Proceedings ArticleDOI

Secure pattern matching using somewhat homomorphic encryption

08 Nov 2013, pp. 65-76
TL;DR: This paper makes use of the somewhat homomorphic encryption scheme presented by Lauter, Naehrig and Vaikuntanathan (ACM CCSW 2011), which supports a limited number of both additions and multiplications on encrypted data, and proposes a new packing method suitable for an efficient computation of multiple Hamming distance values on encrypted data.
Abstract: The basic pattern matching problem is to find the locations where a pattern occurs in a text. Recently, secure pattern matching has received much attention in various areas, including privacy-preserving DNA matching and secure biometric authentication. The aim of this paper is to give a practical solution for this problem using homomorphic encryption, which is public key encryption supporting some operations on encrypted data. In this paper, we make use of the somewhat homomorphic encryption scheme presented by Lauter, Naehrig and Vaikuntanathan (ACM CCSW 2011), which supports a limited number of both additions and multiplications on encrypted data. In their work, some message encoding techniques are also presented for enabling us to efficiently compute sums and products over the integers. Based on their techniques, we propose a new packing method suitable for an efficient computation of multiple Hamming distance values on encrypted data. Our main extension gives two types of packed ciphertexts, and a linear computation over packed ciphertexts gives our desired results. We implemented the scheme with our packing method. Our experiments ran on an Intel Xeon at 3.07 GHz with our software library using inline assembly language in C programs. Our optimized implementation shows that the packed encryption of a text or a pattern, the computation of multiple Hamming distance values over packed ciphertexts, and the decryption respectively take about 3.65 milliseconds (ms), 5.31 ms, and 3.47 ms for secure exact and approximate pattern matching of a binary text of length 2048. The total time is about 12.43 ms, which would give practical performance in real life. Our method gives both faster performance and lower communication than the state-of-the-art work for a binary text of several thousand bits in length.
Citations
Proceedings ArticleDOI
24 Oct 2016
TL;DR: In this article, the authors proposed a new ORE scheme for small message spaces which achieves the "best-possible" notion of security for ORE, which is a generalization of OPE that allows for stronger security.
Abstract: In the last few years, there has been significant interest in developing methods to search over encrypted data. In the case of range queries, a simple solution is to encrypt the contents of the database using an order-preserving encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons over encrypted values). However, Naveed et al. (CCS 2015) recently showed that OPE-encrypted databases are extremely vulnerable to "inference attacks." In this work, we consider a related primitive called order-revealing encryption (ORE), which is a generalization of OPE that allows for stronger security. We begin by constructing a new ORE scheme for small message spaces which achieves the "best-possible" notion of security for ORE. Next, we introduce a "domain extension" technique and apply it to our small-message-space ORE. While our domain-extension technique does incur a loss in security, the resulting ORE scheme we obtain is more secure than all existing (stateless and non-interactive) OPE and ORE schemes which are practical. All of our constructions rely only on symmetric primitives. As part of our analysis, we also give a tight lower bound for OPE and show that no efficient OPE scheme can satisfy best-possible security if the message space contains just three messages. Thus, achieving strong notions of security for even small message spaces requires moving beyond OPE. Finally, we examine the properties of our new ORE scheme and show how to use it to construct an efficient range query protocol that is robust against the inference attacks of Naveed et al. We also give a full implementation of our new ORE scheme, and show that not only is our scheme more secure than existing OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55 microseconds, which is more than 65 times faster than existing OPE schemes.

146 citations

Posted Content
TL;DR: In this article, the authors proposed a homomorphic encryption scheme to encrypt all genomic data in the database and showed how basic genomic algorithms such as the Pearson Goodness-of-Fit test, the D′ and r^2-measures of linkage disequilibrium, the Estimation Maximization (EM) algorithm for haplotyping, and the Cochran-Armitage Test for Trend can work on encrypted data.
Abstract: A number of databases around the world currently host a wealth of genomic data that is invaluable to researchers conducting a variety of genomic studies. However, patients who volunteer their genomic data run the risk of privacy invasion. In this work, we give a cryptographic solution to this problem: to maintain patient privacy, we propose encrypting all genomic data in the database. To allow meaningful computation on the encrypted data, we propose using a homomorphic encryption scheme. Specifically, we take basic genomic algorithms which are commonly used in genetic association studies and show how they can be made to work on encrypted genotype and phenotype data. In particular, we consider the Pearson Goodness-of-Fit test, the D′ and r^2-measures of linkage disequilibrium, the Estimation Maximization (EM) algorithm for haplotyping, and the Cochran-Armitage Test for Trend. We also provide performance numbers for running these algorithms on encrypted data.

