A remote image feature extraction and retrieval method based on sgx

By using SGX and a secret sharing scheme in a trusted execution environment on a cloud server, the problems of high computational power requirements and insufficient access control in encrypted image retrieval are solved, achieving efficient image feature extraction and retrieval.

CN115935426BActive Publication Date: 2026-06-30NORTHEASTERN UNIV CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
NORTHEASTERN UNIV CHINA
Filing Date
2022-12-29
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing encrypted image retrieval schemes require data owners to extract image features and build indexes, which requires high computing power, cannot be implemented on resource-constrained devices, and cannot provide precise access control for third-party users.

Method used

By using trusted hardware SGX to transfer the data owner's computational operations to the trusted execution environment of the cloud server, and combining secret sharing and access control lists, access control for third-party users can be achieved.

Benefits of technology

It effectively reduces the computational and storage requirements for data owners, enables precise access control for third-party users, and provides an efficient encrypted image retrieval system.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115935426B_ABST
    Figure CN115935426B_ABST
Patent Text Reader

Abstract

This invention provides a remote image feature extraction and retrieval method based on SGX, relating to the field of encrypted image retrieval technology. This method utilizes trusted hardware SGX to offload computational operations such as image feature extraction and index construction to a trusted execution environment (enclave) on a cloud server. Within this trusted execution environment, a secret sharing scheme is used for key distribution, and access control lists are implemented to control access for third-party users. Compared to traditional encrypted image retrieval schemes, this invention effectively reduces the computational power requirements for data owners and enables precise access control for third-party users during the retrieval process.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of encrypted image retrieval technology, and in particular to a remote image feature extraction and retrieval method based on SGX. Background Technology

[0002] With the advent of the big data era, cloud services have rapidly developed and achieved tremendous success due to their convenience, flexibility, and low cost. More and more companies and individuals are choosing to store data on cloud servers, making users reliant on these servers for complete trust. However, the assumption that cloud servers are completely trustworthy is insecure, as the cloud is susceptible to failure, intrusion, or attacks at any time. Therefore, cloud-based systems employ cryptographic methods to encrypt data during transmission, processing, and storage. Consequently, cloud data encryption raises the crucial question of how to effectively utilize encrypted data while remaining unaffected by its encryption.

[0003] Searchable encryption requires cloud servers to execute user queries on encrypted data without disclosing user privacy during the query process. There are two types of searchable encryption: symmetric searchable encryption and asymmetric searchable encryption. The difference lies in the key difference: symmetric searchable encryption uses a symmetric key, while asymmetric searchable encryption uses an asymmetric key. Therefore, symmetric searchable encryption has advantages over asymmetric searchable encryption, such as lower computational overhead, simpler algorithms, and faster speed.

[0004] Trusted hardware execution environments (THE) protect computations and operations involving privacy data through hardware isolation. Without compromising the hardware, attackers cannot directly read privacy data and system keys, thus ensuring data confidentiality. Simultaneously, attackers cannot modify the hardware logic or hardware layer, ensuring the system is not maliciously tampered with during operation. Compared to privacy protection schemes implemented purely in software, solutions combining THE typically offer better performance and scalability.

[0005] In the context of today's big data era, research on encrypted image retrieval has become increasingly important. However, current encrypted image retrieval solutions still require data owners to perform tasks such as image feature extraction and index construction, placing certain computational demands on them. Therefore, they cannot be implemented on resource-constrained devices and lack precise access control for third-party users. By leveraging trusted execution environments provided by trusted hardware on cloud servers, not only can the computational operations of data owners be offloaded to the cloud server, reducing the computational demands on data owners, but also precise access control for third-party users can be achieved within the trusted execution environment by combining secret sharing and access control lists. Summary of the Invention

[0006] The technical problem to be solved by the present invention is to provide a remote image feature extraction and retrieval method based on SGX, which addresses the shortcomings of the prior art.

[0007] To solve the above-mentioned technical problems, the technical solution adopted by the present invention is as follows:

[0008] By using trusted hardware (SGX), the computational operations of the data owner are transferred to the trusted execution environment of the cloud server, and access control for third-party users is achieved by combining secret sharing and access control lists in the trusted execution environment of the cloud server.

[0009] The method provided by this invention includes three entities: the data owner, the data user, and the cloud server provider.

