Facial image publication with differential privacy
Zhang Xiaojian1, Fu Congcong1, Meng Xiaofeng2
1. School of Computer & Information Engineering, Henan University of Economics and Law, Zhengzhou 450046, China;
2. School of Informatica, Renmin University of China, Beijing 100872, China
Supported by: National Natural Science Foundation of China (61502146, 91646203, 91746115, 61572420); National Natural Science Foundation of Henan Province, China (162300410006); The Key Technologies R&D Program of Henan Province, China (172102310713)

Objective Facial image publication (FIP) in a direct way may lead to privacy leakage of individuals because facial images are inherently sensitive. To protect the private information in facial images, this paper proposes an efficient publishing algorithm called FIP that is based on Fourier transform combined with differential privacy, which is the state-of-the-art model to address privacy concerns. Method First, this algorithm uses the real-valued matrix to model the facial image, in which each cell corresponds to each pixel point of the image. Then, on the basis of the matrix, this algorithm relies on the Fourier transform technique to extract the Fourier coefficients (e.g., a pre-defined limit $k$ on the coefficients sampled) and then uses the Laplace mechanism to inject noise into each coefficient to ensure differential privacy. Finally, this algorithm uses Fourier inverse transform to reconstruct the noisy facial image. However, in the FIP algorithm, we encounter two sources of errors:1) the Laplace error (LE) due to the Laplace noise injected and 2) the reconstruction error (RE) caused by the lossy compression of Fourier transform. The selection of $k$ is a serious dilemma:for the FIP algorithm to produce the low LE, $k$ cannot be large, whereas a small $causes the RE to be extremely large. However, increasing$k$would cause RE to be small but LE to be extremely large. Furthermore,$ cannot be directly tuned on the basis of facial images; otherwise, the selection of $k$ itself reveals private information in facial images and violates differential privacy. Therefore, a differentially private $k$ value is vital in balancing the LE and RE in sanitized facial images. To remedy the deficiency of FIP, we present exponential mechanism-based $k$ coefficient sampling (EMK), a $k$ coefficient sampling algorithm that adopts exponential mechanism to select the suitable coefficients but eliminates the dependency on a pre-defined $k$. The core of EMK is to sample $k$ coefficients first by using a portion of the privacy budget in different candidate coefficients set via exponential mechanism and uses the Laplace noise to perturb the $k$ samples by utilizing the remaining budget. On the basis of the sequential composition of differential privacy, the two phases meet $\varepsilon$-differential privacy. The EMK algorithm, however, does not exploit the correlation over all coefficients, which may generate a large candidate sampling set and an inaccurate $k$ selection. We notice that the discrete real-valued Fourier coefficients are correlated as they are half-redundant. On the basis of this observation, a boosted EMK (BEMK) is proposed to address the problem in EMK. The main idea of BEMK is to use the conjugate symmetry of discrete real Fourier transform to compress the candidate set and adopt the exponential mechanism to select the $k$ coefficients in the compressed candidate set. Result On the basis of the SVM classification and principal component analysis technique, comprehensive experiments were conducted over four real facial image datasets ((CMU), (ORL), Yale, and YaleB) to evaluate the quality of the facial images generated from the BEMK, EMK, FIP, and LAP algorithms using a variety of metrics, including precision, recall, and F1 score. Our experiments show that the proposed BEMK, EMK, and FIP algorithms outperform LAP in terms of the abovementioned four metrics. BEMK applies to the four datasets and achieves better accuracy than EMK and FIP. For example, on the CMU dataset, we fix the matrix=128×128 and vary the privacy budget $\varepsilon$ (i.e., 0.1, 0.5, 0.9, and 1.4) to study the accuracy of each algorithm. Tables 1-12 show the results. As expected, the accuracy measures of all algorithms increase when $\varepsilon$ increases. When $\varepsilon$ varies from 0.1 to 1.4, BEMK still achieves a better precision, recall, and F1 score than the other algorithms. Their values are 88%, 90%, and 89%, respectively. Conclusion We provide both in-depth theoretical analysis and extensive experiments to compare BEMK with EMK, FIP, and LAP. Results show that the proposed algorithms can overcome the privacy leakage of FIP. BEMK significantly improves compared with the other three algorithms. Moreover, BEMK also maintains good robustness and generates high-quality synthetic facial images while still satisfying differential privacy.

facial image processing; privacy protection; differential privacy; Fourier transform

0 引言

1) 为了降低人脸图像中噪音的影响，提出一种基于离散傅里叶变换的图像压缩方法FIP(facial image publication)，针对所压缩的图像添加相应的拉普拉斯噪音；

