A Novel Distributed Privacy Paradigm for Visual Sensor ...

Hindawi Publishing CorporationEURASIP Journal on Advances in Signal ProcessingVolume 2007, Article ID 21646, 17 pagesdoi:10.1155/2007/21646

Research ArticleA Novel Distributed Privacy Paradigm for Visual SensorNetworks Based on Sharing Dynamical Systems

William Luh, Deepa Kundur, and Takis Zourntos

Department of Electrical and Computer Engineering, 214 Zachry Engineering Center, Texas A&M University, College Station,TX 77843-3128, USA

Received 5 January 2006; Revised 29 April 2006; Accepted 30 April 2006

Recommended by Chun-Shien Lu

Visual sensor networks (VSNs) provide surveillance images/video which must be protected from eavesdropping and tampering enroute to the base station. In the spirit of sensor networks, we propose a novel paradigm for securing privacy and confidentialityin a distributed manner. Our paradigm is based on the control of dynamical systems, which we show is well suited for VSNs dueto its low complexity in terms of processing and communication, while achieving robustness to both unintentional noise andintentional attacks as long as a small subset of nodes are affected. We also present a low complexity algorithm called TANGRAMto demonstrate the feasibility of applying our novel paradigm to VSNs. We present and discuss simulation results of TANGRAM.

Copyright © 2007 Hindawi Publishing Corporation. All rights reserved.

1. INTRODUCTION

Visual data is an integral part of the interface between hu-mans and their environment. Visual data in the form of im-ages and video can be used to enhance a human operator’sability to reliably make crucial decisions in the face of alertsprovided by sensing mechanisms. For example, in a com-bat field, a sensor network can be deployed to sense temper-ature, toxins, vibrations/movement, and so forth. To reliablyassess whether a change in the sensed phenomena is dueto enemy infiltration or natural environmental and faunacauses, it is useful to obtain additional side information inthe form of an image. As another example, in health carefacilities [1, 2], one may measure a patient’s vital statistics,such as heart rate, using sensors. When such measured statis-tics indicate that the patient is in imminent danger, visualside information may quickly determine whether the mea-surements are valid or caused by misplaced or malfunction-ing sensors. Following this motivation, acquisition of visualdata in sensor networks can be used to enhance the qualityof service in surveillance applications in which a human op-erator interfaces at the sink of the network [3]. Such sensornetworks are called visual sensor networks (VSNs) or oftenmultimedia sensor networks [4]. The emergence of low-costportable off-the-shelf sensor devices has thrust forward thedevelopment of VSN architectures, systems, and testbeds [1–3, 5–12].

Acquisition and processing of visual data in sensor net-works come at a cost. First, visual data in the form of imagesor video require larger storage and transmission resourcesthan do traditional scalar data such as temperature or heartrate. These resource requirements are further bloated whenevery sensor is equipped to acquire and process images andvideo. Furthermore, image processing requires more powerto process than conventional scalar data, and hence VSNsmay not meet the resource constraints placed upon tradi-tional scalar-data-based sensor networks. This suggests thatvisual data should be acquired and processed judiciously,perhaps by one or two cameras within a confined area.However as we consider in this paper, from the perspectiveof resilience to physical and electronic attack, dense VSNsdemonstrate potential for security and surveillance applica-tions.

Visual data may be intercepted by illicit parties for usenot originally intended. For example, in a military scenario,interception of surveillance images can be used by an enemyto learn and counter the efforts of a mission. In a health-carescenario, interception of images by outsiders compromisespatient privacy rights. Therefore a means to protect these im-ages needs to be built into VSNs. In order to combat physicalattacks, electronic means are often employed in addition tomore robust ad hoc networking architectures. For example,the “one camera” architecture suggested above is vulnerableto physical attacks such as unlawful interception, tampering,

2 EURASIP Journal on Advances in Signal Processing

or capture of entities in the network. Instead of preventingsuch actions, it is more feasible to engineer information secu-rity mechanisms to deny illicit parties access to the semanticcontent of visual data.

Traditionally, to deny third parties access to content, en-cryption is employed [13]. However, recently it has beennoted that the use of these powerful cryptosystems on vi-sual data further exacerbates processing power (resource)requirements as mentioned above [14–16]. Measures havebeen taken to trade off security with processing complexity,and in this paper we follow this philosophy.

In the spirit of sensor networks, we opt for a densely dis-tributed architecture in which every sensor is equipped witha camera for visual acquisition, as well as some simple im-age processing capabilities. It is not difficult to envision thatphysical security based on a distributed infrastructure sharesall the same advantages as those in which sensor network re-search pioneers were drawn to. The principle of redundancycompensates for sensor failure either due to natural (i.e., bat-tery failure, noise in the environment, or sensor hardware) ormalicious causes. From a physical security standpoint, distri-bution offers safeguard against illicit capture of a few sensornodes and its cryptographic keys stored on-board [17, 18],which we term node capture. Attackers are hence forced tocapture all nodes or intercept all relevant node communiquein order to access semantic information. In this paper, wepropose a general paradigm for distributing security in a vi-sual sensor network.

1.1. Scope and contribution

We focus, in this paper, on presenting a novel distributedapproach to protect dense VSNs against eavesdropping at-tacks. Other security issues including authentication, mes-sage freshness and replay, key management, physical and ac-tuation attacks, and common denial-of-service attacks are,in part, considered by existing sensor network security liter-ature and are beyond the scope of the paper.

In [19], security for the IP-based video surveillance prob-lem is considered. In this paper we consider a distributedsecurity scheme for VSNs in which camera nodes work to-gether. We consider a VSN, which we define to be a collectionof sensor nodes each having image acquisition and process-ing capabilities. Within a VSN, a cluster of nodes is definedto be a subset of N nodes that are recording or capturing thesame scene at approximately the same camera orientation. Asecurity goal of each node in a cluster is to send partial visualinformation, which we call shares to a base station or multi-ple base stations, such that

(1) the base station(s) can reconstruct (or decrypt) an ap-proximation of the scene being recorded by the clusterwhen t + 1 or more shares are available;

(2) interception of t or fewer shares will not reveal thescene being recorded.

Secret sharing, popularized by Shamir [18], is the processby which a trusted central authority called the dealer createsand securely distributes N shares to N participants, such that

only certain subsets of participants can recover a secret keyK by amalgamating their shares. Our problem is similar tosecret sharing, except for the following differences:

(1) traditional secret sharing requires a trusted central au-thority to create the shares and distribute them se-curely; in our distributed VSN problem, a differentshare is created by each node of a cluster (with someminor coordination to guarantee robust recovery);

(2) we allow for t or fewer nodes to be captured, thus re-vealing any secret keys;

(3) we allow for t or fewer shares to be corrupted or tam-pered with.

We now point out other existing secret sharing works,and show how our work differs. In visual secret sharing (VSS)[20–23], the goal is similar; a dealer creates N transparenciesand securely distributes them to N participants. If a subset oftransparencies are overlaid upon one another, the secret im-age is revealed—this is the decryption process. In most VSSschemes, the decryption process (i.e., overlaying transparen-cies) has lower complexity than either creating the shares ortransmitting/storing them. This is due to the fact that extrainformation must be embedded into the transparencies inorder to support such trivial decryption. In sensor networks,this is not favorable; instead the opposite role is favored, be-ing that complexity is lower at the encrypting end (nodeend), and higher at the decrypting end (base station end)[24]. Of course VSS also suffers from the need for a trustedcentral authority as does secret sharing. Next, we point out adistributed encryption scheme that does not require a trustedcentral authority based on the RSA public-key cryptosystem[25, 26]. One draw-back of [25, 26] is that this public-keycryptography scheme was not developed for sensor networks(but rather for fault-tolerant distributed systems), hence thecomplexity at the node end is much higher. In addition, themethod is not always immune to node capture, particularlyif the so-called source node is captured, key information canbe used to reveal the secret.