[0010] The data owner encrypts the image data using a symmetric key before outsourcing it to the cloud server; multiple data users can query the data and obtain valuable information; the cloud server provides ample storage and computing resources, a trusted execution environment, and responds to user requests. Furthermore, a secret sharing scheme is initialized among the three entities during system initialization.

[0011] The specific method of this invention comprises four parts: system initialization, data upload, user query, and policy update.

[0012] Step 1: System Initialization

[0013] Step 1.1 The data owner selects a symmetric key S for encrypting the image, and then selects the security parameter λ and the number of data users n, i.e., the number of users in the system at the time of initialization.

[0014] Step 1.2 initializes the secret sharing scheme, the purpose of which is to distribute the symmetric key S of the encrypted image data as a secret to the user and the trusted execution environment; specifically, two secret sharings are performed to ensure that the symmetric key S cannot be recovered by combining the secret shares of the user with the secret shares held by the trusted execution environment.

[0015] Step 1.2.1 Perform the first secret sharing by distributing the symmetric key S into sk. a and SK b ,sk a with sk b For the secret share to be distributed, where sk a Stored in a trusted execution environment, sk b It will be redistributed;

[0016] Step 1.2.2 Perform a second secret sharing, and share sk bDistributed as {sku0, sku1, ..., sku} n ,sku n+1}, sku0 to sku n+1 All are secret shares, of which SKU0 is stored in a trusted execution environment, SKU1 is held by the data owner, and SKU2 through SKU... n+1 Each is held by n data users;

[0017] Step 1.3 The data owner defines the access control policy pol, specifying the query permissions for each user. The access control policy pol is based on {(uid,cids)}. j The data is stored in the form of |j=1,…n}, where uid represents the user ID and cids is the set of image IDs authorized to that user;

[0018] Step 1.4: Two pairs of public and private keys {pk} will be generated in the trusted execution environment of the cloud server. msg ,sk msg} and {pk sign ,sk sign}, one pair is used for communication with data users, and another pair is used for returning the results of signature queries, where pk msg , pk sign public;

[0019] Step 1.5 The data owner and the trusted execution environment agree on a symmetric key sk comm sk is encrypted using this symmetric key. a The SKU0 and access control policy PO are sent to the trusted execution environment;

[0020] Step 2: Data Upload

[0021] Step 2.1 When the data owner intends to upload new image data, the data owner constructs a corresponding request token, which contains {id, ct} pic ,pol′,sku1}, where id is the image ID, ct pic The image is encrypted; sku1 represents the secret share held by the owner; pol' represents the newly specified access control policy; the data owner uses sk... comm Send the encrypted token to the cloud server;

[0022] Step 2.2 After receiving the request, the trusted execution environment decrypts the token to obtain {id, ct} pic ,pol′,sku1};

[0023] Step 2.2.1 Execute the secret reconstruction algorithm in the trusted execution environment to recover the symmetric key S, and use it to decrypt the ciphertext image ct. pic Obtain plaintext image ct pic ;

[0024] Step 2.2.2: Process the plaintext image pt using a convolutional neural network. pic , and obtain its corresponding feature vector Feature_Vector;

[0025] Step 2.2.3 Use Locality Sensitive Hashing to process the image's Feature_Vector and obtain its corresponding hash bucket number (Bucket_ID);

[0026] Step 2.2.4 Update the access policy for data users using pol', which will trigger the access control policy update protocol;

[0027] Step 2.3 Update the encrypted image set and the corresponding encrypted index set stored on the cloud server;

[0028] Step 3 User Inquiry

[0029] Step 3.1 When a data user makes a query, a query token is first constructed. The token contains {sku} i ,pt pic ,c}, where sku i For the secret share of data users, pt pic Here, is the plaintext image to be queried, and 'c' is the freshness factor generated based on the query time; data users use 'pk'. msg The encryption token is sent to the cloud server;

[0030] Step 3.2 After receiving the request, the trusted execution environment decrypts it to obtain {sku} i ,pt pic ,c}, compare the freshness factor in the token with the freshness factor stored in the trusted execution environment to determine whether the request is legitimate;

[0031] Step 3.2.1 Process the image pt using a convolutional neural network. pic , and obtain its corresponding feature vector Feature_Vector;

[0032] Step 3.2.2 Use Locality Sensitive Hashing to process the image's Feature_Vector and obtain its corresponding hash bucket number (Bucket_ID);

