which were substituted during encryption appear as white noise for the key value $\mathbf{k}>0$ in Equation (6).

  Figure 4. Example images from the dataset for each brain tumor type. (a–c) Plain-images and (d–f) their corresponding cipher images obtained from our proposed encryption technique. The tumor region (ROI) in each image is enlarged and shown below it. This information is visually unrecognizable in the cipher images.

  Figure 4. Example images from the dataset for each brain tumor type. (a–c) Plain-images and (d–f) their corresponding cipher images obtained from our proposed encryption technique. The tumor region (ROI) in each image is enlarged and shown below it. This information is visually unrecognizable in the cipher images.
• Retrieval performance evaluation metric. The precision metric is one of the most commonly used metrics to evaluate an image retrieval system’s performance. It measures the retrieval performance in terms of how many retrieved images are relevant. Let ${\mathcal{D}}^l$ and ${\mathcal{D}}^r$ denote the sets of similar and retrieved images, respectively. The precision (P) is defined as follows:

  $$P={\displaystyle \frac{|{\mathcal{D}}^l\cap {\mathcal{D}}^r|}{|{\mathcal{D}}^r|}}.$$

  (14)

Aside from the precision metric, we also evaluated the retrieval performance using the average precision (AP) metric, which measures the retrieval performance in terms of how well relevant images are ranked within the list of retrieved images for a single query. The AP score for a query image (q) is calculated as follows:

$${\mathrm{AP}}_q={\displaystyle \frac{1}{|{\mathcal{D}}^l|}}\sum _{k=1}^{|{\mathcal{D}}^r|}(P@k\times rel@k).$$

(15)

Here, $@k$ means at position k within the list of retrieved images, and $rel@k$ is a binary variable that takes a value of one if the retrieved result is relevant; otherwise, it takes a value of zero. The AP is a single-query evaluation metric, and therefore we extended its concept to calculate the mean AP (mAP) across all of the query images. The mAP score of a retrieval system that consists of Q total query images is defined by

$$\mathrm{mAP}={\displaystyle \frac{1}{Q}}\sum _{q=1}^{Q}A{P}_q.$$

(16)

These metric values lie in the range $[0,1]$, where one indicates the best performance of an image retrieval system.

• Retrieval results. To analyze the efficiency of proposed technique, we implemented the different PE techniques proposed in [25,26,27] and analyzed their impact on the image retrieval system. For all techniques, analyses were carried out on the same dataset with fivefold cross-validation. Following [3], throughout our experiments, image dilation with a disk-shaped structuring element with a radius of 24 was used to augment the ROI region, and the size of the raw image patches was set to be nine for the local features. Also, for all encryption techniques, we considered encrypting all images with the same and different keys.

Table 1. Impact of different perceptual encryption schemes on brain tumor image retrieval performance in comparison with that of plain images. The metric scores are reported as mean and standard deviation values (i.e., mean ± std %). D is the feature dictionary size.