To this end, this paper offers a general paradigm forcreating shares in a VSN, and hence many algorithms canbe created based on the same principles. The use of dy-namic system theory for this purpose is novel and, aswe demonstrate, provides the following attractive charac-teristics: (a) dynamism and evolution to exploit the dis-tributed and collaborative nature of VSNs for share gener-ation, (b) robustness to compensate for sensor error and ma-licious tampering, (c) obfuscation in order to provide im-age/video scrambling with a more competitive compromisebetween security and practicality for VSNs, and (d) flexibil-ity and simplicity for lightweight implementation. The dy-namic system approach allows the creative incorporation ofthe many competing VSN objectives of robustness, secu-rity and practicality into a framework with well-developedmathematical background based on Lyapunov theory. Thishas the advantage of producing a solution that is dis-tributed and lower complexity and hence most appropri-ate for VSNs in comparison to the existing methods sur-veyed above. We analyze our proposed technique, called

William Luh et al. 3

TANGRAM, to demonstrate its potential performance andpracticality.

Finally, we note that our paradigm is geared towards vi-sual data, or any kind of data whose semantics are not de-stroyed by small perturbations. The inherent redundant na-ture of visual data offers both pros and cons. On the onehand, visual redundancy offers resiliency against errors. Onthe other hand, visual redundancy translates into highercommunication and storage costs. Hence a tradeoff betweenrobustness and compression is also considered in this paper.

This paper is separated into three parts. In Section 2, thegeneral paradigm is presented. Within this section we formu-late the problem, introduce notations and definitions, and fi-nally present the general architecture and guiding principlesused to design a solution. In Section 3, we present an algo-rithm using our paradigm. In Section 4, we present simula-tion results to verify visual security.

2. GENERAL PARADIGM

In this section we develop the general paradigm.1 First weformally present the problem and assumptions. Next we de-fine basic elements used in the framework, and finally wepresent the paradigm.

2.1. Problem formulation

Suppose a collection of N sensor nodes equipped with im-age acquisition and processing capabilities is deployed inclose physical proximity such that they all capture the samescene. To quantify this statement, let {I0, I1, . . . , IN−1} repre-sent the N grayscale images captured by the N nodes.2 HereIi, 0 ≤ i ≤ N − 1 are m × n matrices containing integervalues in the set {0, 1, . . . , 255}. Assume that these N im-ages are noisy versions of a representative image Ir , such thatIi = Ir +nr , where nr is a random matrix of integers based onsome distribution with zero-mean and small variance. Thisassumption allows us to approximate the different sensor ac-quisitions as the same image, that is, Ii ≈ Ir , which will sim-plify the computations. We will justify this assumption soonin the coming section.

We also assume that the VSN is capable of pairwise (be-tween two neighboring nodes) and individual (between nodeand base station) key distributions. In addition, each node iscapable of communications to neighboring nodes and to thebase station (possibly via multihop networking).

2.1.1. Goals of this paradigm

The goal is for each sensor node i to encrypt its image Ii, re-sulting in the share Ii, such that for some subset of shares

1 In this paper we generalize the paradigm previously developed in [27],hence encompassing a broader class of algorithms.

2 Color images can be treated in the same manner by defining accompany-ing color planes dependent on formats such as RGB, HSV, YCbCr, and soforth.

S ⊆ {I0, I1, . . . , IN−1}, and subset of sensor nodes3 T ⊆ {0, 1,. . . ,N − 1} corresponding to S

(1) if the cardinality of S is greater than t, that is, |S| > t,then a visual approximation of Ir can be derived fromS;

(2) if |S| ≤ t, then a visual approximation of Ir cannot bederived from S alone;

(3) if the sensor nodes of T with |T| ≤ t are physicallycaptured and removed from the network, any staticallystored information4 on these nodes along with the cor-responding shares in S will not help the attacker in de-riving a visual approximation of Ir ;

(4) key management in the form of rekeying or key up-dates is not necessary to deal with the particular issuesaddressed in this paper.

We will define the quantitative notion of visual approxima-tion in the coming subsection. Also we note that althoughexisting secret sharing algorithms can be adjusted to satisfypoint 3 through rekeying or key updating, our paradigmdoes not explicitly require key management leading to a morepractical solution for distributed VSNs.

2.1.2. Assumptions

We now impose the following assumptions on the attacker.

(1) The attacker has limited ability to employ physical at-tacks on the observation area. Specifically, the attackercannot deploy his own cameras to capture the samescene as the VSN nodes nor can he physically attackthe observation area such as block the scene.5 In addi-tion, the attacker can only physically capture and re-move nodes from the network, but cannot wiretap anode and eavesdrop on all activities on-board a sensornode.

(2) The attacker can only intercept or tamper the shares ofa subset of nodes of cardinality ≤ t.

(3) The attacker is less likely to intercept communica-tion between nodes without being detected due to thenodes being in close proximity; the attacker is morelikely to intercept communication between nodes andthe base station(s). See Figure 1.

We impose the following assumptions on the sensornodes.

(1) The VSN is aware when a node is removed from thenetwork, and will stop communicating with the roguenode.

(2) Every node can perform the duties of any other node.Hence when a node dies, the nodes within a clustercan reorganize their logistics. In addition, nodes are

3 In this paper, we denote N nodes by giving them unique integer identifiersstarting with 0.

4 By statically stored, we mean keys, codebooks, and so forth. Any valuescreated from computation would not be statically stored.

5 Physical actuation attacks considered in, for example, [28] are beyond thescope of this work.


replenished so that an area of observation is never leftstarved for nodes.

(3) We assume that the nodes are capable of reposition-ing collectively (i.e., rotating panoramically) to cap-ture different scenes in order to avoid the message re-send attack [29].

2.2. Preliminaries

In this section we define the basic elements used in ourparadigm. First we define an image space by converting animage matrix Ii into a (m · n) × 1 column vector xi, via acolumn-wise raster scan as shown in (1).

Ii =

⎛

⎜

⎜

⎜

⎜

⎜

⎜

⎜

⎜

⎜

⎜

⎜

⎝

x1,1 x1,2 · · · x1,n−1 x1,n

x2,1 x2,2 · · · x2,n−1 x2,n

......

. . ....

...

xm−1,1 xm−1,2 · · · xm−1,n−1 xm−1,n

xm,1 xm,2 · · · xm,n−1 xm,n

⎞

⎟

⎟

⎟

⎟

⎟

⎟

⎟

⎟

⎟

⎟

⎟

⎠

,

xi =(

x1,1 x2,1 · · · xm,1 x1,2 x2,2 · · · xm,2 · · · xm,n

)T.

(1)

The collection of all (m·n)×1 column vectors constitutesour image space, and each column vector is called a state.We note that although we defined an image to take on inte-ger values in the range 0 to 255, the image space includes all(m·n)×1 column vectors with real elements. This collectionalong with the usual operators is a vector space over the realfield.

Our notion of visual approximation is based on the normof a vector.6 The norm of a vector xi is the l2–norm de-noted by ‖xi‖. To quantify visual similarity or dissimilarityfor practical use, two variables ρ0 ≤ ρ1 are chosen as a func-tion of the (image) state xi in question, such that the annuluscentered about xi, as given in (2), completely defines the vi-sual similarity and dissimilarity:

Axi ={

x : ρ0 ≤∥

∥x − xi

∥

∥ ≤ ρ1}

. (2)

The complement of the annulus can be separated into tworegions: the region enclosed by the annulus is called the sim-ilar region, where the states in here share the semantics ofxi; the region outside the annulus is called the dissimilar re-gion, where the semantics of xi cannot be visually deducedfrom states in here. The annulus itself defines a fuzzy re-gion, which accounts for differences in individual perception.Figure 2 illustrates the partitioning of the image space into

6 We note that although this notion does not model the human visual sys-tem accurately, it is used often for reasons of simplicity in MPEG encod-ing, for example block matching [30].

Common scene

Node0

Node1

NodeN � 1

� � �

Cluster

Attack most likely en route to base station

Base station Base station Base station

Figure 1: Communication scheme, layout of a cluster, and the mostcommon point of attack.

Every state outside isperceptually dissimilar to xi

Every state in this region isperceptually similar to xi

“Fuzzy” region

xi

p1

p0

Figure 2: Separation of image space into perceptual similar, dissim-ilar, and fuzzy regions.

similar, dissimilar, and fuzzy regions. It is clear that the vari-ables ρ0 ≤ ρ1 depend on the human visual system, and henceis application-dependent.