2) 为了减少傅里叶变换带来的重构误差，提出了两种基于指数机制的傅里叶系数选择方法EMK(exponential mechanism-based k coefficients sampling)与BEMK(boosted exponential mechanism-based k coefficients sampling)。这两种算法利用指数机制在系数空间中挑选合适的k值进行图像压缩，并且使挑选k值的过程满足差分隐私。

3) 理论证明所提出的人脸图像发布方法满足$\varepsilon$-差分隐私。在4种真实的人脸库上验证了所提出方法的有效性与可用性。

2.1 差分隐私

 $\Delta f = \mathop {\max }\limits_{\mathit{\boldsymbol{W}},\mathit{\boldsymbol{W'}}} {\left\| {f\left( \mathit{\boldsymbol{W}} \right) - f\left( {\mathit{\boldsymbol{W'}}} \right)} \right\|_p}$ (2)

 $\begin{array}{*{20}{c}} {M\left( D \right)}=\\ {f\left( D \right) + \left\langle {la{p_1}\left( {\Delta f/\varepsilon } \right), \cdots ,la{p_d}\left( {\Delta f/\varepsilon } \right)} \right\rangle } \end{array}$ (3)

 $\begin{array}{*{20}{c}} {M\left( {\mathit{\boldsymbol{W}},k} \right) = }\\ {\left\{ {k\left| {\mathit{Pr}\left[ {k \in O} \right] \propto \exp \left( {\frac{{\varepsilon \times u\left( {\mathit{\boldsymbol{W}},k} \right)}}{{2\Delta u}}} \right)} \right.} \right\}} \end{array}$ (4)

 $DF{T^{{\rm{real}}}}\left( \mathit{\boldsymbol{W}} \right) = \left( {{F_0}, \cdots ,{F_q}} \right)$ (7)

2.3 问题描述

2) ${\mathit{\boldsymbol{F}}^k}$${\mathit{\boldsymbol{F}}^n} //取{\mathit{\boldsymbol{F}}^n}的前k×k个傅里叶系数 3) for r from 1 to k//r是矩阵的行 4) for c from 1 to k//c是矩阵的列 5) {{\mathit{\boldsymbol{\tilde F}}}^k}(r, c)←{{\mathit{\boldsymbol{\tilde F}}}^k}(r, c)+2×lap({{\Delta _1}{\mathit{\boldsymbol{F}}^k}/\varepsilon }) 6) {{\mathit{\boldsymbol{\tilde F}}}^k}$${{\mathit{\boldsymbol{\tilde F}}}^k}$${{\mathit{\boldsymbol{\tilde F}}}^k}(r, c) 7) {{\mathit{\boldsymbol{\tilde F}}}^n}←ZeroFilln({{\mathit{\boldsymbol{\tilde F}}}^k}) //对{{\mathit{\boldsymbol{\tilde F}}}^k}进行补0操作 8) return \mathit{\boldsymbol{\widetilde W}}$$IDFT$ (${{\mathit{\boldsymbol{\tilde F}}}^n}$)

 $RE\left( {\mathit{\boldsymbol{\tilde W}}} \right) = \sqrt {\sum\limits_{i = k + 1}^n {{{\left| {{F_{i - 1}}} \right|}^2}} }$ (9)

 $LE\left( {\mathit{\boldsymbol{\tilde W}}} \right) = {\rm{E}}\left( {\sqrt {\sum\limits_{i = 1}^k {\sum\limits_{i = 1}^k {4{{\left( {{\Delta _1}{\mathit{\boldsymbol{F}}^k}/\varepsilon } \right)}^2}} } } } \right)$

 $\begin{array}{*{20}{c}} {Error\left( {\mathit{\boldsymbol{\tilde W}}} \right) = {\rm{E}}{{\left\| {\mathit{\boldsymbol{\tilde W}} - \mathit{\boldsymbol{W}}} \right\|}_2} = {\rm{E}}\left( {\sqrt {\left\| {\mathit{\boldsymbol{\tilde W}} - \mathit{\boldsymbol{W}}} \right\|_2^2} } \right) \le }\\ {\sqrt {{\rm{E}}\left( {\left\| {\mathit{\boldsymbol{\tilde W}} - \mathit{\boldsymbol{W}}} \right\|_2^2} \right)} = \sqrt {{{\left( {RE\left( {\mathit{\boldsymbol{\tilde W}}} \right)} \right)}^2} + {{\left( {LE\left( {\mathit{\boldsymbol{\tilde W}}} \right)} \right)}^2}} \le }\\ {RE\left( {\mathit{\boldsymbol{\tilde W}}} \right) + LE\left( {\mathit{\boldsymbol{\tilde W}}} \right) = }\\ {\sqrt {\sum\limits_{i = k + 1}^n {{{\left| {{F_{i - 1}}} \right|}^2}} } + \sqrt {\sum\limits_{i = 1}^k {\sum\limits_{i = 1}^k {4{{\left( {{\Delta _1}{\mathit{\boldsymbol{F}}^k}/\varepsilon } \right)}^2}} } } = }\\ {\sqrt {\sum\limits_{i = k + 1}^n {{{\left| {{F_{i - 1}}} \right|}^2}} } + \frac{{2k{\Delta _1}{\mathit{\boldsymbol{F}}^k}}}{\varepsilon }} \end{array}$ (10)

