Privacy-Preserving Image Watermark Embedding Method Based on Edge Computing

To solve the problem of privacy leakage and response latency in outsourced image watermark embedding in cloud computing, an efficient and privacy-preserving watermark embedding method for outsourced digital images was proposed by introducing edge computing technology. We had proposed a perturbing encryption method with homomorphism to ensure the information security and the correctness of discrete wavelet transformation in the encrypted domain. In addition, the framework was designed to guarantee the safety of singular value decomposition that edge server could not recover the original image matrix. The experimental results show that the proposed method is superior to similar secure watermarking schemes in terms of encryption/decryption time and ciphertext expansion. The proposed method enables the watermarking operation to be performed in an unsafe outsourced environment while achieving a watermarking effect similar to the plaintext equivalent.


I. INTRODUCTION
The development of artificial intelligence and big data has prompted an explosion of information. Every minute, 1.1 million tweets are sent, 684,478 contents are shared on Facebook, 3.2 million queries are searched on Google, and 48h of videos are uploaded to YouTube [1]. The creation and the dissemination of massive multimedia information leads to disputes over digital copyrights. It poses challenges to users with limited storage/computing resources in watermarking processing. Combining digital watermarking technology [2] and cloud computing technology is effective to alleviate these problems.
In recent years, the development of cloud servers with massive storage and powerful computation has made it possible to outsource large-scale data storage and processing. The task of watermark embedding massive images can now be transferred to the cloud, ensuring the user's copyright ownership and decreasing the amount of local computing/storage The associate editor coordinating the review of this manuscript and approving it for publication was Gerard-Andre Capolino. resources required [3]. However, outsourcing data often involves trade secrets and user sensitive data [4]. Therefore, it is necessary to construct a privacy-preserving outsourcing watermarking scheme that can protect the privacy and security of data while implementing watermark embedding in the cloud.
There are a lot of digital watermarking related work in recent years [5]- [8], [9]. In the plaintext domain, digital watermarking is a technology that embeds additional information into the host carrier to prove ownership. This process mainly includes spatial domain watermarking [10], [11] and transformation domain watermarking [12]. To date, many approaches have been developed for secure image watermarking, for example, the method of reversible data hiding (RDH) in the encrypted domain [13]. For example, Zhang [14] segmented image pixels into groups by blocks in the spatial domain, then encrypted them by the bit flip, and finally embedded secret bits into the least significant bits of the host image. To reduce the error rate of information extraction, Hong et al. [15] improved the algorithm in [14] by employing smoothness between each block and implementing a correlation of pixels at the block boundary. However, this improvement had little effect on performance. To facilitate information embedding, a novel embedding framework was proposed by reserving the space before encryption [16], [17]. However, this was not suitable for practical applications because content owners need to perform extra work, except for image encryption. For improved security and embedding rate, Zhang et al. [18] utilized a public key mechanism to encrypt the carrier image and used the homomorphism of encryption technology to embed secret information. Similar methods were found in the literature [19]- [22]. These methods were based on a public key mechanism, but suffered from data inflation and high computational complexity. Considering the potential value of different image file formats, some secure RDH schemes have been proposed for JPEG images [23] and 2-dim vector graphics [24], respectively. It is widely accepted that the ciphertext RDH technology can achieve secure watermark embedding. However, robustness has consistently been a major problem for schemes based on secure RDH. In [25], Peng et al. proposed a separable watermarking scheme to improve the robustness of the method. Based on chaotic encryption, Gao and Gao [26] proposed a novel verifiable image encryption, which not only protects the image information but also allows watermark data to be hidden and extracted. However, redundancy loss leads to difficulty in embedding watermarks, as well as the reduction of the capacity to embed watermarks. Yao et al. [27] proposed a scheme for embedding a visible watermark in the bit plane of the encryption domain. However, the visual impact of this watermark on the decrypted image was apparent and caused the use-value of the image to be highly susceptible to destruction. Literature [28] studied the watermark embedding of medical images in the encryption domain based on JPEG-LS, concluding that the watermark could be extracted in both the encryption and plaintext domains.