2.3. Architecture and principles

Suppose that every sensor node records the representa-tive image Ir (i.e., the common scene), which correspondswith the representative state x. The central idea behind ourparadigm is that we design a discrete-time dynamical systemsuch that each node has an access to only a certain part ofthis dynamical system and not to its entirety. Identifiers 0 toN −1 are assigned to each of the N nodes. A node with iden-tifier k is then responsible for applying a control to move thestate at time k of the dynamical system closer to the desiredx. The node’s control is the node’s share. Since an attackerwho intercepts a subset of shares and/or physically captures


Require: Initial state x0 loaded into node 0 and partial system fi for each node i;all nodes capture common scene represented by xEnsure: Shares ui, 0 ≤ i ≤ N − 1

(1) for k = 0 to N − 1 do(2) {Each iteration is performed by a different node, i.e., node k}(3) if k �= 0 then(4) Receive ek−1,k from node k − 1(5) xk ⇐ DKk−1,k

(

ek−1,k) {Decrypt with pair-wise key shared with node k − 1}

(6) end if(7) uk ⇐ gk(xk , x) {To be designed to drive states to x}(8) if k �= N − 1 then(9) xk+1 ⇐ fk

(

xk , uk

)

(10) ek,k+1 ⇐ EKk,k+1

(

xk+1) {Encrypt with pair-wise key shared with k + 1}

(11) Destroy xk+1 {So if this node is captured, attacker does not have this}(12) Send ek,k+1 to node k + 1(13) end if(14) if k �= 0 then(15) Destroy xk {So if this node is captured, attacker does not have this}(16) end if(17) Send uk to the base station {This is node k’s share}(18) end for

Algorithm 1: Distributed encryption for VSN.

a subset of nodes only knows part of the dynamical system,7

the attacker cannot drive this partial dynamical system to thesecret x. In Section 2.4, we will discuss the motivation for us-ing this paradigm.

From the dynamical systems literature, let Σp be a user-designed plant that is described by a state equation (discrete-time difference equation) as in (3):

Σp : xk+1 = fk(

xk, uk, wk)

. (3)

Here, the vectors denoted by xk are called states, the vectorsdenoted by uk are external controls/inputs, and wk is a ran-dom vector noise term. Every node agrees ahead of time ona starting node, also called the source node [25], which con-tains a randomly generated initial state x0 (i.e., independentof Ir), either through preprogramming the node hardware,or some key distribution protocol.

Next we ensure that every node is endowed with only partof the plant or that there is a random component of whichonly one node is aware. For example, if the system is time-varying, each node is endowed with a unique set of the pa-rameters corresponding to each time instance. To be moreprecise, let the nodes be numbered 0 to N − 1. Then node iis endowed with fi, and for node i �= j, fi �= f j ; that is eachnode only knows part of the system. Finally each node runsan optimization algorithm whose goal is to drive any givenstate to x. The pseudocode is presented in the table entitled

7 This does not violate Kerckhoff ’s principle [13], which states that the se-curity of a system should only reside in the key, while the system can beknown. In practice, we can publish the system to be used, but keep secretthe system parameters, which can be regarded as keys.

Algorithm 1. Here we define ei, j to be the encrypted state,which is created by node i and sent to node j.

In Algorithm 1, each iteration of the loop reflects the ac-tivity of one particular node, namely the node associatedwith the loop index k. We see that the source node 0 startsoff the algorithm by applying a function g0 (line 7—to bedesigned) on the initial state x0 and the representative statex—this is the external input or the so-called control to theplant Σp. This control is then applied to the plant (line 9),and the result is encrypted using a pair-wise key shared withnode 1 (line 10), and sent to node 1 (line 12). Continuingwith the remaining iterations of the loop, each node here-after receives an encrypted state (line 4) from the previousnode, which is able to decrypt with its pair-wise key sharedwith the previous node (line 5). The node then uses this stateto derive a new control (line 7), which drives the states closerto the desired representative state x. The new state generatedby this control (line 9) is then encrypted with the pair-wisekey shared with the next node (line 10) and sent to the nextnode (line 12). The controls generated by each node consti-tute the set of shares, which are sent to the base station(s).An overview of the communication scheme is depicted inFigure 1. From an overall system perspective, the nodes canbe considered to cooperate to drive an initial state to the de-sired representative state x by applying a control (which is thenode’s share) to the system via the state created by a previousnode, and then relaying the updated state to the next node.

Since the controls drive the plant to x, the decryption al-gorithm is straight-forward as shown in Algorithm 2.

In order to decrypt, all the controls (or shares) and theentire plant/system must be known. Hence an attacker isforced to intercept all shares, or capture all nodes. Figure 3(a)illustrates how the initial state is driven to the desired rep-resentative state x. When a control is applied to a state, the


Require: All shares ui, 0 ≤ i ≤ N − 1 received by base station(s),and base station(s) have all fi, 0 ≤ i ≤ N − 1 and x0

Ensure: xN = x(1) {Loop performed by a central unit at the base station}(2) for k = 0 to N − 1 do(3) xk+1 ⇐ fk

(

xk , uk

)

(4) end for

Algorithm 2: Decryption at base station(s) for VSN.

dynamical system is moved to a new state. Controls are ap-plied successively to the dynamical system to drive the stateto x and hence reconstruct the representative image Ir .

Finally, each iteration in Algorithm 1 can be thought of asa round which adds confusion, hence Algorithm 1 mimics aniterated block cipher [31] with each round being performedby a single different node using a different key.

2.4. Motivation for this paradigm

There are many reasons why a dynamical systems approachis chosen for this problem. Such theory is well developed tohandle external disturbances. For our problem, this is use-ful to ensure that image decryption is robust to natural (un-intentional) system disturbances such as hardware noise, orintentional tampering. If we assume that the disturbance wi

is additive and constrained, for example bounded such that‖wi‖ < C, then control laws can be designed such that thetrajectory stays within some region around the desired rep-resentative state x as illustrated in Figure 3(b). If the ballaround x has radius ρ0 or less, where ρ0 is the variable ac-counting for perceptual similarity from Section 2.2, then de-cryption will still result in a good visual approximation of thedesired image.

2.5. Extensions

This robustness allows for some additional advantages. Thenumber of pair-wise keys that each sensor node carries to runthe proposed algorithm is always 2 (i.e., O(1)) regardless ofthe number of nodes in a cluster. This is because node k onlyneeds to receive the previous state from node k− 1 and mustsend its current state to node k + 1 requiring communica-tion only among these nodes. This is a memory advantagebecause, in contrast to the sharing scheme presented in [25],the number of key fragments per node is O(

√N), where N is

the number of nodes. Finally, if each node is regarded as avertex, and the communication between nodes is a directededge, then the VSN is a directed graph. The number of fan-outs, or outdegree of each node in our scheme is exactly 2(one for transmitting to the next node, and one for trans-mitting to the base station(s)) regardless of the number ofnodes in the cluster (i.e., O(1)). However, the outdegree pernode in [25] is again O(

√N). Also, the unidirectional nature

of the internode communication in our paradigm promotesan optical sensor network architecture [32], which has beenshown to be energy-efficient for communicating multimediathrough free space [33].

3. TANGRAM: ALGORITHM USING RANDOMNESS

In this section we present an algorithm based on random-ness (i.e., random vectors and random variables) and Lya-punov synthesis, which we call TANGRAM.8 In contrast tothe algorithm presented by the authors in [27], the algorithmpresented here is simpler lending itself more appropriatelyto distributed VSN security. Lyapunov synthesis provides aframework for generating the shares that drive an initial stateto a desired state for nonlinear dynamical systems in general.

We first review Lyapunov stability theory. The equilibriaof a discrete-time state space system in (3) are any solutionsxeq to (4):

xeq = fk(

xeq, uk)

. (4)

The goal is to design uk , such that starting from any ini-tial state x0, the system converges to the unique equilibriumxeq � x; when this is satisfied, x is said to be globally asymp-totically stable. A popular way to achieve this goal is via Lya-punov’s stability theorem [34].