 $\sum\limits_{i = 1}^n {\left| {{\mathit{\boldsymbol{\alpha }}_i}} \right|\left| {{\mathit{\boldsymbol{\beta }}_i}} \right|} \le {\left( {\sum\limits_{i = 1}^n {{{\left| {{\mathit{\boldsymbol{\alpha }}_i}} \right|}^p}} } \right)^{\frac{1}{p}}}{\left( {\sum\limits_{i = 1}^n {{{\left| {{\mathit{\boldsymbol{\beta }}_i}} \right|}^q}} } \right)^{\frac{1}{q}}}$ (11)

4) for $r$ from 1 to $k$//$r$是矩阵的行

5) for $c$ from 1 to $k$//$c$是矩阵的列

6) ${{\mathit{\boldsymbol{\tilde F}}}^k}\left({r, c} \right)$${\mathit{\boldsymbol{F}}^k}\left( {r, c} \right) = 2lap\left( {{\Delta _1}{\mathit{\boldsymbol{F}}^k}/\varepsilon } \right) 7) {\mathit{\boldsymbol{\tilde F}}}$${{\mathit{\boldsymbol{\tilde F}}}^k} \cup {{\mathit{\boldsymbol{\tilde F}}}^k}\left( {r, c} \right)$

8) ${{\mathit{\boldsymbol{\tilde F}}}^n}$←ZeroFilln(${{\mathit{\boldsymbol{\tilde F}}}^k}$)//对${{\mathit{\boldsymbol{\tilde F}}}^k}$进行补0操作

9) return $\mathit{\boldsymbol{\widetilde W}}$$IDFT ({{\mathit{\boldsymbol{\tilde F}}}^n}) EMK方法首先在{\mathit{\boldsymbol{F}}^n}向量中计算每个打分函数值(如步骤2))，然后采用指数机制以概率Pr(k)挑选合适的k值(如步骤3))，针对所挑选的k值，采用拉普拉斯机制对每个傅里叶系数进行噪音扰动(如步骤4)—7))，最后是ZeroFill补零与IDFT操作，进而获得\mathit{\boldsymbol{\widetilde W}} EMK方法利用指数机制实现k值的挑选。然而指数机制的关键之处是设计高效的打分函数。打分函数的优劣直接决定着所挑选k值的合理性。合理的k值能够均衡RE(\mathit{\boldsymbol{\widetilde W}})与LE(\mathit{\boldsymbol{\widetilde W}})。本文利用定理2中的总体误差来设计打分函数{U\left( {\mathit{\boldsymbol{W}}{\rm{, }}\mathit{k}} \right)}$${U\left( {\mathit{\boldsymbol{W}}{\rm{, }}\mathit{k}} \right)}$越大说明总体误差越小。具体公式为

 $U\left( {\mathit{\boldsymbol{W}},k} \right) = \sqrt {\sum\limits_{i = k + 1}^n {{{\left| {{F_{i - 1}}} \right|}^2}} } + \frac{{2k{\Delta _1}{\mathit{\boldsymbol{F}}^k}}}{\varepsilon }$ (12)

 $\begin{array}{*{20}{c}} {\mathit{Pr}\left( k \right) \propto \exp }\\ {\left( { - \varepsilon \left( {\sqrt {\sum\limits_{i = k + 1}^n {{{\left| {{F_{i - 1}}} \right|}^2}} } + \frac{{2k{\Delta _1}{\mathit{\boldsymbol{F}}^k}}}{\varepsilon }} \right)/2{\Delta _1}U} \right)} \end{array}$ (13)

3) ${\mathit{\boldsymbol{F}}^k}$${\mathit{\boldsymbol{F}}^q}$$\forall 1 \le k \le q$//取前$k$×$k$个系数