By contrast, much less research has focused on secure watermarking in the transform domain. However, this method has a better robustness and higher embedding capacity [29]. This is especially true for mixing different transformations, such as the combination of discrete wavelet transformation (DWT) and singular value decomposition (SVD). Presently, the watermarking method that combines DWT and SVD can achieve an acceptable balance between robustness and invisibility under appropriate scaling factors, and it has become a common method of watermarking in the plaintext domain [30]. In summary, securely implementing DWT and SVD is imperative in an untrusted environment. The main challenge of the transform domain watermarking scheme in ciphertext is how to ensure a secure frequency transformation operation while obtaining the same effect as plaintext. Zheng and Huang [31] combined the Paillier cryptosystem [32] to propose a DWT transformation in the encrypted domain. However, their data reduction method presented some consistent pixel ciphertext that resulted in a risk of information leakage. Additionally, the discrete Fourier transform [33] and discrete cosine transform [34] of encrypted signals were studied. Inspired by Zheng and Huang's research [31], Xiang et al. [35] proposed a reversible watermark embedding scheme based on the Paillier cryptosystem and multi-level DWT decomposition in the encrypted domain. However, it was challenging to perform multiplication for the Paillier cryptosystem.
Compared to the ciphertext wavelet transformation, there were few studies on singular value decomposition in the encrypted domain. To design a secure outsourcing watermarking framework based on DWT-SVD that was more robust [29] , we advanced the encryption method from the literature [36] to encrypt image data and securely perform DWT. Additionally, a secure singular value decomposition framework was designed to compute outsourced SVD. The cloud server can process a large amount of data, but the transmission time is proportional to the amount of data. This implies that data processing outsourced to the cloud may cause a response delay [37]. To solve this problem, we introduced edge computing technology to propose a lightweight privacy-preserving digital watermarking method for outsourced host images.
The proposed scheme requires that the content owner (CO) encrypts the host and watermark images and uploads the encrypted data to the edge computing server. After obtaining the ciphertext, the server performs the watermark embedding method by combining the Haar DWT (HDWT) and SVD. The server then returns the encrypted host image containing the watermark to the authorized user who can then decrypt and obtain the corresponding plaintext of the image containing the watermark. This paper is summarized as follows: 1) The first contribution: A privacy-preserving color image watermarking framework was designed using edge computing technology. With this framework, the CO only needs to encrypt and upload the ciphertext. The edge computing server embeds the watermark into the host image without any interaction with the CO. In addition, a secure quadratic SVD framework was proposed to improve the watermark embedding effect.
2) The second contribution: An encryption algorithm that is able to perform the HDWT in an encrypted domain was designed. Compared with existing encryption algorithms commonly used for DWT in the encryption domain (such as the Paillier homomorphic encryption), the encryption and decryption times and storage costs were significantly improved. The SHA256 hash algorithm and logistic mapping (LM) fusion method were proposed to ensure the uniqueness of the watermark image key and protect the privacy information of the watermark image.
3) Experimental results showed that the proposed method was superior to other encrypted watermarking schemes in terms of encryption and decryption times and the extension rate of ciphertext. When encrypting the same 8-bit data using the proposed method, the ciphertext extension was approximately 50% of the Paillier cryptosystem. Compared with other methods that use the RSA algorithm, the encryption/decryption speed improved by 3.46 s/259.57 s under the same image condition. Compared with the same watermarking scheme in plaintext, the PSNR of the proposed scheme reduced slightly by approximately 0.05 dB on average, when the watermark embedding factor was 0.25. Additionally, less data were lost.