[0033] Step 3.2.3 Obtain the query feature vector set Index_Set1 within the hash bucket corresponding to Bucket_ID;

[0034] Step 3.2.4 After filtering out the data that is not authorized to be accessed in Index_Set1 using the access control policy pol, obtain the feature vector index set Index_Set2;

[0035] Step 3.2.5 Calculate the Euclidean distance between feature vectors and filter out features with a distance greater than the threshold ∝, and obtain the feature vector index set Index_Set3;

[0036] Step 3.2.6 Obtain the corresponding encrypted image set ct based on the index set Index_Set3. pic ;

[0037] Step 3.2.7 Execute the secret reconstruction algorithm to recover the symmetric key S, and use it to decrypt the ciphertext image ct. pic Obtain plaintext image pt pic ;

[0038] Step 3.2.8 Generate a symmetric key sk based on the queried user's identity. respond Use this key to re-encrypt the plaintext image set pt pic Obtain the encrypted image set ct pic ;

[0039] Step 3.2.9 Sign the query result and paste the signature (Sign) and result (ct). pic Return them to the user together;

[0040] Step 3.3 After receiving the returned data, the user can verify whether the result has been tampered with by signing the signature. If the verification is successful, the encrypted image ct can be decrypted. pic Get plaintext results (pt) pic ;

[0041] Step 4: Strategy Update

[0042] There are three types of policy updates: updating access control policies (pol), adding users, and deleting users.

[0043] Step 4.1 Update the access control policy.

[0044] Step 4.1.1 The data owner formulates a new access control policy (pol) and sends it to the cloud server in encryption;

[0045] Step 4.1.2 Decrypt the Trusted Execution Environment to obtain the new access control policy pol and use it to overwrite the original access control policy pol;

[0046] Step 4.2 Add User

[0047] Step 4.2.1 New users select their own secret share S n+2 ,calculate And send R n+2 To the data owner;

[0048] Step 4.2.2 The data owner selects an ID for the new user. n+2and calculate

[0049] Step 4.2.3 The data owner will (R n+2 ID n+2 ) will be published and Add to MSG;

[0050] Step 4.3 Delete user

[0051] Step 4.3.1 Delete user P i The corresponding (R) i ID i ) and MSG

[0052] The beneficial effects of adopting the above technical solution are as follows: The remote image feature extraction and retrieval method based on SGX provided by this invention uses trusted hardware to transfer client operations to a cloud server, and employs methods such as secret sharing and access control lists in the trusted execution environment of the cloud server. This effectively reduces the requirements for the computing and storage capabilities of data owners in traditional solutions, and also allows for precise access control for third-party users. Furthermore, it provides a corresponding encrypted image retrieval system application, through which users can accurately and efficiently retrieve encrypted images. Attached Figure Description

[0053] Figure 1 This is a schematic diagram of the solution architecture provided in this embodiment of the present invention;

[0054] Figure 2 This is an architecture diagram of the secret sharing scheme provided in this embodiment of the present invention;

[0055] Figure 3 This is a flowchart of the data upload process provided in this embodiment of the present invention;

[0056] Figure 4 This is a user query flowchart provided in this embodiment of the present invention;

[0057] Figure 5 This is an example of the feature extraction and index calculation results provided in this embodiment of the present invention;

[0058] Figure 6 This is an example of some of the search results provided in this embodiment of the present invention;

[0059] Figure 7 This is a flowchart illustrating the strategy update process provided in this embodiment of the present invention. Detailed Implementation

[0060] The specific embodiments of the present invention will be described in further detail below with reference to the accompanying drawings and examples. The following examples are for illustrative purposes only and are not intended to limit the scope of the invention.

[0061] This invention provides a scheme for remote image feature extraction and retrieval based on SGX, such as... Figure 1 As shown, it includes three entities: the data owner, the data user, and the cloud server provider.

[0062] This method specifically includes four parts: system initialization, data upload, user query, and policy update.

[0063] Step 1: System Initialization

[0064] Step 1.1 The data owner selects a symmetric key S for encrypting the image, and then selects the security parameter λ and the number of data users n, i.e., the number of users in the system at the time of initialization.

