Partial image encryption using format-preserving encryption in image processing systems for Internet of things environment

Concomitant with advances in technology, the number of systems and devices that utilize image data has increased. Nowadays, image processing devices incorporated into systems, such as the Internet of things, drones, and closed-circuit television, can collect images of people and automatically share them with networks. Consequently, the threat of invasion of privacy by image leakage has increased exponentially. However, traditional image-security methods, such as privacy masking and image encryption, have several disadvantages, including storage space wastage associated with data padding, inability to decode, inability to recognize images without decoding, and exposure of private information after decryption. This article proposes a method for partially encrypting private information in images using FF1 and FF3-1. The proposed method encrypts private information without increasing the data size, solving the problem of wasted storage space. Furthermore, using the proposed method, specific sections of encrypted images can be decrypted and recognized before decryption of the entire information, which addresses the problems besetting traditional privacy masking and image encryption methods. The results of histogram analysis, correlation analysis, number of pixels change rate, unified average change intensity, information entropy analysis, and NIST SP 800-22 verify the security and overall efficacy of the proposed method.


Introduction
With continuing advancements in the development of image processing equipment, image data, such as images of people, are increasingly being collected and used in various fields. Image processing equipment is also increasingly being connected to network environments. Images are intuitive and sensitive, which means that without proper privacy protection, data leaks, such as privacy breaches, and confidential information leaks can occur. [1][2][3][4][5][6][7] As such threats increase in severity and number, concerns about privacy are growing, spurring the requirement for image information to be stored and protected by encryption based on a security algorithm. [8][9][10][11][12][13][14][15][16][17][18][19][20] Privacy masking and image encryption are commonly applied as image data security measures. Privacy masking involves methods such as blurring, mosaic masking, removal, and deformation. Blurring of a specific area in an image makes it difficult to recognize objects. Mosaic masking is a technique that blurs a specific area of a picture by weighting it in a tile form. Removal and deformation involve deleting data in a specific area or modifying data using arbitrary values. These privacy masking techniques all involve overwriting data in the original image. Although they are fast and efficient because of the low performance load involved, they make it impossible to recover the original data. [21] This results in the problem of such methods only being applicable with images that do not need to be recovered, unless the original image is stored separately. There are two methods of encrypting image data: (1) full encryption, which encrypts the entire image using the likes of block-cipher-based and chaos-map-based encryption, and (2) partial encryption, which selectively encrypts only the sensitive parts of an image. Because of the nature of image file structures, it is difficult to encrypt only a portion of an image using image full encryption.
Therefore, encrypted images cannot be recognized by users because all of the data must be encrypted, not only the data that would result in privacy violations if revealed. Private information in an image is defined as a visible face, part of the body, or vehicle registration number that could be used to identify an individual. When using a block cipher, which is typically used to encrypt text data for image encryption, the size of the encrypted image can be increased by padding. In particular, for an image, when the amount of data increases due to padding in every frame, storage space may be wasted. In this article, we propose a partial image encryption method using format-preserving encryption that can protect information requiring privacy and utilize images while overcoming these problems. Format-preserving encryption is an algorithm that is suitable for encryption of data that have a fixed length or format and characteristics that do not increase the length of the cryptogram. Therefore, it is possible to encrypt only the private information in an image, and because the data size does not increase, the encrypted data can be stored effectively without wasting storage space. The proposed method does not result in an increase in the amount of data due to the application of padding when encrypting only part of an image. In addition, the proposed method permits encrypted images to be recovered, addressing a problem associated with privacy masking. Furthermore, it allows encrypted images to be recognized by encrypting only private information. This article describes the proposed method and presents the results of comparisons of the method with existing video security methods. The remainder of this article is organized as follows. Section "Related work" gives an overview of image processing systems, traditional privacy masking methods, image encryption methods, and format-preserving encryption. Section "Contribution" introduces the advantages of the proposed method.
Section "Proposed method" describes the proposed new method for encrypting parts of images using format-preserving encryption. Section "Experiment evaluation" compares the encryption results with traditional image security. Sections "Performance" and "Optimal block size" measure the encryption/decryption speed and derive the optimal encryption block size, respectively. Section "Security evaluation" presents the results of security analyses and other comparisons of the proposed method with existing image-security techniques. Conclusions are presented in section "Conclusion."

Related work
Closed-circuit television camera system model
A closed-circuit television (CCTV) camera system takes a picture of an image and stores it as data in a manner that a user can see. In a CCTV system, a CCTV camera is connected to an image recorder. A digital video recorder (DVR) processes the codec algorithm and analog image that fit the image sent from various types of CCTVs into the type and form that fits the intended purpose. The video is stored on a hard disk in the DVR machine and is transmitted to a video storage server using Secure Sockets Layer (SSL)-encrypted communication. The video storage server encrypts and stores all the video sent from the DVR to protect private information. Control room operators and external users can see the images saved in the data storage server with appropriate user authentication. Figure 1 shows a schematic illustration of the CCTV camera system model.

Privacy masking techniques
Privacy masking techniques, such as blurring, mosaic masking, removal, and deformation, protect sensitive or personal information by changing some data in an image so that the original information cannot be seen. When these methods are used, it is difficult to recover the original image. Blurring and mosaic masking techniques blur the original image so that it cannot be properly recognized. Removal and deformation methods delete original image pixel values or overwrite original image pixel values with different values using arbitrary values. Privacy masking methods do not permit recovery of the original image because the original image data are modified. Another disadvantage of such methods is that the original image must be inferred, although the exact original is unknown.

Image encryption
There are two ways to protect an image from eavesdropping and leakage: full encryption and partial encryption. Full image encryption, that is, encryption of the entire image, is used when it is necessary to perform encryption efficiently and quickly. Symmetric key block-cipher-based or chaotic-map-based image encryption methods, as well as convolution operation-based and hyper-chaos-based encryption, are currently being studied. [22][23][24][25][26][27][28][29][30] Partial image encryption, also known as "selective image encryption," is used to protect sensitive information within an image. Partial image encryption includes a method for selective encryption of a specific spatial area [31][32][33][34][35][36] and another method used to encrypt part of an image based on unique attributes such as the frequency of the image. [37,38]

Format-preserving encryption
Format-preserving encryption is an encryption approach in which the image data length is the same as that of the plain text and the form is that of the cipher. [39] Based on the prefix cipher, cycle-walking cipher, generalized Feistel cipher, rank-then-encryption (RTE), and the tweak concept, practical approaches to format-preserving encryption have been proposed. [40,41] Standard format-preserving encryption methods that have been proposed include FF1 (FFX mode), FF2 (VAES3), and FF3 (BPS). [42][43][44][45][46] However, with the discovery of security vulnerabilities in FF2 and FF3, FF3-1, which is a modification of FF1 and FF3, has been established as the US National Institute of Standards and Technology (NIST) standard. [47,48] Standard format-preserving encryption requires three pieces of information for encryption: plain text, a key, and a tweak. It does not matter if the tweak is public. Even if the key is the same as the plain text, it is safe from codebook attack because the cipher text changes every time the tweak changes.
The method proposed in this article uses FF1 and FF3-1, standard format-preserving encryption methods. Figure 2 shows the Feistel structure of FF1 and FF3-1.
FF1 and FF3-1 divide plain text into components $A_0$ and $B_0$ in the best possible balance. For example, if you divide 10-byte plain text, the first five bytes are $A_0$ and the last five bytes are $B_0$. $B_0$ is encrypted using the advanced encryption standard (AES) encryption function $F_K$, along with the byte length $n$, tweak $T$, and round number of the message. The key uses a 128-bit AES key. The encrypted value is added to $A_0$, and then mod radix calculation is performed to make $C_0$. $C_0$ becomes $B_1$, $B_0$ becomes $A_1$, and a round ends. This process is repeated 10 times in total. Finally, when $A_{10}$ and $B_{10}$ are concatenated, the encryption process ends.

Contribution
The proposed method has the following three advantages: (1) specific spatial image partial encryption is possible; (2) the amount of image data does not increase as a result of padding; and (3) images can be used without exposing information requiring privacy.
Traditional image protection methods include privacy masking, image full encryption, and image partial encryption. Privacy masking incurs a problem in that it cannot be decrypted. The image full encryption method encrypts all the pixels so that the image cannot be recognized at all until after decryption, and once decrypted, information requiring privacy cannot be protected. Traditional image partial encryption encrypts a large rectangular range that includes the area requiring protection. This incurs a problem in that even non-sensitive parts of the image are encrypted. In addition, the use of a block cipher causes problems because it produces an image file that does not conform to the structure determined by padding. The proposed method performs encryption by targeting a pixel range that specifically covers an area that the user wishes to encrypt. There are various methods for detecting objects to be encrypted in images, such as the use of deep learning, OpenCV, or software. 36,[49][50][51] The data can be recognized and used normally except for the encrypted area, such that images can still be used while protecting private information. For example, if the traditional image partial encryption was used to partially encrypt the license plate of a parked vehicle, and the person inside, as captured by CCTV, the entire image or the vehicle's license plate and the person to be encrypted must be encrypted with a rectangle. Encrypting an unnecessarily large image can adversely affect image recognition. In contrast, the proposed method allows encryption of just the license plate and the person in the car. Therefore, it is possible to collect images while solving the problem of invasion of citizens' privacy. In addition, privacy masking is not decrypted, but the proposed method has the advantage of allowing the decryption and use of an encrypted area as needed (such as in the case of a crime committed in the street). 
The format-preserving encryption used for encryption can encrypt even short-length data without padding. Therefore, there is no increase in the amount of data due to padding.

Partial image encryption using format-preserving encryption
This article proposes an image partial encryption method based on format-preserving encryption. It was implemented and tested using FF1 and FF3-1. The proposed method, which can be used to select and encrypt a portion of an image while preserving the data size, consists of three steps: (1) selection of the encryption area, (2) encryption of image pixel values using format-preserving encryption, and (3) storage of encrypted image pixel values. First, to select the area to be encrypted in a video, the area that corresponds to private information that can identify an individual, such as a face, a part of a body, or a vehicle number, must be identified. The X and Y coordinate values of all pixels in the selected area are checked, and the pixel values are stored in the byte array. For example, a red-green-blue (RGB)-format image stores three bytes of pixel values per pixel, while a gray-format image stores one byte of pixel values per pixel. The proposed method can be applied to both RGB- and gray-format images. The pixel values stored in the byte array are encrypted using format-preserving encryption. When encrypting using format-preserving encryption, data can be divided by block size. In this article, the block size is set to 24 bytes for FF1 and 32 bytes for FF3-1. Details of the block size setting are described in section "Optimal block size." The encryption process requires plain text, a key, and a tweak. The plain text is the pixel value of the selected area, and the key uses a 128-bit AES key. The tweak uses the X and Y coordinates of all of the pixel data in the block to be encrypted. Format-preserving encryption uses a tweak in the encryption and decryption process, unlike ordinary block ciphers. If the pixel values are encrypted using the same tweak, one can visually infer the original image because the same pixel value becomes the same cipher text. In this case, the correlation between pixels may be vulnerable to known and selective plain text attacks. [52,53]
To solve this problem, the tweak must be a constantly changing value. The proposed method uses as the tweak the value obtained by concatenating the X and Y coordinates of the pixel value to be encrypted. The final step in the process is the encryption of all the pixel values in the selected area. The decryption process is the reverse of the encryption process. Table 1 summarizes the fields and functions used in the encryption/decryption process of the proposed method. Figure 3 shows the entire process of encrypting pixel values in an RGB-format image using the proposed method. Algorithm 1 shows the process of dividing the pixel value into predetermined block units before the encryption process of the proposed method is applied. Algorithm 2 calculates tweak T values used in fpeEncryption and fpeDecryption. Algorithms 3 and 4 detail the fpeEncryption and fpeDecryption processes of the proposed method, respectively. Figure 4 presents an example of the encryption process used in the proposed method.
As shown in Figure 3, we select the X and Y coordinates and the pixel values of the privacy information in the image. Then, a PixelArray is created by concatenating the selected pixel values in 24 bytes. PixelArray values are computed with the fpeEncryption and fpeDecryption functions, respectively, according to encryption/decryption. As a result, the pixel data EncPixel value encrypted in the generated C are stored as the pixel values of the existing X and Y coordinates. As Figure 4 shows, only the area selected as the private information in the original image is encrypted. In addition, the private information can be encrypted and protected, and users can use encrypted images.
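The procedure described above (select the region, pack its pixel values into 24-byte blocks, build the tweak from the X and Y coordinates, encrypt, store the result at the same coordinates) is shown here as an added Python sketch; it is not the paper's code. It keeps the FF1-style alternating Feistel over radix 256 with 10 rounds but, as an assumption, replaces the AES-based round function $F_K$ with HMAC-SHA256, so it is not interoperable with FF1 or FF3-1; the frame, region, key and the 2-byte coordinate encoding are constructed for illustration.

```python
import hashlib
import hmac

ROUNDS = 10        # the Feistel round is repeated 10 times, as described on the page
BLOCK_BYTES = 24   # block size the page selects for FF1 (8 RGB pixels)


def _num(b):
    return int.from_bytes(b, "big")


def _round_value(key, tweak, n, i, half, m):
    # Assumed stand-in for F_K: HMAC-SHA256 over the byte length n, the tweak,
    # the round number i and the other half, reduced modulo 256**m.
    msg = (n.to_bytes(4, "big") + len(tweak).to_bytes(4, "big")
           + tweak + bytes([i]) + half)
    return _num(hmac.new(key, msg, hashlib.sha256).digest()) % 256 ** m


def feistel(key, tweak, data, decrypt=False):
    """Length-preserving Feistel over byte strings (radix 256)."""
    n = len(data)
    if not 2 <= n <= 32:
        raise ValueError("block must be 2..32 bytes")
    u = n // 2
    v = n - u
    a, b = data[:u], data[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in order:
        m = u if i % 2 == 0 else v
        if decrypt:
            c = (_num(b) - _round_value(key, tweak, n, i, a, m)) % 256 ** m
            a, b = c.to_bytes(m, "big"), a
        else:
            c = (_num(a) + _round_value(key, tweak, n, i, b, m)) % 256 ** m
            a, b = b, c.to_bytes(m, "big")
    return a + b


def process_region(image, width, coords, key, decrypt=False):
    """Encrypt or decrypt, in place, the RGB pixels listed in coords [(x, y), ...]."""
    per_block = BLOCK_BYTES // 3
    for start in range(0, len(coords), per_block):
        block = coords[start:start + per_block]
        # Tweak: concatenated X and Y coordinates of every pixel in the block.
        tweak = b"".join(x.to_bytes(2, "big") + y.to_bytes(2, "big") for x, y in block)
        offsets = [3 * (y * width + x) for x, y in block]
        pixels = b"".join(bytes(image[o:o + 3]) for o in offsets)
        out = feistel(key, tweak, pixels, decrypt)
        for k, o in enumerate(offsets):
            image[o:o + 3] = out[3 * k:3 * k + 3]


def demo():
    width, height = 16, 12
    # Constructed flat-colour RGB frame: every block has identical plaintext.
    frame = bytearray(bytes([40, 80, 120]) * (width * height))
    # Constructed L-shaped (non-rectangular) region: 19 pixels, so the blocks
    # are 24, 24 and 9 bytes long and the last one needs no padding.
    region = [(x, 2) for x in range(3, 14)] + [(3, y) for y in range(3, 11)]
    key = bytes(range(16))  # constructed 128-bit key, illustration only
    encrypted = bytearray(frame)
    process_region(encrypted, width, region, key)
    restored = bytearray(encrypted)
    process_region(restored, width, region, key, decrypt=True)
    return frame, encrypted, restored, region, width


if __name__ == "__main__":
    frame, encrypted, restored, region, width = demo()
    print("size unchanged:", len(frame) == len(encrypted))
    print("round trip ok:", restored == frame)
```

Because the frame is a single colour, the first two blocks carry identical plaintext; they encrypt differently only because their coordinate-derived tweaks differ, which is the property the tweak is there to provide.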

Application scenario
The proposed method can be used in various applications such as CCTV camera systems and image drone systems. Figure 5 is an activity diagram of a scenario in which the proposed method is applied to a CCTV camera system.
As shown in the figure, a CCTV camera shoots the video, which is then transmitted to the storage server. The server encrypts the privacy information of the video received from the CCTV camera using the proposed method and stores the video in the server. Security officers and general users can view the videos with privacy information encrypted by connecting to the server or over the Internet. Figure 6 shows a CCTV camera system incorporated with improved security and applicability provided by the proposed method.

Experimental results
The proposed method was applied to images ( SIPI database of various formats and sizes. Figure 7 shows the original image, while Figures 8-10 show the results of full image encryption using AES, FF1, and FF3-1, respectively. Figures 11 and 12 show the results of encrypting only the information requiring privacy in the image using the proposed method.

Table 1. Fields and functions used in the encryption/decryption process.
[X]^s: Representation of X as a byte string of s bytes
AES_K(X): Function for AES encryption of X using key K
PRF(X): Function to perform initialization vector operation for CBC process
HTD(X): Function to convert hexadecimal data to decimal data
DTH_r(X): Function to convert decimal data to hexadecimal data of length r
AES: advanced encryption standard; CBC: cipher block chaining.

Increasing data size in videos
A video is data in which multiple frames are collected. When a captured video is encrypted in real time, the image data size may increase due to padding. Table 2 summarizes the increase in the data size over time when all the frames of a captured video are encrypted in real time. The data size increases as a result of the addition of 16 bytes padding data to every frame under various frame conditions. The units are Mb. For CCTV, which involves the continuous recording of video, the size of the video may increase over time such that storage space is wasted. As the number of CCTV cameras capturing video increases, the wastage of server storage space worsens.

Comparison with traditional image-security methods
The proposed method was compared with the traditional image-security methods to assess the possibility of decryption, the degree to which file sizes increase, and the possibility of recognizing encrypted images. The following problems arise when the traditional image-security approach is applied to an image processing system. Privacy masking prevents decoding because the original data are lost by modifying pixel values. Full image encryption using a block encryption method, such as AES, does not permit encryption of a part of an image; the entire image must be encrypted. Therefore, the image cannot be used until decoding is performed, and private information is exposed when the decoding is performed. In addition, because of the characteristics of the block code, the size of the image is invariably increased by padding. Figure 13 shows the results of encryption using privacy masking, image full encryption, and the proposed method. Figure 13(b) shows that private information can be inferred when mosaic masking is used and is not decrypted. Figure 13(b) shows a mosaic image using the pixelate of Adobe Photoshop. Figure 13(c) shows the image encrypted for all pixel data using AES-128 CBC mode. The encrypted image is unrecognizable, and the data size is increased by padding. Figure 13 ... the images while private information remains protected, without decrypting the data. In general, no decryption is required, so no key exchange is required, and because no padding is required for encryption, storage space is not wasted.

Algorithm 1 (surviving steps):
    PixelArray_i = SelectPixel[q+1 ... q+8]
    end for
    PixelArray_m = SelectPixel[8(m−1)+1 ... n]
    Return PixelArray = PixelArray_1 ∥ PixelArray_2 ∥ ... ∥ PixelArray_m
    end procedure

Algorithm 2. Tweak schedule (surviving steps):
    end for
    Return T = T_1 ∥ T_2 ∥ ... ∥ T_m
    end procedure
Table 3 compares the results of the proposed method and traditional image-security methods in three respects: whether image decryption is permitted, whether and how file size is increased, and whether encrypted images can be recognized. The proposed method solves the problems associated with privacy masking (i.e. that encrypted images cannot be decrypted) and encryption using block ciphers (i.e. increased file size and wasted storage space). The proposed method improves security by encrypting only private information in the image and improves the availability of images to users by providing image information other than private information.

Speed
We verified the performance of the proposed scheme by measuring the encryption/decryption rates for Figures 8-12. The experimental results are listed in Table 4.

Optimal block size
To improve the encryption/decryption speed of the proposed scheme, we determined the optimal block size when encrypting with the FF1 and FF3-1 algorithms.
FF1 and FF3-1, as used in the proposed method, do not have a fixed block length because they must be able to encrypt various lengths. As the time required to encrypt an image varies depending on the length of the block, the length of a block suitable for encryption/decryption should be set. Figure 14 is a graph showing the encryption times for FF1 and FF3-1 according to block length using Figure 7(c) and (d). As the length of the block increases, the encryption speed of FF1 also increases, but it is slightly slower at 25 bytes. FF1 was the fastest from a length of 25 + (32 × a) bytes (e.g. 25, 57, 89). FF3-1 gets faster as the block length increases. Because of the characteristics of the algorithm, the block length of FF3-1 was set to a maximum of 32 bytes and tested. As a result, it can be seen that 32 bytes is the most efficient block length. Therefore, in the encryption process of the proposed method, FF1 encrypts the plain text into 24-byte units and FF3-1 encrypts it into 32 bytes.

Algorithm 3 (fpeEncryption), surviving steps:
    ... ∥ [u mod 256]^1 ∥ [n]^4 ∥ [t]^4
    for i in 0 to 9 do
    S be the first d bytes of the following string of ⌈d/16⌉ blocks:

Algorithm 4 (fpeDecryption), surviving steps:
    ... ∥ [u mod 256]^1 ∥ [n]^4 ∥ [t]^4
    for i in 9 to 0 do
    S be the first d bytes of the following string of ⌈d/16⌉ blocks:

Security evaluation
To evaluate the security of the proposed method, histogram, correlation coefficient, number of pixels change

Histogram analysis
A histogram analysis graphically illustrates the weights of the pixel values in an image. The more uniform the histogram distribution value, the better the security. Figure 15 shows the histogram results for Figures 7-12.
The histogram distributions of the original images are all unbalanced. However, for full encryption, AES, FF1, and FF3-1 all produce balanced histogram graphs.

Correlation coefficient analysis
Correlation coefficient analysis indicates the independence of two images through correlation calculation between pixels. If the correlation value is linear, the independence of the two images is not good. The more nonlinear the correlation values, the more independent the two images. In other words, the higher the correlation between the two images, the closer the absolute value of the weight is to 1; conversely, the higher the independence, the closer the absolute value of the weight is to 0. Formula (1) is used to calculate the correlation value, where x and y are the mean pixel values of the two images and N is the total number of pixels

$\operatorname{cov}(x, y) = \frac{1}{N} \cdots$

Table 5 shows the correlation coefficient weight values for RGB and gray images with respect to the original image for AES and the proposed method. These results show that the proposed method yields a correlation coefficient weight value similar to those obtained by image encryption with AES.

NPCR and UACI analysis
The resistance to a chosen plain text attack (differential attack) was evaluated using NPCR and UACI for an image encrypted using the proposed method and block cipher encryption. NPCR is the pixel variation rate between the plain text and the encrypted image, and UACI is the average variation intensity of plain text and the encrypted image. This analysis method can reveal whether the change in the original image affects encryption. If the original image is greatly changed in comparison with the encrypted image, it can be said to have good resistance to a chosen plain text attack (differential attack). NPCR and UACI are calculated using formulas (5)-(7) [54,55]
Figure 15. Results of histogram analysis.
In formula (6), $C_1$ denotes a plain image, $C_2$ denotes an encrypted image, and $w$ and $h$ are the horizontal and vertical sizes of the image, respectively. $F$ is a value that represents the maximum support pixel value compatible with the image format of the cipher text, and the image of the 8-bit format is 255. Tables 6 and 7 present the NPCR and UACI values, respectively, obtained for images in RGB and gray formats with These results show that the proposed method yields NPCR and UACI values similar to those obtained through image encryption using block cipher (AES). In other words, the proposed method is as safe as image encryption using a block cipher (AES).

Information entropy analysis
Information entropy analysis is used to measure the complexity of the encrypted data. The encrypted data must be complex enough to prevent information on the original data from being obtained. The optimal entropy value of the RGB and gray images used is 8. Table 8 lists the entropy values for the original images in RGB and gray formats and those achieved by encrypting the images using the proposed method and full encryption.
The results in Table 8 show that the proposed method and image encryption using a block cipher
Table 5. Results of correlation coefficient analysis.
Table 6. Results of NPCR analysis.
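The evaluation measures used in this section, written out as an added Python example that is not the paper's code: NPCR, UACI, Shannon entropy and the Pearson correlation coefficient in their standard definitions (assumed to correspond to the paper's numbered formulas), with $C_1$ the plain image, $C_2$ the encrypted image and $F$ = 255. The plain image is constructed, and the "encrypted" image is a constructed SHA-256 counter stream standing in for cipher output, not FF1 or FF3-1 output.

```python
import hashlib
import math


def npcr(c1, c2):
    """Percentage of pixel positions whose values differ between c1 and c2."""
    return 100.0 * sum(a != b for a, b in zip(c1, c2)) / len(c1)


def uaci(c1, c2, f=255):
    """Mean absolute pixel difference as a percentage of F (255 for 8-bit data)."""
    return 100.0 * sum(abs(a - b) for a, b in zip(c1, c2)) / (f * len(c1))


def entropy(data):
    """Shannon entropy in bits per byte; 8 is the optimum for 8-bit pixel data."""
    counts = [0] * 256
    for value in data:
        counts[value] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def correlation(x, y):
    """Pearson correlation coefficient between two equally sized images."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    var_x = sum((a - mx) ** 2 for a in x) / n
    var_y = sum((b - my) ** 2 for b in y) / n
    return cov / math.sqrt(var_x * var_y)


def stand_in_ciphertext(n, seed=b"constructed"):
    """Constructed pseudo-random bytes used in place of real cipher output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def evaluate():
    # Constructed 256 x 256 gray image using only 32 of the 256 possible values,
    # i.e. an unbalanced histogram like the original images discussed above.
    plain = bytes(100 + (i % 32) for i in range(256 * 256))
    cipher = stand_in_ciphertext(len(plain))
    return {
        "npcr": npcr(plain, cipher),
        "uaci": uaci(plain, cipher),
        "entropy_plain": entropy(plain),
        "entropy_cipher": entropy(cipher),
        "correlation": correlation(plain, cipher),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.4f}")
```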

NIST SP 800-22 tests
NIST SP 800-22 tests were used to test the cipher randomness. [56] The goal of those tests is to analyze the randomness of the encrypted image data. The analysis consisted of 15 tests. For the experimental results obtained in this study, tests were performed on the data for the encrypted region in the 1024 × 1024 size image of Figures 11 and 12, and all the tests were passed to verify the randomness. The test results are listed in Table 9.

Security analysis comparison
To evaluate the security level of images encrypted with AES and with the proposed method, histogram, correlation, NPCR, UACI, information entropy analysis, and NIST SP 800-22 were performed as described above.
The distribution of the histogram and correlation coefficient of the proposed method is good, and the results of NPCR and UACI are very close to those obtained with encryption using AES. In addition, the value of the information entropy is as close to the optimal value as that of the AES-encoded image. Finally, all the NIST SP 800-22 tests were passed. Therefore, the proposed method can be said to be a safe means of using both FF1 and FF3-1.

Conclusion
In this article, we proposed a method for partially encrypting private information, such as faces and body parts, in images using the format-preserving encryption standards FF1 and FF3-1. Traditional image protection technology has problems such as increasing data by padding and storage space wastage over time. Furthermore, as the entire image is encrypted, the image cannot be recognized before decryption and, once decrypted, information requiring privacy is exposed. Traditional partial image encryption incurs a problem in that unnecessary portions are encrypted by encrypting a rectangular area that covers the information requiring privacy. The proposed method solves this problem. The proposed method has no padding, so there is no increase in the data size, and the information requiring privacy can be specifically set and encrypted.

Figure 11  7.3347614  6.4000599  7.218075  7.5697277  7.858972  6.8655011
Figure 12  7.3287123  6.3991863  7.2180681  7.5699342  7.8589302  6.8651993
Table 9. Results of NIST SP 800-22 tests.
In this study, we measured the encryption and decryption speed of the proposed method and determined the most suitable block unit for encryption to improve the encryption and decryption speed of the image part. The security of the proposed method was evaluated through analysis of histograms, correlation coefficients, NPCR, UACI, information entropy, and NIST SP 800-22. We verified through experiments that the proposed method is as secure as encryption using AES. The proposed method can be used in various environments that use images, such as Internet of things (IoT), drones, and CCTV, and can be useful in responding to image leakage threats, such as privacy invasion and confidential information leakage.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National