A. LOGISTIC MAPPING
Logistic mapping (LM) is a type of chaotic mapping [38] widely used in digital communication security, multimedia data security, and other domains. It is defined as follows: Specially, k = 0, 1, . . . , n, X (k) ∈ (−1, 1), u ∈ (0, 4). X (k) is the mapping variable, and u is the system parameter. When 0 < X (0) < 1 and 3.5699456 < u < 4, the mapping function is in a chaotic state, which is an unordered and unpredictable state.
represents an image matrix with n pixels. When encrypting M, the LM function requires n iterations to obtain a sequence of one-dimensional vectors of length n. The sequence is then normalized (such as Liu et al. [39]), and the result is mapped to the interval [0, 255] to obtain an encryption vector is the ciphertext of M, and is generated using pseudo random xor encryption as follows: In decryption processing, L is restored through the private key {X (0), u}, and the plaintext of M is obtained by the xor operation between L and E.

B. DISCRETE WAVELET TRANSFORM
DWT is a process of multiscale and frequency-domain decomposition of images [40]. In the watermarking scheme based on DWT, DWT decomposes the target image matrix into four sub-band matrices, which are often used for embedding watermarks. As shown in Fig.1, the low-frequency (LL) component represents the approximate image information.
Haar discrete wavelet transform (HDWT) is a type of DWT [41] and is the key technology used for the frequency domain of the host image in this study. As the calculation procedure of HDWT is simple, the image matrix encrypted by the proposed encryption method does not cause an excessive extension of the ciphertext during the calculation of HDWT. We briefly introduce the calculation process for HDWT and inverse-HDWT(IHDWT). Assuming that an image of size m×n is divided into non-overlapping 2×2 blocks , the elements of any block B i will be denoted from left to right and from top to bottom as a 1 , a 2 , a 3 and a 4 , and the coefficients of B i after HDWT will be calculated as (a 1 + a 2 + a 3 + a 4 )/2, (a 1 − a 2 + a 3 − a 4 )/2, (a 1 + a 2 − a 3 − a 4 )/2, and (a 1 − a 2 − a 3 + a 4 )/2, respectively. Based on these transformation coefficients, the IHDWT can be realized by performing the same calculation process. If the data are not changed, the inverse transformation can restore the original image data.

C. SINGULAR VALUE DECOMPOSITION
SVD [42] is a mathematical tool commonly used in signal and image processing. The calculation formula can be expressed as follows: Here, I is a matrix of size m × n. The matrices U and V have magnitudes of m × m and n × n, respectively. is a diagonal matrix of size m × n, and T is the transpose of the matrix. SVD has two commonly used properties.
According to (4), it is straightforward to get U, or V , by means of eigenvalue decomposition of I × I T or I T × I.

III. PRIVACY-PRESERVING WATERMARKING SCHEME
The privacy-preserving watermark outsourcing scheme proposed in this study is outlined in Fig.2, including content owners(COs), edge computing servers(S 1 , S 2 , S 3 ), a trusted third party(TTP), and an authorized-user(AU). TTP distributes key parameters, CO encrypts and uploads data to the edge server, the edge computing server performs secure HDWT and SVD, and AU decrypts the ciphertext to obtain the plaintext of the image with the watermark.

A. SYSTEM INITIALIZATION
The TTP generates the integer γ 1 and produces two large primes D and F, where F D. Specifically, |D| = γ 2 , |F| = γ 3 , γ 2 and γ 3 are the system parameters, and | · | indicates the number of binary bits of data. TTP then sends γ 1 , D, and F to the CO, AU, S 1 , and S 3 through the secure channel. The image encryption in our framework consists of host image encryption and watermark image encryption.

1) HOST IMAGE ENCRYPTION
The CO encrypts the host images as follows [36]: where p represents plaintext data, [·] indicates ciphertext encrypted by (5), c and y are random positive integers, and c, y ∈ (1, t), t = 2 γ 1 . For enhanced security, c and y can be selected as different positive integers for each pixel. The plaintext can be obtained by successively modulating D and F with ciphertext, as follows: To ensure that (5) can derive decimal and negative values, the following improvement treatments are proposed: when p is a decimal number, p expands into an integer with a certain proportion factor Q. Subsequently, an encryption operation is performed. When decrypting, Q is divided to obtain the original plaintext.
When the plaintext is negative, (5) can be rewritten as: Using (6) to decrypt (7), results in (p + D) < D as p is negative. Then, we can use (p+D)−D to restore the plaintext of p because (p + D) p. The encryption method in this study includes addition and multiplication homomorphisms. For example, To ensure accuracy of the subsequent wavelet decomposition process and the inverse decomposition process, the ciphertext of the host image I h is enlarged with [I] = I h Q 2 · β, and β becomes a multiple of two to counteract the two in the denominator in HDWT.

2) WATERMARK IMAGE ENCRYPTION
When the precondition for a chaotic state of the LM is satisfied, 0 < X (0) < 1, 3.5699456 < u < 4, and CO randomly selects the initial value for the LM, namely, the private key {X (0), u}. To increase the sensitivity and uniqueness of the private key, this study uses SHA256 to generate the hash value of the watermark image W and then divides the hash value into several non-overlapping bit vectors with a length of 8 bits. This method then generates an eight-dimensional vector using a vector-by-vector xor operation and finally normalizes it to the interval (0, 1), denoted by X W (0). By making X (0) = (X W (0) + X (0)) /2, the final private key becomes X (0), u , which generates the final encryption vector [L] that encrypts the watermark image to obtain the encrypted watermark image [W ] l . [·] l represents ciphertext encrypted by (2).