4) for $k$ from 1 to $q$

5) 计算$U\left( {\mathit{\boldsymbol{W}}{\rm{, }}\mathit{k}} \right) = \sqrt {\sum\limits_{i = k + 1}^q {2{{\left| {{F_{i-1}}} \right|}^2}} } + \frac{{2k{\Delta _1}{F^k}}}{\varepsilon }$

6) 以概率$\mathit{Pr}\left( k \right)$${\rm{exp}}\left( {-\frac{{\varepsilon U\left( {\mathit{\boldsymbol{W}}{\rm{, }}\mathit{k}} \right)}}{{2{\mathit{\Delta }_1}U}}} \right)选择一个合适的k 7) for r from 1 to k//r是矩阵的行 8) for c from 1 to k //c是矩阵的列 9) {{\mathit{\boldsymbol{\tilde F}}}^k}\left( {r, c} \right)$${\mathit{\boldsymbol{F}}^k}\left( {r, c} \right) + 2lap\left( {{\Delta _1}{\mathit{\boldsymbol{F}}^k}/\varepsilon } \right)$

10) ${{\mathit{\boldsymbol{\tilde F}}}^k}$${{\mathit{\boldsymbol{\tilde F}}}^k}$${{\mathit{\boldsymbol{\tilde F}}}^k}\left( {r, c} \right)$

11) ${{\mathit{\boldsymbol{\tilde F}}}^n}$←ZeroFilln(${{\mathit{\boldsymbol{\tilde F}}}^k}$) //对${{\mathit{\boldsymbol{\tilde F}}}^k}$进行补0操作

12) return $\mathit{\boldsymbol{\widetilde W}}$$IDFT ({{\mathit{\boldsymbol{\tilde F}}}^n}) BEMK算法首先利用{DF{T^{{\rm{real}}}}}操作对原始图像W进行变换(如步骤1)2)所示)。步骤3)—6)，与EMK算法一致，也是挑选合适的k值，只是挑选k值的空间变成了[1, q]。步骤7)—10)是对所挑选的傅里叶系数添加拉普拉斯噪音。步骤11)与步骤12)分别利用ZeroFill补零与IDFT操作获得\mathit{\boldsymbol{\widetilde W}} 定理5 LAP算法、FIP算法、EMK以及BEMK算法满足\varepsilon -差分隐私。 证明：根据定理1可知，LAP算法与FIP算法满足\varepsilon -差分隐私。接下来证明EMK与BEMK算法满足\varepsilon -差分隐私。 假设EMK算法步骤3)所需要的隐私预算为\varepsilon 1，则根据指数机制(如式(4)所示)可知每个k值被选择的概率为  \mathit{Pr}\left( k \right) = \frac{{\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k} \right)}}{{2{\Delta _1}U}}} \right)}}{{\sum\limits_{k' \in O} {\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k'} \right)}}{{2{\Delta _1}U}}} \right)} }} (16) 给定\mathit{\boldsymbol{W}}及其近邻{\mathit{\boldsymbol{W'}}}，对于任意k值(k$$O$)，根据式(16)可得

 $\begin{array}{*{20}{c}} {\frac{{\mathit{Pr}\left( {{E^{{\rm{EMK}}}}\left( {\mathit{\boldsymbol{W}},k} \right)} \right)}}{{\mathit{Pr}\left( {{E^{{\rm{EMK}}}}\left( {\mathit{\boldsymbol{W'}},k} \right)} \right)}} = \frac{{\frac{{\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k} \right)}}{{2{\Delta _1}U}}} \right)}}{{\sum\limits_{k' \in O} {\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k'} \right)}}{{2{\Delta _1}U}}} \right)} }}}}{{\frac{{\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W'}},k} \right)}}{{2{\Delta _1}U}}} \right)}}{{\sum\limits_{k' \in O} {\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W'}},k'} \right)}}{{2{\Delta _1}U}}} \right)} }}}} = }\\ {\left( {\frac{{\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k} \right)}}{{2{\Delta _1}U}}} \right)}}{{\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W'}},k} \right)}}{{2{\Delta _1}U}}} \right)}}} \right) \times \left( {\frac{{\sum\limits_{k' \in O} {\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W'}},k'} \right)}}{{2{\Delta _1}U}}} \right)} }}{{\sum\limits_{k' \in O} {\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k'} \right)}}{{2{\Delta _1}U}}} \right)} }}} \right) \le }\\ {\exp \left( {\frac{{{\varepsilon _1}}}{2}} \right) \times \left( {\frac{{\sum\limits_{k' \in O} {\exp \left( {\frac{{{\varepsilon _1}}}{2}} \right)} \times \exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k'} \right)}}{{2{\Delta _1}U}}} \right)}}{{\sum\limits_{k' \in O} {\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k'} \right)}}{{2{\Delta _1}U}}} \right)} }}} \right) \le }\\ {\exp \left( {\frac{{{\varepsilon _1}}}{2}} \right) \times \exp \left( {\frac{{{\varepsilon _1}}}{2}} \right) \times \left( {\frac{{\sum\limits_{k' \in O} {\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k'} \right)}}{{2{\Delta _1}U}}} \right)} }}{{\sum\limits_{k' \in O} {\exp \left( { - \frac{{{\varepsilon _1}U\left( {\mathit{\boldsymbol{W}},k'} \right)}}{{2{\Delta _1}U}}} \right)} }}} \right) = }\\ {\exp \left( {{\varepsilon _1}} \right)} \end{array}$