141 citations

Book ChapterDOI
17 Sep 2014
TL;DR: This work proposes encrypting all genomic data in the database to maintain patient privacy, and proposes using a homomorphic encryption scheme to allow meaningful computation on the encrypted data.
Abstract: A number of databases around the world currently host a wealth of genomic data that is invaluable to researchers conducting a variety of genomic studies. However, patients who volunteer their genomic data run the risk of privacy invasion. In this work, we give a cryptographic solution to this problem: to maintain patient privacy, we propose encrypting all genomic data in the database. To allow meaningful computation on the encrypted data, we propose using a homomorphic encryption scheme.

112 citations

Book ChapterDOI
26 Jan 2015
TL;DR: In this article, the authors proposed a method to perform the edit distance algorithm on encrypted data to obtain an encrypted result, where the genomic data owner provided only the encrypted sequence, and the public commercial cloud can perform the sequence analysis without decryption.
Abstract: These days genomic sequence analysis provides a key way of understanding the biology of an organism. However, since these sequences contain much private information, it can be very dangerous to reveal any part of them. It is desirable to protect this sensitive information when performing sequence analysis in public. As a first step in this direction, we present a method to perform the edit distance algorithm on encrypted data to obtain an encrypted result. In our approach, the genomic data owner provides only the encrypted sequence, and the public commercial cloud can perform the sequence analysis without decryption. The result can be decrypted only by the data owner or designated representative holding the decryption key.

111 citations

Journal ArticleDOI
TL;DR: Current developments toward using blockchain to address several problems in omics are introduced, and an outlook of possible future implications of the blockchain technology to life sciences is provided.
Abstract: Genomics data introduce a substantial computational burden as well as data privacy and ownership issues. Data sets generated by high-throughput sequencing platforms require immense amounts of computational resources to align to reference genomes and to call and annotate genomic variants. This problem is even more pronounced if reanalysis is needed for new versions of reference genomes, which may impose high loads to existing computational infrastructures. Additionally, after the compute-intensive analyses are completed, the results are either kept in centralized repositories with access control, or distributed among stakeholders using standard file transfer protocols. This imposes two main problems: (1) Centralized servers become gatekeepers of the data, essentially acting as an unnecessary mediator between the actual data owners and data users; and (2) servers may create single points of failure both in terms of service availability and data privacy. Therefore, there is a need for secure and decentralized platforms for data distribution with user-level data governance. A new technology, blockchain, may help ameliorate some of these problems. In broad terms, the blockchain technology enables decentralized, immutable, incorruptible public ledgers. In this Perspective, we aim to introduce current developments toward using blockchain to address several problems in omics, and to provide an outlook of possible future implications of the blockchain technology to life sciences.

101 citations


Cites methods from "Secure pattern matching using somew..."

  • ...Similarly, Yasuda et al. (2013) used somewhat homomorphic encryption for privacy-preserving DNA pattern matching....

References
Journal ArticleDOI

40,330 citations


"Secure pattern matching using somew..." refers background in this paper

  • ...• the NTRU encryption based schemes [30]....

  • ...After Gentry’s breakthrough, FHE is expected to be applied to various areas including cloud computing, and a number of new schemes, improvements, and implementations have been proposed (see [7, 8, 12, 18, 21, 22, 30] for examples of recent work)....

Book ChapterDOI
02 May 1999
TL;DR: A new trapdoor mechanism is proposed and three encryption schemes are derived: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA, which are provably secure under appropriate assumptions in the standard model.
Abstract: This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetic, are provably secure under appropriate assumptions in the standard model.

7,008 citations


"Secure pattern matching using somew..." refers background or methods in this paper

  • ...Actually, typical applications of additively homomorphic encryption such as the Paillier scheme [34] are electronic voting and e-cash....