B. PRIVACY-PRESERVING HAAR DISCRETE WAVELET TRANSFORMATION
After receiving the encrypted data [I ], the server S 2 performs HDWT in the encryption domain.
As shown in II-B, HDWT involves subtraction. To ensure that the ciphertext is a positive integer for correct subsequent decryption, the generation mode of random numbers c and y in (5) is stipulated during encryption. Initially, the CO divides the host image into several blocks of size 2 × 2, that is, . The random number c is then marked in the four position pixels of each B i , denoted by c 1 , c 2 , c 3 and c 4 , which correspond to a 1 , a 2 , a 3 and a 4 in section II-B. Thereafter, random numbers are generated within the interval (1, t), which satisfy c 2 > c 4 > r 1 > r 2 > 0, c 1 = c 2 + r 1 and c 3 = c 4 +r 2 . Thus, the ciphertext of the frequency coefficient, after the HDWT in the encryption domain, is guaranteed to be a positive integer. The random number y is handled in a similar manner.
In this study, the watermark is embedded in the lowfrequency region coefficient LL after HDWT. Therefore, random numbers c and y in the subsequent re-encrypted LL ciphertext change, causing the result of the calculation to be negative and inadequate to carry out the inverse wavelet calculation directly. Consequently, the random number c g used for re-encryption of the inverse process in the lowfrequency region can be specified as c g > c 2 > c 4 > r 1 > r 2 and c g ∈ (t + 1, 2t). y g is handled in the same manner. Thus, it can be observed that the four ciphertext elements of any block, B re i , after recovery are all positive during IHDWT to ensure the correctness of the decryption. The flow of privacy-preserving Haar discrete wavelet transformation is shown in Fig.3.

C. SECURE WATERMARK EMBEDDING
The final effect of watermark embedding can be improved using a second SVD on the watermarked diagonal matrix , as confirmed by Liu et al. [39]. Therefore, in this study, a quadratic SVD mechanism is adopted to implement the watermarking operation in the encryption domain. The specific operations are as follows: Step1. When A 1 is received, S 1 decrypts A 1  are computed and sent to S 1 and S 3 , respectively. α is the scaling factor that controls the watermark intensity embedded in the host image, and [αQ] is obtained using (5) in CO.
Step3. S 1 decrypts [ n ] [ n ] T , and obtains U 2 and 2 using eigenvalue decomposition. S 1 encrypts U 1 · 2 · Q and sends it to S 2 . S 3 maintains V 2 after the eigenvalue decomposition of [ n ] T [ n ], and sends the encrypted The flow of secure watermark embedding is given in Fig.4.

D. IMAGE DECRYPTION AND WATERMARK EXTRACTION
In the encryption domain, inverse singular value decomposition is calculated by using S 2 to obtain the watermarked ciphertext in the low-frequency region: Step2. HDWT is performed for I W , and singular value decomposition is performed on the low-frequency coefficient Step3. The ciphertext of the watermark is extracted as W e = U 2 e2 V T 2 − 1 /α. Step4. The watermark image is restored using the initial condition of logistic mapping X (0), u to generate vector L = {l(i)} n i=1 and xor operations in the elements of W e in sequence. Fig.5 illustrates the flow of image decryption and watermark extraction.

IV. CORRECTNESS AND SECURITY ANALYSIS A. CORRECTNESS ANALYSIS
The decryption of the encryption system in this study uses modular operation, and the key bit length is affected by matrix multiplication. As a result, the bit length of the key {D, F} is required to meet certain conditions to decrypt correctly; that is, P must become a matrix, and o ij , p ij are the elements in the (i, j)-th position of [P] · [P] T and P, respectively. o ij can be calculated using a matrix multiplication algorithm.
(p ik + c ik D + y ik F) · (p jk + c jk D + y jk F)  (y ik p jk + y jk p ik + (c ik y jk + c jk y ik )D +y ik y jk F).
To ensure accurate execution of the modular operation, we need to ensure that the key F satisfies (10).
In (10), N p 2 + 2tpD + t 2 D 2 < |F| = γ 3 , p is the product of 8-bit pixel plaintext and extension coefficient Q 2 . We assume that p is the product of 255 and Q 2 , and let | · | represent the binary bit length of the data. Thus, the modular operation with F can be performed correctly.
In addition, the key D satisfies N k=1 p ik p jk < Np 2 < D, that is, Np 2 < |D| = γ 2 . Thus, a modular operation with D can be performed correctly.