D	Methods		mAP (%)	Prec@5 (%)	Prec@10 (%)
16	Non-secure	[3]	89.89 ± 1.00	87.16 ± 1.52	87.16 ± 1.45
	Secure $k_i=k_j$	[25]	81.82 ± 1.39	80.26 ± 1.18	80.39 ± 1.30
		[26]	86.66 ± 0.80	83.79 ± 1.13	83.95 ± 1.03
		[27]	81.65 ± 0.91	77.51 ± 1.55	77.50 ± 1.32
		Ours	87.06 ± 0.99	83.89 ± 1.53	83.84 ± 1.43
	Secure $k_i\ne k_j$	[25]	74.57 ± 1.46	72.57 ± 2.38	72.79 ± 2.15
		[26]	80.17 ± 2.66	75.98 ± 3.31	75.96 ± 3.39
		[27]	77.96 ± 2.16	72.61 ± 3.26	72.64 ± 3.18
		Ours	83.52 ± 1.29	80.05 ± 2.49	80.19 ± 2.45
32	Non-secure	[3]	92.49 ± 0.89	90.14 ± 0.96	90.10 ± 0.96
	Secure $k_i=k_j$	[25]	84.86 ± 0.91	82.37 ± 0.56	82.40 ± 0.55
		[26]	88.84 ± 0.74	85.99 ± 1.31	85.88 ± 1.22
		[27]	86.00 ± 1.08	81.47 ± 1.76	81.51 ± 1.67
		Ours	89.44 ± 1.33	86.40 ± 2.00	86.43 ± 1.99
	Secure $k_i\ne k_j$	[25]	77.55 ± 1.64	74.16 ± 2.36	74.06 ± 2.73
		[26]	83.42 ± 2.43	78.38 ± 3.70	78.47 ± 3.58
		[27]	80.38 ± 1.55	74.25 ± 2.35	74.30 ± 2.26
		Ours	86.32 ± 1.23	82.15 ± 2.14	82.22 ± 2.04
64	Non-secure	[3]	94.02 ± 0.88	91.75 ± 1.17	91.80 ± 1.18
	Secure $k_i=k_j$	[25]	86.51 ± 1.16	83.44 ± 0.85	83.32 ± 0.93
		[26]	90.72 ± 1.08	87.93 ± 1.63	87.97 ± 1.63
		[27]	88.80 ± 1.50	85.03 ± 1.78	85.05 ± 1.77
		Ours	91.41 ± 1.34	88.38 ± 1.54	88.44 ± 1.56
	Secure $k_i\ne k_j$	[25]	79.71 ± 2.19	74.69 ± 2.74	74.63 ± 2.73
		[26]	85.48 ± 2.23	81.21 ± 3.01	81.15 ± 3.02
		[27]	84.26 ± 1.94	79.09 ± 2.84	79.11 ± 2.84
		Ours	88.56 ± 1.82	85.22 ± 2.19	85.17 ± 2.23

compares all retrieval techniques in terms of their mAP and precision scores by varying the feature dictionary size between 16, 32, and 64. Also, the precision score was computed for different numbers of retrieved images. The metric scores are reported as the mean across the whole dataset. It can be observed that the retrieval performance of all of the techniques improved as the feature dictionary size increased in both the same keys and different keys scenarios. For a given dictionary size, the proposed scheme delivered a better performance difference between plain image and cipher image retrieval compared with the existing techniques. This difference was especially prominent when different keys were used in the cryptosystem. Furthermore, it can be observed that varying the number of retrieved images had no significant impact on the precision scores of any techniques.

As mentioned earlier, the metric scores reported thus far are the mean values across different tumor types. Therefore,

Table 2. Retrieval performance of proposed method for different brain tumor types in comparison with non-secure technique and best-performing existing secure technique [26]. The metric scores are reported as ($k_i=k_j\mid k_i\ne k_j$) for secure techniques, and $\sigma$ is the standard deviation. D is the feature dictionary size. T1, T2 and T3 correspond to meningioma, glioma and pituitary brain tumors, respectively.