Theorem 3.1 (global asymptotic stability). The equilibriumxeq is globally asymptotically stable if there exists a function V :Rm·n → R such that

(1) V(xeq) = 0;(2) there are continuous, strictly increasing functions α :

R→ R and β : R→ R, where α(0) = β(0) = 0, and

α(∥

∥x − xeq∥

∥

) ≤ V(x) ≤ β(∥

∥x − xeq∥

∥

)

(5)

for all x ∈ Rm·n;(3) V(x) →∞ as ‖x‖ → ∞;(4) V(xk+1)−V(xk) < 0 for all k ≥ 0.

In Lyapunov synthesis, one begins by choosing theLyapunov function V that satisfies criteria 2 and 3 inTheorem 3.1. The goal is then to design uk so that the equi-librium xeq is forced to be the desired x, which satisfies crite-rion 1, and the overall system with the control incorporatedsatisfies criterion 4.

In [27] a linear system was proposed by the authorswhere the system matrix Ak presented additional challengesas they had to be stored on-board the sensor nodes. Here wepropose the following straightforward linear system given by(6):

xk+1 = xk + uk. (6)

Although there are many ways to design uk = gk(xk, x), suchthat (6) is globally asymptotically stable with respect to thedesired equilibrium x, our goal is that of secrecy/security,and hence it seems natural and practical to use a random ap-proach.

Because we cannot expect to achieve global asymptoticstability in a purely random approach, we give Definition 3.2to quantify the systems behavior at a particular time instance.

8 The word “tangram” means a puzzle.


x

xN�1

x2

x1

x0

u0

u1

u2

uN�2

uN�1

Controls/shares(red)

States(blue)

...

(a)

x

xN�1

x2x1

x0

u0

u1 + w1

u2

uN�2

uN�1

...

(b)

Figure 3: (a) Initial state being driven to the desired representative state x by node controls; (b) noisy control/share causes offset in trajectorywhich stays within some ball.

Definition 3.2. We say a plant Σp with equilibrium xeq is be-having globally asymptotically stable at time j if criteria 1 to 3are satisfied in Theorem 3.1, and V(xk+1)−V(xk) < 0 for allk ≤ j.

Remarks 3.3. Definition 3.2 tells us that a system looks likea “promising” candidate for global asymptotic stability at aparticular time instance. We now propose a random controllaw in Theorem 3.4 and state its property.

Theorem 3.4. Let Σp be the plant whose state space equationis given by (6). Let

uk = − sgn(

xk − x) R+

k , (7)

where denotes element-wise multiplication, sgn is the signumfunction operating on each element of the vector

sgn(y) =

⎧

⎪

⎪

⎪

⎨

⎪

⎪

⎪

⎩

1 if y > 0,

0 if y = 0,

−1 if y < 0,

(8)

and R+k is a random vector taking on only nonnegative values

and whose mean vector E[R+k ] < ε · 2|xk − x| for ε > 0, where

“<” is taken element-by-element. Then Σp has equilibrium x,and is behaving globally asymptotically stable at iteration k (ornode k, keeping in mind starting at 0) with probability greaterthan (1− ε)k+1.

Remarks 3.5. The theorem provides a lower bound to theprobability that the system is behaving globally asymptoti-cally stable at a given time. The simulation results will showthat this lower bound is quite loose, meaning that decryptionwill result in images that fall in the similar region with muchhigher probability than this lower bound.

Proof. Without loss of generality,9 let us take the scalar case,in which we have

xk+1 = xk − sgn(

xk − x)

R+k . (9)

First we can verify that x is indeed the equilibrium by substi-tuting x into xk on the right-hand side. Next, let us define

V(x) = (x − x)2 (10)

which indeed satisfies criteria 1 to 3 of Theorem 3.1. Startingat k = 0, we see that

V(

x1)−V

(

x0) = V

(

x0 − sgn(

x0 − x)

R+0

)−V(

x0)

= (x0 − sgn(

x0 − x)

R+0 − x

)2 − (x0 − x)2

< 0(11)

if x0−sgn(x0−x)R+0 is closer to x than x0 is; denote this event

for k = 0 as E0. Then the probability of the complement isP(E0) = Pr{R+

0 ≥ 2|x0 − x|}, which we can bound usingMarkov’s inequality

Pr{

R+0 ≥ 2

∣

∣x0 − x∣

∣

} ≤ E[

R+0

]

2∣

∣x0 − x∣

∣

< ε, (12)

where the last inequality is due to E[R+k ] < ε · 2|xk − x|.

Therefore P(E0) > 1 − ε. Suppose that for some iterationk− 1, P(E0∩E1∩· · ·∩Ek−1) > (1− ε)k. Then we can showthat P(Ek) > (1−ε) the same way we showed for P(E0). Sincethe R+

k ’s are independent for all k, P(E0 ∩ E1 ∩ · · · ∩ Ek) >(1− ε)k+1, proving the theorem by induction.

9 TANGRAM operates pixel-by-pixel (or element-by-element), that is, onlyconfusion is introduced, hence we can restrict our analysis to a singlepixel/element.


Remarks 3.6. To see why P(E0) = Pr{R+0 ≥ 2|x0 − x|}, we

define two cases: x0 < x, and x0 > x. Noting that R+k is always

nonnegative (the superscript + denotes this fact), if x0 < x,then − sgn(x0 − x) = 1, hence − sgn(x0 − x)R+

0 is positive;when this quantity is added to x0, x0 is increasing positivelytowards x in the correct direction. The event E0 occurs whenthis quantity added is two times the distance that x0 is from x,that is, 2|x0 − x|. The other case follows the same argument.

3.1. Security analysis

Next we analyze the security of this scheme. We begin withthe notion of perfect secrecy. Given plaintext and ciphertextrandom variables P andC, respectively, a cipher provides per-fect secrecy if I(P;C) = 0, where I(·; ·) denotes mutual infor-mation. Ciphers that incorporate a great deal of randomness,such as the one-time pad are good candidates for perfect se-crecy. To show that TANGRAM satisfies perfect secrecy un-der certain conditions, we present Lemma 3.7, which is basedon TANGRAM parameters. Then we discuss how Lemma 3.7is related to TANGRAM.

Lemma 3.7. Let U = σ · R+ where R+ is a positive continuousrandom variable whose mean is E[U] = θ = |θ1 − θ2|, whereθ1, θ2 are positive continuous random variables, σ = sgn(θ1 −θ2). If h(θ) = h(θ1), then I(U ; θ2) = 0.

Proof. First we write h(U , θ | θ2, σ) in two ways using thechain rule

h(

U , θ | θ2, σ) = h

(

U | θ2, σ)

+ h(

θ | U , θ2, σ)

= h(

θ | θ2, σ)

+ h(

U | θ, θ2, σ)

.(13)

Next we can simplify all the quantities. Throughout we usethe fact that θ can be written as θ = |θ1−θ2| = sgn(θ1−θ2)·(θ1 − θ2) = σ · (θ1 − θ2):

h(

U | θ2, σ) = h

(

σ · R+ | θ2, σ) = h

(

R+ | θ2)

, (14)

h(

θ | U , θ2, σ) = h

(

σ · (θ1 − θ2) | σ · R+, θ2, σ

)

= h(

θ1 | R+) = h(

θ | R+),(15)

h(

θ | θ2, σ) = h

(

σ · (θ1 − θ2) | θ2, σ

)

= h(

θ1) = h(θ),

h(

U | θ, θ2, σ) = h

(

σ · R+ | θ, θ2, σ)

= h(

σ · R+ | θ, σ) = h

(

R+ | θ).

(16)

We have used the fact that h(θ) = h(θ1) in the last equalitiesof (15). For the second equality in (16), we used the fact thatθ is the true mean of R+, hence θ2 provides no additionalinformation since θ = |θ1 − θ2|. Now substituting (14)–(16)into (13), we get

h(

R+ | θ2)

+ h(

θ | R+) = h(θ) + h(

R+ | θ),h(

R+ | θ2) = h

(

θ,R+)− h(

θ | R+)

= h(

R+).