[0065] Step 1.2 initializes the secret sharing scheme, the purpose of which is to distribute the symmetric key S for encrypting the image data as a secret to users and the trusted execution environment; the specific scheme architecture is as follows: Figure 2 As shown, the scheme involves two secret sharing operations to ensure that the symmetric key S cannot be recovered by combining the secret shares of users with those of users. The symmetric key S can only be recovered when the secret shares of users are combined with the secret shares held by the trusted execution environment.

[0066] Step 1.2.1 Perform the first secret sharing by distributing the symmetric key S into sk. a and SK b ,sk a with sk b For the secret share to be distributed, where sk a Stored in a trusted execution environment, sk b It will be redistributed;

[0067] Step 1.2.2 Perform a second secret sharing, and share sk b Distributed as {sku0, sku1, ..., sku} n ,sku n+1}, sku0 to sku n+1 All are secret shares, of which SKU0 is stored in a trusted execution environment, SKU1 is held by the data owner, and SKU2 through SKU... n+1 Each is held by n data users;

[0068] Step 1.3 The data owner defines the access control policy pol, specifying the query permissions for each user. The access control policy pol is based on {(uid,cids)}. jThe data is stored in the form of |j=1,…n}, where uid represents the user ID and cids is the set of image IDs authorized to that user;

[0069] Step 1.4: Two pairs of public and private keys {pk} will be generated in the trusted execution environment of the cloud server. msg ,sk msg} and {pk sign ,sk sign}, one pair is used for communication with data users, and another pair is used for returning the results of signature queries, where pk msg , pk sign public;

[0070] Step 1.5 The data owner and the trusted execution environment agree on a symmetric key sk comm sk is encrypted using this symmetric key. a The SKU0 and access control policy PO are sent to the trusted execution environment;

[0071] Step 2: Data upload, the process is as follows: Figure 3 As shown;

[0072] Step 2.1 When the data owner intends to upload new image data, the data owner constructs a corresponding request token, which contains {id, ct} pic ,pol′,sku1}, where id is the image ID, ct pic The image is encrypted; sku1 represents the secret share held by the owner; pol' represents the newly specified access control policy; the data owner uses sk... comm Send the encrypted token to the cloud server;

[0073] Step 2.2 After receiving the request, the trusted execution environment decrypts the token to obtain {id, ct} pic ,pol′,sku1};

[0074] Step 2.2.1 Execute the secret reconstruction algorithm in the trusted execution environment to recover the symmetric key S, and use it to decrypt the ciphertext image ct. pic Obtain plaintext image pt pic ;

[0075] Step 2.2.2: Process plaintext images (pt) using the VGG convolutional neural network. pic , and obtain its corresponding 1024-dimensional feature vector Feature_Vector;

[0076] Step 2.2.3 uses 10 locality-sensitive hashing functions to process the image's feature vector. Each hash function outputs a binary value, and all the values ​​are concatenated to form its corresponding hash bucket number, Bucket_ID.

[0077] Step 2.2.4 Update the access policy for data users using pol', which will trigger the access control policy update protocol;

[0078] Step 2.3 Update the encrypted image set and the corresponding encrypted index set stored on the cloud server;

[0079] Step 3: User query, the process is as follows Figure 4 As shown;

[0080] Step 3.1 Construct a query token;

[0081] Step 3.2 After receiving the request, the trusted execution environment decrypts it to obtain {sku} i ,pt pic The freshness factor in the token is compared with the freshness factor stored in the trusted execution environment to determine whether the request is valid. Figure 5 ;

[0082] Step 3.2.1 Extract image feature vectors;

[0083] Step 3.2.2 Calculate the hash bucket number corresponding to the image;

[0084] Step 3.2.3 Obtain the query feature vector set Index_Set1 within the hash bucket corresponding to Bucket_ID;

[0085] Step 3.2.4 After filtering out the data that is not authorized to be accessed in Index_Set1 using the access control policy pol, obtain the feature vector index set Index_Set2;

[0086] Step 3.2.5 Calculate the Euclidean distance between feature vectors and filter out features with a distance greater than the threshold ∝ = 5, and obtain the feature vector index set Index_Set3;

[0087] Step 3.2.6 Obtain the corresponding encrypted image set ct based on the index set Index_Set3. pic Some search results are as follows: Figure 6 As shown;

[0088] Step 3.2.7 Execute the secret reconstruction algorithm to recover the symmetric key S, and use it to decrypt the ciphertext image ct. pic Obtain plaintext image pt pic ;

[0089] Step 3.2.8 Re-encrypt;

[0090] Step 3.2.9 Sign the query result and paste the signature (Sign) and result (ct). pic Return them to the user together;

[0091] Step 3.3 After receiving the returned data, the user can verify whether the result has been tampered with by signing the signature. If the verification is successful, the encrypted image ct can be decrypted. pic Get plaintext results (pt) pic ;

[0092] Step 4: Strategy update, the process is as follows: Figure 7 As shown.