4.2 实验分析

Table 1 Precision

 $\varepsilon$ 方法 CMU ORL Yale YaleB LAP 0.07 0.02 0.08 0.04 FIP 0.07 0.03 0.08 0.04 0.1 EMK 0.23 0.34 0.37 0.25 BEMK 0.58 0.47 0.43 0.32 Non-Privacy 0.97 0.88 0.96 0.83 LAP 0.06 0.03 0.07 0.03 FIP 0.26 0.11 0.23 0.16 0.5 EMK 0.48 0.41 0.33 0.28 BEMK 0.68 0.73 0.45 0.56 Non-Privacy 0.97 0.88 0.96 0.83 LAP 0.03 0.04 0.07 0.04 FIP 0.64 0.12 0.60 0.44 0.9 EMK 0.33 0.58 0.65 0.38 BEMK 0.81 0.73 0.56 0.64 Non-Privacy 0.97 0.88 0.96 0.83 LAP 0.05 0.05 0.05 0.03 FIP 0.85 0.33 0.84 0.66 1.4 EMK 0.60 0.64 0.64 0.54 BEMK 0.88 0.80 0.70 0.71 Non-Privacy 0.97 0.88 0.96 0.83 注：加粗字体表示BEMK方法相对其他3种方法比较接近Non-Privacy方法。

Table 2 Recall

 $\varepsilon$ 方法 CMU ORL Yale YaleB LAP 0.34 0.75 0.90 0.87 FIP 0.71 0.80 0.49 0.68 0.1 EMK 0.65 0.84 0.58 0.57 BEMK 0.77 0.71 0.72 0.51 Non-Privacy 0.97 0.91 0.97 0.91 LAP 0.51 0.77 0.74 0.64 FIP 0.64 0.85 0.57 0.42 0.5 EMK 0.75 0.71 0.76 0.50 BEMK 0.79 0.80 0.84 0.70 Non-Privacy 0.97 0.91 0.97 0.91 LAP 0.51 0.77 0.61 0.90 FIP 0.72 0.72 0.71 0.58 0.9 EMK 0.60 0.80 0.83 0.50 BEMK 0.85 0.87 0.86 0.72 Non-Privacy 0.97 0.91 0.97 0.91 FIP 0.90 0.76 0.92 0.77 1.4 EMK 0.78 0.79 0.76 0.70 BEMK 0.90 0.88 0.80 0.84 Non-Privacy 0.97 0.91 0.97 0.91 注：加粗字体表示BEMK方法相对其他3种方法比较接近Non-Privacy方法。

Table 3 F1-Score ($\varepsilon$= 0.1)

 $\varepsilon$ 方法 CMU ORL Yale YaleB LAP 0.12 0.04 0.15 0.08 FIP 0.13 0.06 0.14 0.08 0.1 EMK 0.34 0.48 0.45 0.35 BEMK 0.66 0.57 0.54 0.39 Non-Privacy 0.97 0.90 0.96 0.87 LAP 0.11 0.06 0.13 0.06 FIP 0.37 0.19 0.33 0.23 0.5 EMK 0.59 0.52 0.46 0.36 BEMK 0.72 0.76 0.59 0.62 Non-Privacy 0.97 0.90 0.96 0.87 LAP 0.06 0.08 0.13 0.08 FIP 0.68 0.21 0.65 0.50 0.9 EMK 0.43 0.67 0.73 0.43 BEMK 0.83 0.79 0.68 0.68 Non-Privacy 0.97 0.90 0.96 0.87 LAP 0.09 0.09 0.09 0.06 FIP 0.89 0.46 0.88 0.68 1.4 EMK 0.68 0.71 0.70 0.61 BEMK 0.89 0.84 0.75 0.77 Non-Privacy 0.97 0.90 0.96 0.87 注：加粗字体表示BEMK方法相对其他3种方法比较接近Non-Privacy方法。