D	Methods	Type	mAP (%)	Prec@5 (%)	Prec@10 (%)
16	Non-secure ([3])	T1	82.75	84.60	84.11
		T2	94.04	89.16	89.41
		T3	88.88	86.00	86.00
		$\sigma$	5.65	2.34	2.69
	Secure ([26])	T1	76.52 ∣ 70.42	79.66 ∣ 72.07	79.47 ∣ 72.10
		T2	92.75 ∣ 88.38	86.05 ∣ 79.55	86.63 ∣ 79.97
		T3	85.39 ∣ 75.43	83.92 ∣ 73.86	83.73 ∣ 73.11
		$\sigma$	8.13 ∣ 9.27	3.25 ∣ 3.91	3.60 ∣ 4.28
	Secure (Ours)	T1	76.05 ∣ 73.36	79.24 ∣ 75.31	78.59 ∣ 74.98
		T2	92.90 ∣ 91.00	86.21 ∣ 83.58	86.58 ∣ 84.11
		T3	86.85 ∣ 80.38	84.36 ∣ 78.85	84.09 ∣ 78.78
		$\sigma$	8.54 ∣ 8.88	3.61 ∣ 4.15	4.09 ∣ 4.59
32	Non-secure ([3])	T1	82.75	84.60	84.11
		T2	94.04	89.16	89.41
		T3	88.88	86.00	86.00
		$\sigma$	5.65	2.34	2.69
	Secure ([26])	T1	76.52 ∣ 70.42	79.66 ∣ 72.07	79.47 ∣ 72.10
		T2	92.75 ∣ 88.38	86.05 ∣ 79.55	86.63 ∣ 79.97
		T3	85.39 ∣ 75.43	83.92 ∣ 73.86	83.73 ∣ 73.11
		$\sigma$	8.13 ∣ 9.27	3.25 ∣ 3.91	3.60 ∣ 4.28
	Secure (Ours)	T1	76.05 ∣ 73.36	79.24 ∣ 75.31	78.59 ∣ 74.98
		T2	92.90 ∣ 91.00	86.21 ∣ 83.58	86.58 ∣ 84.11
		T3	86.85 ∣ 80.38	84.36 ∣ 78.85	84.09 ∣ 78.78
		$\sigma$	8.54 ∣ 8.88	3.61 ∣ 4.15	4.09 ∣ 4.59
64	Non-secure ([3])	T1	88.06	86.05	86.05
		T2	97.14	94.91	95.01
		T3	93.75	91.24	91.25
		$\sigma$	4.59	4.45	4.50
	Secure ([26])	T1	82.29 ∣ 75.89	80.55 ∣ 72.89	80.61 ∣ 72.98
		T2	95.48 ∣ 92.34	91.60 ∣ 86.77	91.71 ∣ 86.92
		T3	90.21 ∣ 82.72	88.30 ∣ 79.47	88.24 ∣ 79.02
		$\sigma$	6.64 ∣ 8.26	5.67 ∣ 6.94	5.68 ∣ 6.99
	Secure (Ours)	T1	83.53 ∣ 80.22	81.91 ∣ 77.90	81.60 ∣ 77.71
		T2	95.39 ∣ 94.49	91.59 ∣ 90.65	91.85 ∣ 90.79
		T3	91.74 ∣ 86.51	85.22 ∣ 83.38	89.01 ∣ 83.14
		$\sigma$	6.07 ∣ 7.15	5.01 ∣ 6.40	5.29 ∣ 6.57

evaluates the retrieval performance of the proposed method for different types of brain tumors and compares it with that of the non-secure and best-performing conventional encryption techniques [26]. It can be observed that the performance trend across all tumor types remained the same (i.e., it improved as the dictionary size increased for all techniques). In addition, the variance in retrieval performance of the proposed method across different tumor types was smaller compared with that in [26].

Finally, for visual analysis, Figure 5 shows an example query image and its corresponding retrieval results for both the non-secure and proposed secure retrieval techniques (where $k_i\ne k_j$). Though, most of the images retrieved using a cipher image query were different from those retrieved using plain image retrieval, inter-class discrimination was still preserved in the encrypted domain, as shown by the correct retrieval results.

4.2. Encryption Efficiency Analysis

• Key space analysis. In general, the key space of an encryption algorithm should be larger than $2^{100}$ to resist brute-force attacks. The secret key of our proposed scheme is generated using three random sequences by varying the control parameter of the SSLM. Considering a precision of ${10}^{14}$, the key space size can be determined to be ${\left({10}^{14}\right)}^3={10}^{42}\approx 2^{140}$, which is larger than the recommended value to resist a brute-force attack.
• Comparison with existing PE techniques. Similar to the proposed technique, the conventional PE techniques proposed in [25,26] modify only half of the pixel values. Their encryption function is an identity map for ${\mathbf{k}}_{\left(i\right)}=0$, while a cipher pixel value was computed to be ${\mathbf{p}}_{\left(i\right)}\oplus 255$ in [25] and ${\mathbf{p}}_{\left(i\right)}\oplus {\mathbf{k}}_{\left(i\right)}$ in [26] for ${\mathbf{k}}_{\left(i\right)}>0$. Consequently, each pixel is independently encrypted in them, which may make them vulnerable to select plaintext attacks. On the other hand, a PE technique was proposed in [27] where each pixel substitution is dependent on all previously encrypted pixels. Their encryption function is closely related to ours, given in Equation (6), with a difference in that the ${\mathbf{k}}_{\left(i\right)}=0$ term computes ${\mathbf{c}}_{\left(i\right)}$ as ${\mathbf{p}}_{\left(i\right)}\oplus {\mathbf{c}}_{(i-1)}$, as opposed to our identity map. This can achieve better security efficiency but at the cost of the downstream application performance, as given in Table 1.
• Robustness against ciphertext-only attacks. For this analysis, we considered a threat model where an adversary (for example, a semi-honest cloud service owner) performed a ciphertext-only attack (COA) to decrypt a cipher image without access to the secret key. A popular example of such COAs against PE was proposed in [28], where the goal was to recover partial information from a cipher image to identify its contents. This attack works by guessing the leading bit of each pixel value with respect to the neighboring pixels, and hence it is also named the “leading bit attack”. Figure 6 shows an example image (https://sipi.usc.edu/database/, accessed on 30 October 2024) recovered by performing a leading bit attack on the cipher images of different PE techniques. Here, the example is of a natural image, as it is easy to understand visually meaningful information in such images. It can be observed that the image recovered from the proposed cipher image did not reveal any information. On the contrary, a PE technique that simply inverts pixel values in an image is more susceptible to such an attack; that is, its contents can be recovered with high visibility, as shown in Figure 6b.
• Time complexity analysis. To analyze the computational overhead of the proposed PE scheme on the client side,