(17)

Therefore I(R+; θ2) = h(R+)− h(R+|θ2) = 0.

Let us apply Lemma 3.7 to TANGRAM on a pixel-by-pixel or element-by-element basis. We only assume that theattacker has intercepted one share ui for some i, and that noneof the states xk nor the mean are known. Let θ1 = xi andθ2 = x, and also multiply the mean by 2ε. If the entropy of xiis equal to the entropy of the mean, then perfect secrecy of asingle pixel is achieved.

We note that the attacker does not have access to themean, and we can further enhance the security by loadingeach sensor node with different probability density func-tions (PDFs) for generating R+

k and not revealing them; thePDFs are a parameter of the algorithm, which can be consid-ered a node-dependent key. If the aforementioned entropiesare not equal, we give a more general but weaker result inLemma 3.8.

Lemma 3.8. Let U = σ · R+ where R+ is a positive continuousrandom variable whose mean is E[U] = θ = |θ1 − θ2|, whereθ1, θ2 are positive continuous random variables, σ = sgn(θ1 −θ2). Then

I(

θ2;U) = h

(

U | θ1)− h

(

U | θ). (18)

Proof. This time we write h(U , θ | θ1, σ) in two ways usingthe chain rule

h(

U , θ | θ1, σ) = h

(

U | θ1, σ)

+ h(

θ | U , θ1, σ)

= h(

θ | θ1, σ)

+ h(

U | θ, θ1, σ)

,

h(

U | θ1, σ) = h

(

σ · R+ | θ1, σ) = h

(

R+ | θ1)

,

h(

θ | U , θ1, σ) = h

(

σ · (θ1 − θ2) | σ · R+, θ1, σ

)

= h(

θ2 | R+),

h(

θ | θ1, σ) = h

(

σ · (θ1 − θ2) | θ1, σ

) = h(

θ2)

,

h(

U | θ, θ1, σ) = h

(

σ · R+ | θ, θ1, σ)

= h(

σ · R+ | θ, σ) = h

(

R+ | θ).

(19)

Combining the constituents

h(

R+ | θ1)

+ h(

θ2 | R+) = h(

θ2)

+ h(

R+ | θ),h(

R+ | θ1)− h

(

R+ | θ) = h(

θ2)− h

(

θ2 | R+)

= I(

θ2;R+).

(20)

Having provided analysis for the simplest case of a singleinterception, we give an analogy of taking a number τ andrandomly breaking it into N numbers τ0, τ1, . . . , τN−1 suchthat the sum of these N numbers is equal to τ. If we giveone or two of these τi to someone and ask them to guess theoriginal number τ, it would be as difficult as deducing anentire puzzle from one or two pieces alone.10

10 We note that our analogy partitions an image spatially, whereas in TAN-GRAM, partitioning is performed at the pixel level. This is because spatialpartitions may still reveal some semantic content of the image in question.


Require: Initial state x0 loaded into node 0, ε, σ2

Ensure: Shares ui, 0 ≤ i ≤ N − 1(1) for k = 0 to N − 1 do

(2) {Each iteration is performed by a different node, i.e., node k}(3) if k �= 0 then

(4) Receive ek−1,k from node k − 1

(5) xk ⇐ DKk−1,k

(

ek−1,k) {Decrypt with pair-wise key shared with node k − 1}

(6) end if

(7) μ⇐ 2ε∣

∣xk − x∣

∣

(8) uk ⇐ − sgn(

xk − x) rand-positive(μ, σ2)

(9) if k �= N − 1 then

(10) xk+1 ⇐ xk + uk

(11) ek,k+1 ⇐ EKk,k+1

(

xk+1) {Encrypt with pair-wise key shared with k + 1}

(12) Destroy xk+1 {So if this node is captured, attacker does not have this}(13) Send ek,k+1 to node k + 1

(14) end if

(15) if k �= 0 then

(16) Destroy xk {So if this node is captured, attacker does not have this}(17) end if

(18) Send uk to the base station {This is node k’s share}(19) end for

Algorithm 3: TANGRAM.

Let us consider the scalar case again. For the case of morethan one interception, assume that t shares (where this t isfrom the goals in Section 2.1) are intercepted. Then we wantto ensure that decryption using these t nodes falls in thedissimilar region with high probability. Since the shares aregenerated randomly, suppose that the first t shares are inter-cepted. Then this t should satisfy (21) for δ > 0:

Pr

{∣

∣

∣

∣

∣

x − x0 −t−1∑

k=0

uk

∣

∣

∣

∣

∣

> ρ1

}

> 1− δ. (21)

As we will see in Section 3.3, this criterion is coupled with ro-bustness constraints, which renders the closed-form deriva-tion of t intractable. Hence the determination of t will be leftto the devices of simulation found in Section 4.3.

3.2. Implementation

The particulars of the TANGRAM algorithm are summarizedin Algorithm 3 for ease of reference. We now examine theimplementation of the TANGRAM algorithm and show thatit is indeed cost efficient, robust, and suited for VSNs.

How efficient is Algorithm 3 in terms of share size? Thisquestion is inherently linked to the issue of compression. Ifwe look at this question at the pixel level, then the cost ofone pixel is its absolute value; hence the cost of all shares is|u0| + |u1| + · · · + |uN−1|. Intuitively, a pixel with smallerabsolute value will require fewer bits to encode than a pixelwith larger absolute value, and hence from this point of view,minimizing this cost achieves a crude form of compression.

Definition 3.9 (Optimal share size). The shares u0, u1, . . . ,uN−1 generated by Algorithm 3 achieve optimal share size if

∣

∣u0∣

∣ +∣

∣u1∣

∣ + · · · +∣

∣uN−1∣

∣ ≤ ∣∣x − x0∣

∣, (22)

where | · | is the element-wise absolute value.

Definition 3.9 is motivated by the fact that if the sharesovershoot the desired representative image, and oscillateabout the representative image, then they will effectively havetotal absolute size greater than if the shares never overshoot.Theorem 3.4 and its proof provides us with a result on opti-mal share size as stated in Corollary 3.10.

Corollary 3.10. The shares produced by Algorithm 3 achieveoptimal share size with probability greater than

(1− 2ε)N . (23)

Remarks 3.11. The factor 2 comes from the fact that in orderto achieve optimal share size, we require R+

k < |xk − x| for allk; see the proof for Theorem 3.4.

3.3. Robustness

In this section we assume that noise (either through unin-tentional sensor errors, miscalibrations, or intentional tam-pering) is added to the shares. If we use Algorithm 3, we canwrite decryption as x0 +

∑N−1k=0 (uk + wk) = (x0 +

∑N−1k=0 uk) +

∑N−1k=0 wk = x +

∑N−1k=0 wk, where we have also assumed that

imperfect decryption (i.e., all the shares and the initial state


do not add up to be the representative state) is incorporatedinto the noise vectors wk. From Section 2.2, if ‖∑N−1

k=0 wk‖ <ρ0 for the perceptual similarity constant ρ0, then decryp-tion will still reveal the semantics of x. This constraint maybe unreasonable under an intentional attack situation, how-ever our assumptions in Section 2.1.2 restrict the number ofshares attacked to no more than t, thus restricting the effecton the decrypted image.

We exercise this assumption and assume the worst casescenario, in which none of the t tampered shares may beused. Let S be the set of shares of cardinality t that are ru-ined. Then it is natural to use the complement S, resulting inx0 +

∑N−1k=0 IS(uk)uk, where

IA(x) =⎧

⎨

⎩

1 if x ∈ A,

0 if x /∈ A(24)

is the indicator function. If ‖x− (x0 +∑N−1

k=0 IS(uk)uk)‖ < ρ0,then decryption will reveal the semantics as desired. Thereare two questions that need to be answered. First, what is themaximum t = |S| for which a perceptually acceptable recon-struction is possible? Second, how does the base station(s)determine the set S?