B. SECURITY ANALYSIS
This scheme assumes that edge computing servers are honest, curious, and abide by predetermined protocols. However, edge servers may use obtained intermediate data to infer information about private data. This hypothesis model has been widely used in outsourcing data security processing. This study also assumes that participants do not collude with each other [43]. Based on the information obtained by the edge server, two threat models are considered: known ciphertext model and known background knowledge model [44]. The following analyses show that the edge server cannot infer the original data from the obtained data under these two threat models.

1) KNOWN CIPHERTEXT MODEL
In this model, the edge server S 2 knows the ciphertext of the host and watermark images, as well as the ciphertext data associated with the calculation. However, for ciphertext of the form [p] = p + c · D + y · F, it is impossible to obtain any knowledge of the original plaintext data without knowing the random positive integer c, y and the private key {D, F}. Moreover, the watermark image is encrypted by Logistic Mapping, and its decryption requires the key X (0), u . Otherwise, the decryption vector L = {l(i)} n i=1 cannot be generated and plaintext W cannot be recovered.

2) KNOWN BACKGROUND KNOWLEDGE MODEL
Under this stronger threat model, the server obtains additional statistical information. Assuming I = U V T , the server S 1 obtains the plaintext I ·I T by decrypting [I]·[I] T , and obtains U and through singular value decomposition: Although S 1 can determine whether I has occurred through decryption, S 1 only has U and , which cannot recover the original I without the help of additional information. This is because the possible value of the unitary matrix V is close to infinity. Similarly, the server S 3 cannot recover the original matrix I . In addition, this scheme allows the random positive integer c, y chosen to encrypt each plaintext to be different to ensure the server S 2 is unable to determine the correlation between plaintext and ciphertext. That is, encrypting the same plaintext may generate different ciphertexts. For the ciphertext of watermark images, S 2 cannot infer plaintext content from the ciphertext data by statistical means. This is mainly because the scheme adopts a mechanism that binds the logistic mapping key and the watermark image. SHA256 hash technology is used to generate a logistic mapping key for each image, which makes the plaintext independent of the ciphertext of the watermark image. Therefore, the watermark image encryption mechanism in this study can resist knownciphertext and chosen-plaintext attack.

V. EXPERIMENTAL RESULTS AND DISCUSSIONS
In this study, color images of size 512 × 512 are used as host images, such as Lena and Airplane. We used the Fuzhou University gray logo of size 256 × 256 as a watermark image. The B channel of the host image is chosen to perform the ciphertext watermark embedding operation because the B channel has little effect on the color image. The R and G channels are encrypted and stored in the edge server. The experimental parameters are set as follows: Q = 10 3 , β = 10, t = 2 21 .
In Fig.6, (a) is the host image and (d) is the watermark image. Fig.6(b)-(c) and (e)-(g) show sample images of the running results of the proposed framework at each stage. To facilitate the effect display, the display method shown in Fig.6(b) molds the ciphertext data of the encrypted Lena image with 256 to ensure that the data can be mapped to the range [0, 255] for display. Fig.6(e) is the ciphertext of the watermark image after logistic chaos mapping, where the initial key is X (0) = 0.5, u = 3.9654. Fig.6(c) is the watermarked host diagram obtained by decrypting the encrypted host image after embedding the encrypted watermark in Fig.6(e) with the embedding factor α = 0.01. Fig.6(g) is the watermark image obtained by decrypting the ciphertext watermark. From the experimental results, the encryption method used in this study does not possess the risk of visual information leakage. Fig.7(a)-(d) are the histograms corresponding to the B channel of the original host, watermark, encrypted watermark, and embedded watermark images, respectively. The horizontal axis represents the value of the B channel in the image, and the vertical axis represents the number of pixels. In general, both the image and the distribution of the number of pixels changes. Fig.7(a) and (d) show that the embedded watermark has an insignificant influence on the host image, indicating that the watermark embedding scheme in this study is imperceptible. As shown in Fig.7(c), the watermark image presents an approximately uniform distribution after logical scrambling encryption, and the specific content of the encrypted image cannot be analyzed using histogram statistics, meaning that it can resist a histogram statistics attack.

