Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

LDP-Slicing: Local Differential Privacy for Images via Randomized Bit-Plane Slicing

Yuanming Cao, Chengqi Li, Wenbo He

TL;DR

This paper introduces LDP-Slicing, a lightweight, training-free framework that resolves domain mismatch in Local Differential Privacy by decomposing pixel values into a sequence of binary bit-planes and applying the LDP mechanism directly to the bit-level representation.

Abstract

Local Differential Privacy (LDP) is the gold standard trust model for privacy-preserving machine learning by guaranteeing privacy at the data source. However, its application to image data has long been considered impractical due to the high dimensionality of pixel space. Canonical LDP mechanisms are designed for low-dimensional data, resulting in severe utility degradation when applied to high-dimensional pixel spaces. This paper demonstrates that this utility loss is not inherent to LDP, but from its application to an inappropriate data representation. We introduce LDP-Slicing, a lightweight, training-free framework that resolves this domain mismatch. Our key insight is to decompose pixel values into a sequence of binary bit-planes. This transformation allows us to apply the LDP mechanism directly to the bit-level representation. To further strengthen privacy and preserve utility, we integrate a perceptual obfuscation module that mitigates human-perceivable leakage and an optimization-based privacy budget allocation strategy. This pipeline satisfies rigorous pixel-level $\varepsilon$-LDP while producing images that retain high utility for downstream tasks. Extensive experiments on face recognition and image classification demonstrate that LDP-Slicing outperforms existing DP/LDP baselines under comparable privacy budgets, with negligible computational overhead.

LDP-Slicing: Local Differential Privacy for Images via Randomized Bit-Plane Slicing

TL;DR

This paper introduces LDP-Slicing, a lightweight, training-free framework that resolves domain mismatch in Local Differential Privacy by decomposing pixel values into a sequence of binary bit-planes and applying the LDP mechanism directly to the bit-level representation.

Abstract

Local Differential Privacy (LDP) is the gold standard trust model for privacy-preserving machine learning by guaranteeing privacy at the data source. However, its application to image data has long been considered impractical due to the high dimensionality of pixel space. Canonical LDP mechanisms are designed for low-dimensional data, resulting in severe utility degradation when applied to high-dimensional pixel spaces. This paper demonstrates that this utility loss is not inherent to LDP, but from its application to an inappropriate data representation. We introduce LDP-Slicing, a lightweight, training-free framework that resolves this domain mismatch. Our key insight is to decompose pixel values into a sequence of binary bit-planes. This transformation allows us to apply the LDP mechanism directly to the bit-level representation. To further strengthen privacy and preserve utility, we integrate a perceptual obfuscation module that mitigates human-perceivable leakage and an optimization-based privacy budget allocation strategy. This pipeline satisfies rigorous pixel-level -LDP while producing images that retain high utility for downstream tasks. Extensive experiments on face recognition and image classification demonstrate that LDP-Slicing outperforms existing DP/LDP baselines under comparable privacy budgets, with negligible computational overhead.
Paper Structure (31 sections, 4 theorems, 43 equations, 11 figures, 7 tables)

This paper contains 31 sections, 4 theorems, 43 equations, 11 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related work
  3. Image obfuscation
  4. Differential Privacy for images
  5. Preliminaries
  6. Threat model
  7. Local Differential Privacy
  8. Methodology
  9. Perceptual obfuscation via wavelet pruning
  10. Pixel-level LDP via bit-plane randomization
  11. Utility-aware privacy budget optimization
  12. Privacy analysis
  13. Experiments
  14. Privatized image in downstream tasks
  15. Robustness against privacy attack
  16. ...and 16 more sections

Key Result

Theorem 1

Let $\mathcal{M}_1,\mathcal{M}_2$ be randomized algorithms that are $\varepsilon_1$- and $\varepsilon_2$‑LDP, respectively. Then their release $\mathcal{M}_{1,2}(x)\!=\!(\mathcal{M}_1(x),\mathcal{M}_2(x))$ is $(\varepsilon_1+\varepsilon_2)$‑LDP.

Figures (11)

  • Figure 1: The LDP-Slicing framework. Our method consists of two primary stages: (1) Perceptual obfuscation: the input image is transformed into the frequency domain via DWT, where the low-frequency (LL) band is pruned to remove human-perceptible information. (2) Bit-plane randomization: The obfuscated image is decomposed into binary bit-planes. A utility-aware randomized response mechanism is applied to each bit and enforces a strict $\varepsilon$-Local Differential Privacy guarantee before the final image is reconstructed.
  • Figure 2: Bit-plane slicing reveals the non-uniform distribution of structural information. An 8-bit image (left) is decomposed into its planes (right), from LSB (top-left) to MSB (bottom-right). This visualization shows that coarse structural information is concentrated in the high-order MSB planes, while low-order LSB planes consist primarily of noise-like texture. This motivates our non-uniform, utility-aware budget optimization strategy.
  • Figure 3: Visual justification for channel-aware allocation and perceptual obfuscation. This figure shows an original image (a) and its YCbCr components before and after LL-pruning. It validates two key decisions: (1) Channel Importance: The luma (Y) channel (b) contains the most structural information compared to the chroma channels (c,d). (2) Post-Pruning Signal: After LL-pruning (e), the resulting image (e) is perceptually obfuscated for human viewers. The Y-channel's MSB (f) still retains significant high-frequency detail for machine learning, unlike the less informative chroma MSBs (g,h).
  • Figure 4: Visual comparison between LL pruning (Bottom) versus without pruning (Top).(a)$\varepsilon_\text{total}=1$. (b)$\varepsilon_\text{total}=2.4$. (c)$\varepsilon_\text{total}=5.2$. (d)$\varepsilon_\text{total}=12$. (e)$\varepsilon_\text{total}=20$. (f)$\varepsilon_\text{total}=32$. (g)$\varepsilon_\text{total}=58$.
  • Figure 5: Resilience to a white-box reconstruction attack. The adversary has full knowledge of our pipeline and trains a specialized two-stage inversion model. From top to bottom $\varepsilon_{total}=5.2$, $\varepsilon_{total}=20$, $\varepsilon_{total}=58$(a) The original images. (b) original images after LL removed. (c) LDP-Slicing privatized images. (d) LL recovered images. (e) Final recovered images.
  • ...and 6 more figures

Theorems & Definitions (11)

  • Definition 1: Identity distinguishing attack
  • Definition 2: $\varepsilon$-Local Differential Privacy kasiviswanathan2010learnprivately
  • Definition 3: Randomized response randomrespnse
  • Theorem 1: Sequential composition DworkMNS06
  • Theorem 2: Closedness to postprocessingDworkMNS07
  • Theorem 3: LDP-Slicing satisfies pixel-level $\varepsilon_{\text{total}}$–LDP
  • proof : Proof sketch
  • Corollary 4: Total Variation bound under $\varepsilon$‑LDP
  • Definition 4: Reconstruction attack carlini2021
  • proof
  • ...and 1 more