[0093] There are three types of policy updates: updating access control policies (pol), adding users, and deleting users.

[0094] Step 4.1 Update the access control policy.

[0095] Step 4.1.1 The data owner formulates a new access control policy (pol) and sends it to the cloud server in encryption;

[0096] Step 4.1.2 Decrypt the Trusted Execution Environment to obtain the new access control policy pol and use it to overwrite the original access control policy pol;

[0097] Step 4.2 Add User

[0098] Step 4.2.1 New users select their own secret share S n+2 ,calculate And send R n+2 To the data owner;

[0099] Step 4.2.2 The data owner selects an ID for the new user. n+2 and calculate

[0100] Step 4.2.3 The data owner will (R n+2 ID n+2 ) will be published and Add to MSG;

[0101] Step 4.3 Delete user

[0102] Step 4.3.1 Delete user P i The corresponding (R) i ID i ) and MSG

[0103] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope defined by the claims of the present invention.

Claims

1. A method for remote image feature extraction and retrieval based on SGX, characterized in that, Includes the following steps: Step 1: System Initialization Step 1.1 The data owner selects a symmetric key S for encrypting the image, and then selects the security parameter λ and the number of data users n, i.e., the number of users in the system at the time of initialization. Step 1.2 Implement key distribution; Step 1.3 The data owner defines the access control policy pol, specifying the query permissions for each user. The access control policy pol is based on {(uid, cids)}. j The data is stored in the form of |j = 1, ..., n}, where uid represents the user ID and cids is the set of image IDs authorized to that user; Step 1.4: Two pairs of public and private keys {pk} will be generated in the trusted execution environment of the cloud server. msg ,sk msg } and {pk sign ,sk sign }, one pair is used for communication with data users, and another pair is used for returning the results of signature queries, where pk msg , pk sign public; Step 1.5 The data owner and the trusted execution environment agree on a symmetric key sk comm sk is encrypted using this symmetric key. a The SKU0 and access control policy PO are sent to the trusted execution environment; Step 2: Data Upload Step 2.1 When the data owner intends to upload new image data, the data owner constructs a corresponding request token, which contains {id, ct} pic ,poi′,sku1}, where id is the image number, ct pic The image is encrypted, sku1 is the secret share held by the owner, and poi′ is the newly specified access control policy; the data owner uses sk comm Send the encrypted token to the cloud server; Step 2.2 After receiving the request, the trusted execution environment decrypts the token to obtain {id, ct} pic ,pol′,sku1}; Step 2.2.1 Execute the secret reconstruction algorithm in the trusted execution environment to recover the symmetric key S, and use it to decrypt the ciphertext image ct. pic Obtain plaintext image pt pic ; Step 2.2.2 Extract image feature vectors; Step 2.2.3 Calculate the hash bucket number corresponding to the image; Step 2.2.4 Update the access policy for data users using pol', which will trigger the access control policy update protocol; Step 2.3 Update the encrypted image set and the corresponding encrypted index set stored on the cloud server; Step 3 User Inquiry Step 3.1 Construct a query token; Step 3.2 After receiving the request, the trusted execution environment decrypts it to obtain {sku} i pt pic ,c}; Step 3.2.1 Extract image feature vectors; Step 3.2.2 Calculate the hash bucket number corresponding to the image; Step 3.2.3 Obtain the query feature vector set Index_Set1 within the hash bucket corresponding to Bucket_ID; Step 3.2.4 After filtering out the data that is not authorized to be accessed in Index_Set1 using the access control policy pol, obtain the feature vector index set Index_Set2; Step 3.2.5 Calculate the Euclidean distance between feature vectors and filter out features with a distance greater than the threshold ∝, and obtain the feature vector index set Index_Set3; Step 3.2.6 Obtain the corresponding encrypted image set ct based on the index set Index_Set3. pic ; Step 3.2.7 Execute the secret reconstruction algorithm to recover the symmetric key S, and use it to decrypt the ciphertext image ct. pic Obtain plaintext image pt pic ; Step 3.2.8 Re-encrypt; Step 3.2.9 Sign the query result and paste the signature (Sign) and result (ct). pic Return them to the user together; Step 3.3 After receiving the returned data, the user can verify whether the result has been tampered with by signing the signature. If the verification is successful, the encrypted image ct can be decrypted. pic Get plaintext results (pt) pic ; Step 4: Strategy Update There are three types of policy updates: updating access control policies (pol), adding users, and deleting users. Step 4.1 Update the access control policy. Step 4.1.1 The data owner formulates a new access control policy (pol) and sends it to the cloud server in encryption; Step 4.1.2 Decrypt the Trusted Execution Environment to obtain the new access control policy pol and use it to overwrite the original access control policy pol; Step 4.2 Add a user; Step 4.3 Delete the user.