A. CONTRAST EXPERIMENT OF ENCRYPTION PERFORMANCE
Paillier and RSA have a superior effect on watermarking in the encryption domain. To reflect the advantages of the scheme in this paper, the Paillier algorithm commonly employed in the DWT and RSA algorithms used by Liu et al. [39] are compared in terms of time cost of encryption, decryption, and ciphertext expansion. To ensure the security of the encryption algorithm in this study, to fulfil the requirement of key bit length in Section IV-A is fulfilled, we set |F| = γ 3 = 1024 to meet the requirement of [45] for symmetric encryption security key length. The RSA encryption algorithm requires a random selection of prime numbers p and q to compute n = pq. For comparison purposes, n is assumed to be 1024-bit, and the two prime numbers p and q are 512-bit. The same is performed for n, p, and q in Paillier's encryption system. The key F in the proposed scheme is set to 1024-bit.
The experimental data are listed in Table 1. The image size is 256 × 256. It can be observed that the algorithm in this study has shorter encryption and decryption times compared to the other two schemes. Compared with that of Liu et al. [39], the decryption time of the algorithm in this study is decreased by approximately 259.57 s. However, Paillier presents longer encryption and decryption times, which VOLUME 10, 2022 are proportional to the amount of encrypted/decrypted data. As shown in Fig.8, the Paillier cryptosystem used in [35] increases with an increase in the encrypted/decrypted data. In the proposed scheme, the encryption/decryption times do not increase with an increase in the amount of information data, and the growth is close to 0. For a 256 × 256 image, the encryption/decryption time in the proposed framework is approximately 0.0139 s/0.0355 s, respectively. However, Paillier encryption takes more than 4.505 s when the number of encryptions is 500 pixels, and the decryption time is close to 11.284 s. Given the same 8-bit data to be encrypted, it can be observed from Table 1 that the data extension caused by the proposed scheme is significantly smaller than the Paillier cryptosystem and slightly worse than the RSA algorithm. This is, for the most part, because a random positive integer, y, in the encryption of (5) is introduced. Meanwhile, RSA cannot support HDWT calculations in the encrypted domain. As a result, the proposed scheme has an excellent time consumption performance for encryption and decryption and achieves secure HDWT operation with low data extension.

B. LOSS OF WATERMARKED IMAGE IN PLAINTEXT AND ENCRYPTION DOMAIN
The peak signal-to-noise ratio (PSNR) is commonly used to measure the peak error between the original image and the image embedded with additional information. In this study, the PSNR value of the Y channel is calculated after converting the RGB image into a YUV image, which is general practice for calculating the PSNR of the RGB image.
(13) represents the PSNR formula, where MSE is the mean square error Z ij is the value of channel Y derived from the original RGB host image, andZ ij is the value of channel Y derived from decrypted and watermarked RGB image. PSNR is measured in dB. The larger the PSNR value, the smaller the distortion, and the better the image quality.  Table 2 uses a different embedding factor, α, to embed watermarks in six color images of 512 × 512 sizes, such as Lena in Fig.9. The watermark image to be embedded is shown in Fig.6(d) with a size of 256 × 256. The PSNR value between the watermarked image and the original image is shown in Table 2. When α is 0.01, 0.05, 0.15, and 0.25, the corresponding average PSNR is 52, 49, 38, and 32 dB, respectively. When the scaling factor α is 0.01, only the PSNR of the Airplane in the six images is below 50 dB. Overall, the PSNR is generally stable.
The PSNR value of each host image gradually decreases with an increase in α. The PSNR value of the color image Splash reaches the maximum value among the six images when α is 0.01. When α increases to 0.25, the PSNR becomes the lowest among all images. The main reason for this is that the Splash image is mostly smooth, and the watermark embeds the low-frequency region of the DWT. According to the principle that human vision is more sensitive to low-frequency than high-frequency information, the low-frequency information distortion of the host image is minimized, and the PSNR of the image is relatively high when α is small. However, when α is amplified, the lowfrequency region of the image changes significantly, resulting in visual differences and a significant decrease in the PSNR. To demonstrate that the proposed privacy-preserving watermarking scheme can maintain a PSNR value similar to that of the same scheme in plaintext and has little influence on the decrypted watermarked image, the PSNR values of the six color images in Fig.9 are compared under different values of α.
As shown in Fig.10, an increase of the watermark scaling factor α affects the PSNR value of the host image to varying degrees. However, the PSNR value of the image embedded by the proposed privacy-preserving watermark embedding scheme is similar to the plaintext PSNR value of the same embedding method, with a maximum difference of approximately 1 dB. Therefore, the proposed scheme has an insignificant influence on plaintext data. Fig.10 also shows that the higher the value of α, the smaller the PSNR. This denotes  that the imperceptibility of the watermark is weakened, and the robustness of the watermark is improved simultaneously. The user can control the balance between robustness and imperceptibility by selecting the appropriate α according to the needs of a specific practical application.