To address the first question, let us consider the scalarcase. Without loss of generality, assume the last t shares areruined while the firstN−t shares are pristine. Since the sharesare generated randomly, given a δ > 0, maximize t such that

Pr

{∣

∣

∣

∣

∣

x − x0 −N−t−1∑

k=0

uk

∣

∣

∣

∣

∣

< ρ0

}

> 1− δ. (25)

This constraint probability can be written as

Pr

{

− ρ0 < x − x0 −N−t−1∑

k=0

uk < ρ0

}

= Pr

{

x − x0 − ρ0 <N−t−1∑

k=0

uk < x − x0 + ρ0

}

.

(26)

If we let Y = U1 + U2 + · · · ,UN−t−1 be the random variableaccounting for the sum of the random shares, and fY (y) itsPDF, then the problem for the scalar case is to maximize tsuch that

∫ x−x0+ρ0

x−x0−ρ0

fY (y)dy > 1− δ. (27)

Even for the scalar case, this problem is formidable, sincethe PDFs of the random variables Ui have unknown variablemeans, and hence is best suited for computational simula-tions.11

11 In addition to the constraint given by (27), (21) should also be satisfiedfor security reasons. But obviously this makes the problem even more dif-ficult.

The second problem can be rephrased as finding the set Ssuch that x0 +

∑N−1k=0 IS(uk)uk is closest to x. Without any side

information, this problem is nontrivial. In fact, this problemin general (without side information) is just as hard as theknapsack problem known to be NP-complete [35]. To makethis problem tractable, the usual device is to embed an au-thentication code (side information), such that the base sta-tion(s) can verify whether each share is pristine or corrupted.In this way, the base station(s) can construct the desired setS.

4. SIMULATION AND INTERPRETATION

In this section we present the simulation results and dis-cuss their meaning. We present results from two images. Thefirst image used is shown in Figure 4 and has dimensional-ity of 587 × 393 while the second image has dimensionalityof 512 × 512 and can be seen in Figure 12. The significanceof choosing different image dimensions in our work is todemonstrate that although the perceptual constants are typ-ically determined empirically for each image, they may alsobe reused for images of approximately the same dimensions.This property is desirable for sensor networks which are of-ten required to operate as autonomously as possible withouthaving to readjust its parameters.

4.1. Choosing ρ0 and ρ1

As one of the first steps in our implementation, we mustestimate values of the similarity and dissimilarity constantsρ0 and ρ1 respectively as discussed in Section 2.2. By addingzero-mean white Gaussian noise with different variances,and visually inspecting the outcomes, we find that with avariance of no more than 50, the image is still understand-able, while with a variance of at least 500, the image is in-comprehensible. To determine the norm, we ran several ex-periments with variances 50 and 500, and computed the av-erage norm of the noise, which turns out to be ρ0 = 24000and ρ1 = 37000, respectively.

4.2. Random distribution

TANGRAM is based on a positive continuous distribution. Inour simulations, we use the lognormal distribution, since themean and variance can be controlled independently.12 Thelognormal PDF is given in (28), and its mean μ and varianceσ2 are given in (29), respectively:

f (x) = 1s√

2π1xe−(ln(x)−m)2/2s2

, (28)

μ = em+s2/2,

σ2 = e2(m+s2) − e2m+s2.

(29)

12 Other one-sided continuous distributions such as exponential, chi-squared have PDFs based on one parameter which controls both the meanand variance in tandem.


(a) (b) (c)

Figure 4: (a) Original bus (© come.to/torontobus); (b) bus with AWGN σ2 = 50; (c) bus with AWGN σ2 = 500.

60555045403530252015105

Number of shares

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Sim

ilari

tyra

te

σ2 = 5σ2 = 15

(a)

60555045403530252015105

Number of shares

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Dis

sim

ilari

tyra

te

σ2 = 5σ2 = 15

(b)

Figure 5: (a) Similarity rate; (b) dissimilarity rate.

The mean is dependent on the parameter ε (see Algorithm3). In our simulations we use two values ε = 10−2 and 10−3.The variance can be defined by the user. In our simulations,we use two values for the variance, σ2 = 5 and 15. We willdiscuss the implications of ε and σ2 in Section 4.5.

4.3. Determining suitable N and t

Next we want to determine how many sensor nodes areneeded so that decryption is satisfactory. Figure 5(a) showsthe rate (or simulated probability) that decryption will resultin an image that falls in the similar region characterized by ρ0.We see that at least 40 shares are necessary before a decryptedimage falls in the similar region with high probability.

The value of t, that is, the total number of intercep-tions allowed, can be stated as the number of shares an at-tacker can intercept before decryption (using this number ofshares) results in an image that no longer falls in the dissim-ilar region (i.e., it either falls in the fuzzy or similar region).Figure 5(b) shows the rate (or simulated probability) that de-cryption will result in an image that falls in the dissimilar re-gion. We see that 20 shares or less will result in an image that

falls in the dissimilar region with high probability. Since thedetermination of ρ1 was empirical, we choose a conservativet, which is half of 20, giving t = 10.

Since we require at least 40 nodes for decryption, but al-low 10 nodes to be intercepted, we choose N = 40 + 10 = 50as the number of nodes in a cluster. Figure 6 shows an ex-ample of a share, decryption using 10 shares, and decryptionusing 40 shares. Images have been scaled appropriately forhighest perceptual quality.

4.4. Convergence and security

In Section 4.3 we presented the simulated probability of de-cryption falling in the similar and dissimilar regions depend-ing on the number of shares. An important question to askis the following: how does decryption transition between thesimilar, fuzzy, and dismilar regions as the number of sharesavailable is varied? This question not only addresses conver-gence, but also security from the point of view that if an at-tacker is able to intercept one extra share, how does this ad-ditional interception improve his ability to comprehend thedecrypted image.


(a) (b) (c)

Figure 6: (a) Sample share; (b) decryption using t = 10 shares; (c) decryption using 40 shares.

60555045403530252015105

Number of shares

1.5

2

2.5

3

3.5

4

4.5

5

5.5�104

�

decr

ypte

d

�

(x)�

Average (σ2 = 5, ε = 10�2)Average (σ2 = 15, ε = 10�2)Average (σ2 = 5, ε = 10�3)

Minimum (σ2 = 5, ε = 10�2)Minimum (σ2 = 15, ε = 10�2)Minimum (σ2 = 5, ε = 10�3)

(a)

60555045403530252015105

Number of shares

0.93

0.94

0.95

0.96

0.97

0.98

0.99

1

1.01

Pro

babi

lity

ofop

tim

alpi

xels

har

esi

ze

σ2 = 5σ2 = 15

Lower bound

(b)

Figure 7: (a) ‖x0+∑n

k=0 uk−x‖ as a function of the number of shares n; (b) Pr{∑nk=0 |uk|≤|x−x0|} as a function of the number of shares n.

Figure 7(a) shows the average and minimum distancesbetween the decrypted image and the representative image.We see that with more shares, the distance becomes closer,that is, decryption results in a better visual approximation ofthe representative image. Furthermore, we see that this phe-nomenon happens linearly. From a security point of view,each share intercepted linearly improves the attackers abil-ity to comprehend the secret image. However, as long as thenumber of shares intercepted by an attacker does not exceedt, decryption will fall in the dissimilar region. In terms ofrobustness, each share that is lost or damaged will degradethe decrypted image linearly. Again if no more than t sharesare lost or damaged, decryption will not suffer provided thatthese t shares are not used in decryption when they are dam-aged.

Finally, Figure 7(b) shows the probability that the pixelsin a collection of shares have optimal share size as definedin Definition 3.9. We see that the lower bound provided by

Corollary 3.10 is rather modest, and in fact pixels are likelyto achieve optimal share size with high probability.

4.5. Effect of ε and σ2

In the plots above, we have shown the results for varying εand σ2. From Algorithm 3, we know that the mean of thedistribution is a function of ε. The smaller we make ε, thesmaller the mean is. From Figure 7(a), we see that whenε = 10−3, the decrypted image is far from the representa-tive image. Since this ε = 10−3 is smaller than ε = 10−2, themean is smaller, and hence each share size is smaller, and ittakes many more shares to result in a good visual approxima-tion.