2. The method for remote image feature extraction and retrieval based on SGX according to claim 1, characterized in that, The method involves three entities: the data owner, the data user, and the cloud server provider; The data owner encrypts the image data using a symmetric key before outsourcing it to a cloud server; multiple data users can query the data and obtain valuable information from it. The cloud server provides ample storage and computing resources, a trusted execution environment, and responds to user requests; during system initialization, the three entities also initialize a secret sharing scheme.

3. The method for remote image feature extraction and retrieval based on SGX according to claim 1, characterized in that, The specific steps in section 1.2 are as follows: The purpose of initializing the secret sharing scheme is to distribute the symmetric key S of the encrypted image data as a secret to users and the trusted execution environment. Specifically, two secret sharing operations are performed to ensure that the symmetric key S cannot be recovered by combining the secret shares held by users. The symmetric key S can only be recovered by combining the secret shares held by users with the secret shares held by the trusted execution environment. Step 1.2.1 Perform the first secret sharing by distributing the symmetric key S into sk. a and SK b ,sk a with sk b For the secret share to be distributed, where sk a Stored in a trusted execution environment, sk b It will be redistributed; Step 1.2.2 Perform a second secret sharing, and share sk b Distributed as {sku0, sku1, ..., sku} n sku n+1 }, sku0 to sku n+1 All are secret shares, of which SKU0 is stored in a trusted execution environment, SKU1 is held by the data owner, and SKU2 through SKU... n+1 Each is held by n data users.

4. The method for remote image feature extraction and retrieval based on SGX according to claim 1, characterized in that, The specific steps in section 2.2.2 are as follows: Image processing using convolutional neural networks (pt) pic The output of its fully connected layer is obtained as the feature vector corresponding to the image. This step of the calculation operation is performed in the trusted execution environment of the cloud server.

5. The method for remote image feature extraction and retrieval based on SGX according to claim 1, characterized in that, The specific steps in section 2.2.3 are as follows: The feature vector of the image is processed using Locality Sensitive Hash (LSH). The output of each hash function is concatenated to form its corresponding hash bucket number (Bucket_ID). This calculation operation is performed in the trusted execution environment of the cloud server.

6. The method for remote image feature extraction and retrieval based on SGX according to claim 1, characterized in that, The specific steps in section 3.1 are as follows: When a data user makes a query, a query token is first constructed, which contains {sku} i pt pic c}, where sku i For the secret share of data users, pt pic is the plaintext image to be queried, and c is the freshness factor generated based on the query time; Data users use PK msg The encryption token is sent to the cloud server.

7. The method for remote image feature extraction and retrieval based on SGX according to claim 1, characterized in that, The specific steps in 3.2.8 are as follows: Generate a symmetric key sk based on the queried user's identity. respond Use this key to re-encrypt the plaintext image set pt pic Obtain the encrypted image set ct pic .

8. The method for remote image feature extraction and retrieval based on SGX according to claim 1, characterized in that, The specific steps in section 4.2 are as follows: Step 4.2.1 New users select their own secret share S n+2 ,calculate And send R n+2 To the data owner; Step 4.2.2 The data owner selects an ID for the new user. n+2 and calculate Step 4.2.3 The data owner will (R) n+2 ID n+2 ) will be published and Add to MSG.

9. The method for remote image feature extraction and retrieval based on SGX according to claim 1, characterized in that, The specific steps in section 4.3 are as follows: Delete user P i The corresponding (R) i ID i ) and MSG