C. IMAGE ATTACK EXPERIMENT
In this study, Lena and Splash are used to test the performance of the scheme-based watermark embedding method under different image attacks; Lena has abundant details, while Splash does not. The scaling factor α is 0.01. As shown in Fig.11, the image quality is clearly affected by an increase in α. The scaling factor of 0.01 indicates high imperceptibility and thus is suitable for practical applications. High levels of imperceptibility is helpful in evaluating the ability of the scheme to resist attack. Various common attacks are employed: Mean filtering, Median filtering, Gaussian noise, Salt & Pepper noise, Rotation, Crop, Mean Blur, Gaussian  Blur is (3,3). The JPEG Compression attack employed different compression ratio with 0.6 and 0.7. In general, normalized cross-correlation (NCC) can intuitively evaluate the quality of extracted data, and can be used to measure the similarity between the original watermark and the watermark extracted from the image. This calculation is given in (15).
where W (x, h) is the original watermark, andW (x, h) is the extracted watermark. Additionally, W (x, h) andW (x, h) are normalized into the range of {−1, 1}. The NCC value ranges from 0 to 1; the larger the value, the better the performance of the watermarking scheme. Table 3 shows the NCC value of the extracted watermark from the host image after different attacks. Table 3 shows that decrypted images of the privacypreserving watermarking scheme proposed in this study can more effectively resist a median filtering attack after image decryption than a rotation attack (except in cases of 90 • and 180 • rotation as there is no information loss), and its NCC  value after being subjected to a median filtering attack can be maintained at approximately 0.65. Fig.12 further verifies that the proposed scheme can effectively resist a median filtering attack, and the extracted watermark image remains visible. In other attacks, the extracted watermark can also display a rough image and determine ownership disputes. We use three images (Lena, Airplane, Splash) to test the robustness, and average the NCC values of watermarks extracted from host images after different attacks and compare NCC with the other two schemes. Table 4 shows the robustness comparisons of the proposed watermarking scheme with the schemes of [46] and [47] with embedding intensity of 0.01; the NCC is used for comparison. Our proposed scheme is more robust than other two schemes in Median filtering, Rotation (90 • ), Salt & Peeper noise and Crop (100,100). In [47], the watermark was embedded into the low-frequency sub-band of the host image after DWT. Additionally, [46] hides the watermark in the middle frequency band of the host image. In the proposed algorithm, the sub-band was further decomposed by SVD and watermark was embedded into the singular value of the sub-bands. As singular value has the property of geometric invariance, the low frequency sub-bands of DWT are not sensitive to various noises. This indicates that the proposed algorithm performs better when subjected to various types of attacks.

VI. CONCLUSION
In this paper, a Haar discrete wavelet transform scheme in the encryption domain was initially proposed. A watermark embedding framework based on edge computing for privacy protection was subsequently proposed, which successfully implements the watermark embedding process of privacy preservation in an insecure outsourcing environment, to achieve an embedding effect similar to that of plaintext domain. Compared with the Paillier cryptosystem commonly used in DWT in the encryption domain, the proposed scheme presents a significant improvement in encryption and decryption rates. Compared with Paillier, the data extension is reduced by about 50% in the ciphertext, which makes it feasible for practical applications. WANXI YAN is currently pursuing the master's degree with the School of Mathematics and Statistics, Fuzhou University, Fuzhou, China. Her current research interest includes privacy-preserving image retrieval.