Similarly, when the variance is increased, we see that thesimulation with the larger σ2 = 15 also converges slowerthan σ2 = 5. This is demonstrated in Figure 5(a), whichshows that slightly more shares are required for decryption


(a)

(b)

(c)

Figure 8: (a) Unintentional tampering: decrypted result of unreg-istered shares; (b) intentional tampering: Lena masked; (c) decryp-tion using 40 shares resists tampering and discloses Lena’s face.

to land in the similar region for the σ2 = 15 case. Of courseat the same time, we can allow attackers to intercept moreshares before leaving the dissimilar region when σ2 is largeras shown in Figure 5(b).

4.6. Tampering

In this section we briefly examine the effects of unintentionaland intentional tampering. Figure 8(a) is the visually accept-able result of combining 40 shares that are not registered;that is, the 40 nodes each have different representative im-ages that are random rotations of one another over a uni-form distribution of −2.5 degrees to 2.5 degrees. Such mis-alignments may be caused by misaligned cameras for exam-ple, and hence we classify them as unintentional tampering.Figure 8(b) shows Lena’s face being intentionally masked bya mandrill’s face. Five nodes were given this tampered repre-sentative image, and the result of decrypting with 40 shares

(a)

(b)

Figure 9: (a) 2-level Haar wavelet decomposition; (b) a share cre-ated from the Haar wavelet domain.

is shown in Figure 8(c). Intuitively, since the majority of theshares are unaffected, this majority visually overwhelms thetampered minority. However this resilience against tamper-ing comes at the cost of redundancy in the network, as alarge majority is needed. This agrees with Sections 4.3 and4.4 in that N is always much larger than t, implying only asmall number of shares can be compromised compared tothe total number of shares in the network, thus completingour insight into the tradeoff between resilience and redun-dancy.

Up to this point, we have considered sharing the pix-els of an image. Image compression usually takes place ina domain other than the pixel domain, that is, a frequencydomain [30]. In this section we use a 2-level Haar waveletdecomposition, which can be seen in Figure 9(a). In addi-tion, we exercise rudimentary compression by discarding thediagonal high frequency subbands in both levels (i.e., thelower right corners of both levels in Figure 9(a)) to demon-strate the feasibility of extending TANGRAM to incorporatemore standard compression techniques. Each node first ap-plies a 2-level Haar wavelet decomposition to its represen-tative image, and then TANGRAM proceeds exactly as out-lined in Algorithm 3 on the wavelet subbands with the ex-ception that the diagonal high frequency subbands in bothlevels are discarded. At the base station(s), the discarded sub-bands are replaced by zeros, and then Algorithm 2 is appliedon all subbands. Finally the inverse wavelet transform is per-formed, resulting in a good visual approximation as shown


(a)

(b)

Figure 10: (a) Decryption of Haar wavelet compressed shares;(b) decryption of unregistered Haar wavelet compressed shares.

in Figure 10(a). We will refer to this extension as wavelet-TANGRAM.

Next we compare wavelet-TANGRAM to TANGRAM fora few special attacks to demonstrate the feasibility of ex-tending TANGRAM. If an attacker arbitrarily intercepts onewavelet-TANGRAM share and performs the appropriate in-verse wavelet transform, then the resulting image is unintel-ligible as shown in Figure 9(b); this is expected and anal-ogous to Figure 6(a). If the representative images are mis-aligned as described in Section 4.6, decryption with 40 shareswill still result in a good visual approximation as shown inFigure 10(b).

5. CONCLUSIONS

This paper provides a paradigm for distributing privacy andconfidentiality in a visual sensor network. We have presenteda simple algorithm, TANGRAM, which meets low complex-ity requirements of VSNs, hence allowing for other applica-tions to coexist on-board each sensor. In addition, we haveprovided simple metrics for measuring perceptual similar-ity, robustness, security, and the optimality of share sizes. Wehave provided a comprehensive simulation and discussion ofthe results encompassing significant aspects of the problem.Future work will look at combining the proposed algorithmwithin an image/video compression algorithm compatiblewith VSNs as well as developing general design insights for

60555045403530252015105

Number of shares

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Sim

ilari

tyra

te

σ2 = 5σ2 = 15

(a)

60555045403530252015105

Number of shares

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1D

issi

mila

rity

rate

σ2 = 5σ2 = 15

(b)

Figure 11: (a) Similarity rate; (b) dissimilarity rate.

the generation of secure shares in deterministic and randomcases.

APPENDIX

A. ADDITIONAL SIMULATION RESULTS

Although the perceptual constants ρ0 and ρ1 were gener-ated empirically for the bus image, we show in this sectionthat highly similar results are achieved for a different imageof similar dimensions using these constants. This demon-strates that we can choose N and t ahead of time if the image


(a) (b) (c)

Figure 12: (a) Sample share; (b) decryption using t = 10 shares; (c) decryption using 40 shares.

60555045403530252015105

Number of shares

1.5

2

2.5

3

3.5

4

4.5

5

5.5�104

�

decr

ypte

d

�

(x)�

Average (σ2 = 5, ε = 10�2)Average (σ2 = 15, ε = 10�2)Average (σ2 = 5, ε = 10�3)

Minimum (σ2 = 5, ε = 10�2)Minimum (σ2 = 15, ε = 10�2)Minimum (σ2 = 5, ε = 10�3)

(a)

60555045403530252015105

Number of shares

0.93

0.94

0.95

0.96

0.97

0.98

0.99

1

1.01

Pro

babi

lity

ofop

tim

alpi

xels

har

esi

ze

σ2 = 5σ2 = 15

Lower bound

(b)

Figure 13: (a) ‖x0 +∑n

k=0 uk − x‖ as a function of the number of shares n; (b) Pr{∑nk=0 |uk| ≤ |x − x0|} as a function of the number of

shares n.

dimensions are approximately as those used in the simula-tions presented here in Figures 11, 12, and 13.

REFERENCES

[1] J. Wickramasuriya, M. Datt, S. Mehrotra, and N. Venkata-subramanian, “Privacy protecting data collection in mediaspaces,” in Proceedings of the 12th ACM International Confer-ence on Multimedia, pp. 48–55, New York, NY, USA, October2004.

[2] D. Agathangelou, B. P. L. Lo, J. L. Wang, and G.-Z. Yang, “Self-configuring video-sensor networks,” in Proceedings of the 3rdInternational Conference on Pervasive Computing, pp. 29–32,Munich, Germany, May 2005.

[3] G. Kogut, M. Blackburn, and H. R. Everett, “Using video sen-sor networks to command and control unmanned ground ve-hicles,” in Proceedings of AUVSI Unmanned Systems in Interna-tional Security, London, UK, September 2003.

[4] D. Kundur and W. Luh, “Multimedia sensor networks,” in En-cyclopedia of Multimedia, p. TBD, Springer, New York, NY,USA, 2006.

[5] M. Gerla and K. Xu, “Multimedia streaming in large-scale sen-sor networks with mobile swarms,” ACM SIGMOD Record,vol. 32, no. 4, pp. 72–76, 2003.

[6] W.-C. Feng, J. Walpole, W.-C. Feng, and C. Pu, “Moving to-wards massively scalable video-based sensor networks,” in Pro-ceedings of Workshop on New Visions for Large-Scale Networks:Research and Applications, Washington, DC, USA, March2001.


[7] W.-C. Feng, B. Code, E. Kaiser, M. Shea, W.-C. Feng,and L. Bavoil, “Panoptes: scalable low-power video sensornetworking technologies,” in Proceedings of the ACM Inter-national Multimedia Conference, pp. 562–571, Berkeley, Calif,USA, November 2003.

[8] R. Holman, J. Stanley, and T. Ozkan-Haller, “Applying videosensor networks to nearshore environment monitoring,” IEEEPervasive Computing, vol. 2, no. 4, pp. 14–21, 2003.

[9] A. Basharat, N. Catbas, and M. Shah, “A framework for intelli-gent sensor network with video camera for structural healthmonitoring of bridges,” in Proceedings of 3rd IEEE Interna-tional Conference on Pervasive Computing and Communica-tions Workshops (PERCOM ’05), pp. 385–389, Kauai Island,Hawaii, USA, March 2005.