  Table 3. Comparison of encryption and decryption times in seconds of proposed scheme with existing techniques.

  Step	[25]	[26]	[27]	Ours
  Encryption	0.0118	0.0107	0.1429	0.0861
  Decryption	0.0119	0.0107	0.1434	0.0834

  compares its execution time with those of the schemes proposed in [25,26,27]. For this analysis, we chose 2124 images from our dataset, which were uniformly distributed among the three tumor types and each image was 512 × 512 in size. The time was reported in seconds as a mean across all of the images. It can be observed from Table 3 that a PE technique such as the one proposed in [25,26], which processes each pixel independently, had a shorter encryption time, as it is highly parallelizable. However, this can also lead to certain security vulnerabilities, such as data reconstruction attacks. On the other hand, in proposed method, only half of the current pixel processing is dependent on the previously encrypted pixel values to deliver a desirable level of security in an acceptable execution time.

4.3. Discussions

Figure 7 shows the mAP performance as a function of the dictionary size. It can be observed that the retrieval performance for the non-secure and secure methods improved similarly as the dictionary size increased. Compared with the existing techniques, our proposed scheme delivered a better performance difference between plain and cipher image retrieval in the same and different key scenarios. Though there was a difference in plain and cipher image retrieval performance, the proposed scheme outperformed the existing techniques. For example, when considering the dictionary size to be 64, the difference in the non-secure and proposed secure techniques’ mAP scores was 2.61% when $k_i=k_j$ (best case) and 5.46% when $k_i\ne k_j$ (worst case). The errors were 0.69% (best case) and 3.08% (worst case), which was less than that of the conventional best technique [26]. Therefore, the efficiency of the proposed secure system was more significant when using different keys, which is important for enabling applications where the image owner and users are not the same.

Despite achieving a better trade-off between security and retrieval performance, the limitation of the proposed secure image retrieval system comes with the extraction of an ROI and its correctness. First, the ROI needs to be extracted in the plain domain, thus necessitating computation on the client side, which could be challenging, especially in resource-constrained environments. Second, although it is not necessary to precisely segment the tumor region, as we used an augmented ROI, mislabeled tumor areas could still lead to inaccurate retrieval results.

5. Conclusions

In this work, we proposed a one-stage secure CBIR system for retrieving different types of brain tumor images in an outsourced database. In this system, the image protection algorithm belongs to perceptual encryption that preserves an image’s intrinsic characteristics while hiding only perceivable information in them. Simulation analysis demonstrated that our proposed system reduced the difference in non-secure and secure retrieval performance (both mAP and precision scores) on the same dataset using the same retrieval algorithm compared with its other secure counterparts.

In this work, similar images to a query image were retrieved by matching features extracted only from the ROI. Therefore, future research will be focused on two aspects. First, considering the selective image encryption principle in our proposed secure image retrieval scheme can further reduce the encryption time. Second, proposing a computationally efficient segmentation technique will ease the burden on the client side.