张啸剑,付聪聪,孟小峰(河南财经政法大学计算机与信息工程学院, 郑州 450046;中国人民大学信息学院, 北京 100872)
目的 人脸图像蕴含着丰富的个人敏感信息，直接发布可能会造成个人隐私泄露。为了保护人脸图像中的隐私信息，提出3种基于矩阵分解与差分隐私技术相结合的人脸图像发布算法，即LRA（low rank-based private facial image release algorithm）、SRA（SVD-based private facial image release algorithm）和ESRA（enhanced SVD-based private facial image release algorithm）。方法 为了减少拉普拉斯机制带来的噪音误差，3种算法均将人脸图像作为实数域2维矩阵，充分利用矩阵低秩分解与奇异值分解技术压缩图像。在SRA和ESRA算法中，如何选择矩阵压缩参数r会直接制约由拉普拉斯机制引起的噪音误差以及由矩阵压缩导致的重构误差。SRA算法利用启发式设置参数r，然而r值增大导致过大的噪音误差，r值减小导致过大的重构误差。为了有效均衡这两种误差，ESRA算法引入一种基于指数机制的挑选参数r的方法，能够在不同的分解矩阵中挑选合理的矩阵尺寸来压缩人脸图像，然后利用拉普拉斯机制对挑选的矩阵添加相应的噪音，进而使整个处理过程满足ε-差分隐私。结果 基于6种真实人脸图像数据集，采用支持向量机（support vector machine，SVM）分类技术与信息熵验证6种算法的正确性。从算法的准确率、召回率、F1-Score，以及信息熵度量结果显示，提出的LRA、SRA与ESRA算法均优于LAP（Laplace-based facial image protection）、LRM（low-rank mechanism）以及MM（matrix mechanism）算法，其中ESRA算法在Faces95数据集上的准确率和F1-Score分别是LRA、LRM和MM算法的40倍、20倍和1倍多。相对于其他5种算法，ESRA算法对数据集大的变化相对稳定，可用性最好。结论 本文算法能够实现满足ε-差分隐私的敏感人脸图像发布，具有较好的可用性与鲁棒性，并且为灰度人脸图像的隐私保护提供了新的指导方法与思路，能有效用于社交平台和医疗系统等领域。
Private facial image publication through matrix decomposition
Zhang Xiaojian,Fu Congcong,Meng Xiaofeng(School of Computer and Information Engineering, Henan University of Economics and Law, Zhengzhou 450046, China;School of Information, Renmin University of China, Beijing 100872, China)
Objective Facial images are widely used in many applications such as social media, medical systems, and smart transportation systems. Such data, however, are inherently sensitive and private. Individuals' private information may be leaked if their facial images are released directly in the application systems. In social network platforms, attackers can use the facial images of individuals to attack their sensitive information. Many classical privacy-preserving methods, such as k-anonymous and data encryption, have been proposed to handle the privacy problem in facial images. However, the classical methods always rely on strong background assumptions, which cannot be supported in real-world applications. Differential privacy is the state-of-the-art method used to address the privacy concerns in data publication, which provides rigorous guarantees for the privacy of each user by adding randomized noise in Google Chrome, Apple iOS, and macOS. Therefore, to protect the private information in facial images, this paper proposes three efficient algorithms, namely, low rank-based private facial image release algorithm (LRA), singular value decomposition (SVD)-based private facial image release algorithm (SRA), and enhanced SVD-based private facial image release algorithm (ESRA), which are based on matrix decomposition combined with differential privacy. Method The three algorithms employed the real-valued matrix to model facial images in which each cell corresponds to each pixel point of facial images. Based on the real-valued matrix, the neighborhood of some facial images can be defined easily, which are crucial bases to use Laplace mechanism to generate Laplace noise. Then, LRA, SRA, and ESRA rely on low-rank decomposition and SVD to compress facial images. This step aims to reduce the Laplace noise and boost the accuracy of the publication of facial images. The three algorithms use the Laplace mechanism to inject noise into each value of the compressed facial image to ensure differential privacy. Finally, the three algorithms use matrix algebraic operations to reconstruct the noisy facial image. However, in the SRA and ESRA algorithms, two sources of errors are encountered:1) Laplace error (LE) due to Laplace noise injected and 2) reconstruction error (RE) caused by lossy compression. The two errors are controlled by r parameter, which is the compression factor in the SRA and ESRA algorithms. Setting the compact parameter r constrains the LE and RE. The SRA algorithm sets the parameter in a heuristic manner in which one may fix the value in terms of experiences. However, the choice of r in the SRA algorithm is a problem because a large r leads to excessive LE, while a small r makes the RE extremely large. Furthermore, r cannot be directly set based on the real-valued matrix; otherwise, the choice of r itself violates differential privacy. Based on the preceding observation, the ESRA algorithm is proposed to handle the problem caused by the selection of the parameter r. The main idea of the ESRA algorithm involves two steps:employing exponential mechanism to sample r elements in the decomposition matrix and injecting the Laplace noise into the elements. According to the sequential composition of differential privacy, the two steps in the ESRA algorithm meet ε-differential privacy. Result On the basis of the SVM classification and information entropy technique, two group experiments were conducted over six real facial image datasets (Yale, ORL, CMU, Yale B, Faces95, and Faces94) to evaluate the quality of the facial images generated from the LRA, SRA, ESRA, LAP(Laplace-based facial image protection), LRM(low-rank mechanism), and MM(matrix mechanism) algorithms using a variety of metrics, including precision, recall, F1 score, and entropy. Our experiments show that the proposed LRA, SRA, and ESRA algorithms outperform LAP, LRM, and MM in terms of the abovementioned six metrics. For example, based on the Faces95 dataset, ε=0.1 and matrix=200×180 were set to compare the precision of ESRA, LRM, LRA, and LAP. Result show that the precision of ESRA is 40 and 20 times that of LAP, LRA, and LRM. Based on the six datasets, ESRA achieves better accuracy than LRA and SRA. For example, on the Faces94 dataset, the matrix=200×180 was set and the privacy budget ε (i.e., 0.1, 0.5, 0.9, and 1.3) was varied to study the utility of each algorithm. Results show that the utility measures of all algorithms increase when ε increases. When ε varies from 0.1 to 1.3, ESRA still achieves better precision, recall, F1-score, and entropy than the other algorithms. Conclusion The oretical analysis and extensive experiments were conducted to compare our algorithms with the LAP, LRM, and MM algorithms. Results show that the proposed algorithms could achieve better utility and outperform the existing solutions. In addition, the proposed algorithms provided new ideas and technical support for further research on facial image release with differential privacy in several application systems.