[10] K. Obraczka, R. Manduchi, and J. J. Garcia-Luna-Aveces,“Managing the information flow in visual sensor networks,”in Proceedings of 5th International Symposium on Wireless Per-sonal Multimedia Communications (WPMC ’02), vol. 3, pp.1177–1181, Honolulu, Hawaii, USA, October 2002.

[11] J. Pan, Y. T. Hou, L. Cai, Y. Shi, and S. X. Shen, “Locating base-stations for video sensor networks,” in Proceedings of 58th IEEEVehicular Technology Conference (VTC ’04), vol. 5, pp. 3000–3004, Orlando, Fla, USA, October 2003.

[12] D. A. Fidaleo, H.-A. Nguyen, and M. Trivedi, “The networkedsensor tapestry (NeST): a privacy enhanced software architec-ture for interactive analysis of data in video-sensor networks,”in Proceedings of the ACM 2nd International Workshop on VideoSureveillance and Sensor Networks (VSSN ’04), pp. 46–53, NewYork, NY, USA, October 2004.

[13] D. R. Stinson, Cryptography: Theory and Practice, Chapman &Hall, New York, NY, USA, 1st edition, 1995.

[14] L. Tang, “Methods for encrypting and decrypting MPEG videodata efficiently,” in Proceedings of the 4th ACM InternationalConference on Multimedia, pp. 219–229, Boston, Mass, USA,November 1996.

[15] L. Qiao and K. Nahrstedt, “Comparison of MPEG encryptionalgorithms,” Computers and Graphics, vol. 22, no. 4, pp. 437–448, 1998.

[16] C. Shi and B. K. Bhargava, “A fast MPEG video encryptionalgorithm,” in Proceedings of the 6th ACM International Con-ference on Multimedia, pp. 81–88, Bristol, England, September1998.

[17] G. R. Blakley, “Safeguarding cryptographic keys,” in Proceed-ings of the AFIPS 1979 National Computer Conference (NCC’79), vol. 48, pp. 313–317, Arlington, Va, USA, June 1979.

[18] A. Shamir, “How to share a secret,” Communications of theACM, vol. 22, no. 11, pp. 612–613, 1979.

[19] Z. Liu, D. Peng, Y. Zheng, and J. Liu, “Communication pro-tection in IP-based video surveillance systems,” in Proceedingsof 7th IEEE International Symposium on Multimedia (ISM ’05),pp. 69–78, Irvine, Calif, USA, December 2005.

[20] M. Naor and A. Shamir, “Visual cryptography,” in Proceedingsof Advances in Cryptology - EUROCRYPT ’94, Workshop on theTheory and Application of Cryptographic Techniques, pp. 1–12,Perugia, Italy, May 1995.

[21] G. Ateniese, C. Blundo, A. De Santis, and D. R. Stinson, “Vi-sual cryptography for general access structures,” Informationand Computation, vol. 129, no. 2, pp. 86–106, 1996.

[22] R. Ito, H. Kuwakado, and H. Tanaka, “Image size invariantvisual cryptography,” IEICE Transactions on Fundamentals ofElectronics, Communications and Computer Science, vol. E82-A, no. 10, pp. 2172–2177, 1999.

[23] C.-C. Lin and W.-H. Tsai, “Secret image sharing with capabil-ity of share data reduction,” Optical Engineering, vol. 42, no. 8,pp. 2340–2345, 2003.

[24] Z. Xiong, A. D. Liveris, and S. Cheng, “Distributed sourcecoding for sensor networks,” IEEE Signal Processing Magazine,vol. 21, no. 5, pp. 80–94, 2004.

[25] A. Postma, W. de Boer, A. Helme, and G. Smit, “Distributedencryption and decryption algorithms,” Memoranda Infor-matica 96-20, University of Twente, Enschede, The Nether-lands, December 1996.

[26] A. Postma, Classes of Byzantine fault-tolerant algorithms fordependable distributed systems, Ph.D. thesis, University ofTwente, Enschede, The Netherlands, 1998.

[27] W. Luh and D. Kundur, “Distributed privacy for visual sensornetworks via Markov shares,” in Proceedings of 2nd IEEE Work-shop on Dependability and Security in Sensor Networks and Sys-tems (DSSNS ’06), pp. 23–34, Columbia, Md, USA, April 2006.

[28] A. Czarlinska and D. Kundur, “Distributed actuation attacks inwireless sensor networks: implications and countermeasures,”in Proceedings of 2nd IEEE Workshop on Dependability and Se-curity in Sensor Networks and Systems (DSSNS ’06), pp. 3–12,Columbia, Md, USA, April 2006.

[29] T. A. Berson, “Failure of the McEliece public-key cryptosys-tem under message-resend and related-message conditions,”in Advances in Cryptology-Proceedings of Crypto ’97, B. Kaliski,Ed., vol. 1294 of Lecture Notes in Computer Science, pp. 213–220, Springer, New York, NY, USA, 1997.

[30] Y. Q. Shi and H. Sun, Image and Video Compression for Multi-media Engineering: Fundamentals, Algorithms, and Standards,CRC Press, Boca Raton, Fla, USA, 2003.

[31] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Hand-book of Applied Cryptography, CRC Press, Boca Raton, Fla,USA, 1st edition, 1996.

[32] U. N. Okorafor and D. Kundur, “Efficient routing protocols fora free space optical sensor network,” in Proceedings of 2nd IEEEInternational Conference on Mobile Adhoc and Sensor SystemsConference, pp. 251–258, Washington, DC, USA, November2005.

[33] D. Kundur, W. Luh, and U. Okorafor, “Security and rightsmanagement for multimedia sensor networks,” in MultimediaSecurity Technologies for Digital Rights Management, Elsevier,New York, NY, USA, 2006.

[34] M. Vidyasagar, Nonlinear Systems Analysis, Prentice-Hall, En-glewood Cliffs, NJ, USA, 2nd edition, 1993.

[35] R. M. Karp, “Reducibility among combinatorial problems,” inComplexity of Computer Computations, R. E. Miller and J. W.Thatcher, Eds., pp. 85–104, Plenum Press, New York, NY, USA,1972.

William Luh received the B.A.S. degree incomputer engineering in 2002 from theUniversity of Toronto, Canada, and the M.S.degree in electrical engineering in 2004from Texas A&M University. He is currentlypursuing his Ph.D. degree in electrical en-gineering at Texas A&M University underDr. Deepa Kundur. His research interests in-clude multimedia and sensor network secu-rity, digital rights management, watermark-ing/fingerprinting, and steganography.


Deepa Kundur received the B.A.S., M.A.S.,and Ph.D. degrees all in electrical & com-puter engineering in 1993, 1995, and 1999,respectively, from the University of Toronto,Canada. In January 2003, she joined the De-partment of Electrical & Computer Engi-neering at Texas A&M University where sheleads the SeMANTIC (Sensor Media Algo-rithms & Networking for Trusted IntelligentComputing) Research Group of the Wire-less Communications Laboratory. Before joining Texas A&M, shewas an Assistant Professor in the Department of Electrical andComputer Engineering at the University of Toronto where she wasthe Bell Canada Junior Chair-holder in Multimedia and an Asso-ciate Member of the Nortel Institute for Telecommunications. Herresearch interests include security and privacy for scalar and broad-band sensor networks, multimedia security, digital rights manage-ment, steganalysis for computer forensics, and dynamical systemstheory. She has given tutorials in the area of information securityat ICME-2003 and Globecom-2003, and was a Guest Editor of theJune 2004 Proceedings of the IEEE Special Issue on Enabling Se-curity Technologies for Digital Rights Management. She currentlyserves as the Vice-Chair for the Security Interest Group of the IEEEMultimedia Communications Technical Committee and is an As-sociate Editor for the IEEE Communication Letters.

Takis Zourntos received the B.A.S., M.A.S.,and Ph.D. degrees from the University ofToronto, Canada. His research interests arein the areas of nonlinear control and systemtheory, analog computation for roboticsand optimization and integrated circuit im-plementation. He is currently an AssistantProfessor with the Department of Electricaland Computer Engineering at Texas A&MUniversity, USA.

A Novel Distributed Privacy Paradigm for Visual Sensor ...

Documents

Transcript of A Novel Distributed Privacy Paradigm for Visual Sensor ...