  • ...Homomorphic encryption schemes proposed before 2000 can only support simple operations such as either additions or multiplications on encrypted data (see [15, 23, 34] for examples), and hence applications of these schemes are very...

  • ...a text of 10,000 and 100,000 characters), in using the Paillier scheme [34] of 1024 bit key length and using the DNA alphabet as a character (the performance of 5PM increases linearly in the text size)....

Proceedings ArticleDOI
Craig Gentry
31 May 2009
TL;DR: This work proposes a fully homomorphic encryption scheme that allows one to evaluate circuits over encrypted data without being able to decrypt, and describes a public key encryption scheme using ideal lattices that is almost bootstrappable.
Abstract: We propose a fully homomorphic encryption scheme -- i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result -- that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable. Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC^1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits. Unfortunately, our initial scheme is not quite bootstrappable -- i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.

5,770 citations


"Secure pattern matching using somew..." refers background in this paper

  • ...In 2009, Gentry in [19] proposed a concrete construction of a fully homomorphic encryption (FHE) scheme supporting arbitrary computations on encrypted data....

  • ...• ideal lattices based schemes [19, 20, 36], • integers based schemes [12, 14, 17], • the learning with errors (LWE) based schemes [8, 9, 10, 18], and...

Proceedings ArticleDOI
08 Jan 2012
TL;DR: A novel approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).
Abstract: We present a novel approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry's bootstrapping procedure. Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have 2^λ security against known attacks. For RLWE, we have: • A leveled FHE scheme that can evaluate L-level arithmetic circuits with O(λ · L^3) per-gate computation -- i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure. • A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is O(λ^2), independent of L. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes). We obtain similar results to the above for LWE, but with worse performance. Based on the Ring LWE assumption, we introduce a number of further optimizations to our schemes. As an example, for circuits of large width -- e.g., where a constant fraction of levels have width at least λ -- we can reduce the per-gate computation of the bootstrapped version to O(λ), independent of L, by batching the bootstrapping operation. Previous FHE schemes all required Ω(λ^3.5) computation per gate. At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).

1,924 citations


"Secure pattern matching using somew..." refers background or methods in this paper

  • ...In particular, the polynomial-CRT packing method is used in the work [22] to evaluate the AES circuit homomorphically by the BGV scheme of [8]....

  • ...After Gentry’s breakthrough, FHE is expected to be applied to various areas including cloud computing, and a number of new schemes, improvements, and implementations have been proposed (see [7, 8, 12, 18, 21, 22, 30] for examples of recent work)....

  • ...the authors in [22] used σ ≈ 4 for evaluating the AES circuit homomorphically in the leveled FHE scheme of [8])....

  • ...Our packing method makes use of the structure of the special ring Z[x]/(x + 1), and it can be applied to the BGV scheme of [8], and the scheme recently proposed by Fan and Vercauteren [18] (the performances in these schemes are estimated to be almost the same as in the scheme of [28] used in this paper)....

  • ...• ideal lattices based schemes [19, 20, 36], • integers based schemes [12, 14, 17], • the learning with errors (LWE) based schemes [8, 9, 10, 18], and...

Book ChapterDOI
10 Feb 2005
TL;DR: A homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x_1, ..., x_n and can evaluate quadratic multi-variate polynomials on ciphertexts provided the resulting value falls within a small set.
Abstract: Let ψ be a 2-DNF formula on boolean variables x_1, ..., x_n ∈ {0,1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x_1, ..., x_n. In other words, given the encryption of the bits x_1, ..., x_n, anyone can create the encryption of ψ(x_1, ..., x_n). More generally, we can evaluate quadratic multi-variate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system: In a database of size n, the total communication in the basic step of the Kushilevitz-Ostrovsky PIR protocol is reduced from $\sqrt{n}$ to $\sqrt[3]{n}$. An efficient election system based on homomorphic encryption where voters do not need to include non-interactive zero knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient. A protocol for universally verifiable computation.

1,754 citations


"Secure pattern matching using somew..." refers background or methods in this paper

  • ...The first scheme supporting both additions and multiplications is the BGN scheme [6] proposed in 2005, which is based on pairings over elliptic curves....

  • ...However, it cannot be applied to the BGN scheme [6] since it is based on pairings over elliptic curves....
