 Proceedings
 Open Access
Private genome analysis through homomorphic encryption
 Miran Kim^{1} and
 Kristin Lauter^{2}
https://doi.org/10.1186/1472-6947-15-S5-S3
© Kim and Lauter. 2015
 Published: 21 December 2015
Abstract
Background
The rapid development of genome sequencing technology allows researchers to access large genome datasets. However, outsourcing the data processing to the cloud poses high risks for personal privacy. The aim of this paper is to give a practical solution for this problem using homomorphic encryption. In our approach, all the computations can be performed in an untrusted cloud without requiring the decryption key or any interaction with the data owner, which preserves the privacy of genome data.
Methods
We present evaluation algorithms for secure computation of the minor allele frequencies and χ^{2} statistic in a genome-wide association studies setting. We also describe how to privately compute the Hamming distance and approximate Edit distance between encrypted DNA sequences. Finally, we compare performance details of using two practical homomorphic encryption schemes: the BGV scheme by Gentry, Halevi and Smart and the YASHE scheme by Bos, Lauter, Loftus and Naehrig.
Results
The approach with the YASHE scheme analyzes data from 400 people within about 2 seconds and picks a variant associated with disease from 311 spots. For another task, using the BGV scheme, it took about 65 seconds to securely compute the approximate Edit distance for DNA sequences of size 5K and figure out the differences between them.
Conclusions
The performance numbers for BGV are better than YASHE when homomorphically evaluating deep circuits (like the Hamming distance algorithm or approximate Edit distance algorithm). On the other hand, it is more efficient to use the YASHE scheme for a low-degree computation, such as minor allele frequencies or χ^{2} test statistic in a case-control study.
Keywords
 Homomorphic encryption
 Genome-wide association studies
 Hamming distance
 Approximate Edit distance
Introduction
The rapid development of genome sequencing technology has led to the genome era. We expect that the price of a whole genome sequence will soon be $1K in a day, which enables researchers to access large genome datasets. Moreover, many genome projects like the Personal Genome Project (PGP) [1] and the HapMap Project [2] display genotypic information in public databases, so genomic data has become publicly accessible.
While genome data can be used for a wide range of applications including healthcare, biomedical research, and forensics, it can be misused, violating personal privacy via genetic disease disclosure or genetic discrimination. Even when explicit identifiers (e.g., name, date of birth or address) are removed from genomic data, one can often recover the identity information [3–5]. For these reasons, genomic data should be handled with care.
There have been many attempts to protect genomic privacy using cryptographic methods. In particular, it has been suggested that we can preserve privacy through (partially) homomorphic encryption, which allows computations to be carried out on ciphertexts. Kantarcioglu et al. [6] presented a novel framework that allows organizations to support data mining without violating genomic privacy. Baldi et al. [7] proposed a cryptographic protocol to determine whether there exists a biological parent-child relationship between two individuals. Ayday et al. [8] recently conducted privacy-preserving computation of disease risk based on genomic and non-genomic data. However, these methods used homomorphic computation involving a single operation on ciphertexts (e.g., either additions or multiplications, not both), thus they could support a limited set of genomic queries.
Fully homomorphic encryption (e.g., [9–11]) permits encrypted data to be computed on without decryption, so it allows us to evaluate arbitrary arithmetic circuits over encrypted data. Thus, we can privately perform all types of genome analysis using Homomorphic Encryption (HE) cryptosystems. Moreover, we can delegate intensive computation to a public cloud and store large amounts of data in it.
Recently, many protocols to conduct privacy-preserving computation of genomic tests with fully homomorphic encryption have been introduced. Yasuda et al. [12] gave a practical solution for computation of multiple Hamming distance values using the LNV scheme [13] on encrypted data, so as to find the locations where a pattern occurs in a text. Graepel et al. [14] and Bos et al. [15] applied HE to machine learning, and described how to privately conduct predictive analysis based on an encrypted learned model. Lauter et al. [16] gave a solution to privately compute the basic genomic algorithms used in genetic association studies. Cheon et al. [17] described how to calculate edit distance on homomorphically encrypted data.
In this paper, we propose efficient evaluation algorithms to compute genomic tests on encrypted data. We first consider the basic tests which are used in Genome-Wide Association Studies (GWAS). They are conducted to analyze the statistical associations between common genetic variants in different individuals. In particular, we focus on the minor allele frequencies (MAFs) and χ^{2} test statistic between the variants of case and control groups. Secondly, we consider DNA sequence comparison which can be used in sequence alignment and gene finding. We show how to privately compute the Hamming distance and approximate Edit distance on encrypted data. We also adapt these methods to the practical HE schemes: the BGV scheme [18] by Gentry, Halevi and Smart and the YASHE scheme [19] by Bos, Lauter, Loftus and Naehrig. Finally, we compare the performance of the two encryption schemes in these contexts. In practice, we take advantage of batching techniques to parallelize both space and computation time together.
One possible scenario could be of interest in situations involving patients, a data owner (e.g., a healthcare organization or a medical center) and a public cloud. In our solution, a data owner wants to store large amounts of data in the cloud and many users may interact with the same data over time. The cloud can handle all that interaction through computation on encrypted data, so it does not require further interaction from the data owner. The patients can upload their encrypted data directly to the cloud using the public key. The genomic tests are performed on the cloud and the encrypted results are returned to the data owner. Finally, the data owner decrypts the results using the secret key to share it with the patient. All the computations in the cloud are performed on encrypted data without requiring the decryption key, so the privacy of genomic data can be protected by the semantic security of the underlying HE schemes.
Background
The iDASH (Integrating Data for Analysis, 'anonymization' and SHaring) National Center organized the iDASH Privacy & Security challenge for secure genome analysis. This paper is based on a submission to the iDASH challenge which consisted of two tasks: i) secure outsourcing of GWAS and ii) secure comparison between genomic data.
Two tasks for iDASH challenge
Given the encrypted genotypes of two groups of individuals over many single nucleotide variants (SNVs), the goal of the first task is to privately compute the MAFs in each group and a χ^{2} test statistic between the two groups on each site.
If we let N be the total number of people in a sample population, the total number of alleles in the sample is n_{ A } + n_{ B } = 2N, so we compute only one of two allele counts in encrypted form. The minimum can then easily be computed after decryption and we obtain the MAF by one division by 2N .
Allelic Contingency Table
              Allele type A          Allele type B          Total
  Case        n_{A}                  n_{B}                  R = 2N
  Control     n'_{A}                 n'_{B}                 S = 2N
  Total       G = n_{A} + n'_{A}     K = n_{B} + n'_{B}     T = 4N
Algorithm 1 Hamming Distance Algorithm
  h ← 0
  for i ∈ $\mathcal{L}$ do
    if x_i.sv ∈ {'INS', 'DEL'} or y_i.sv ∈ {'INS', 'DEL'} then
      h_i ← 0
    else if (x_i == '∅' or y_i == '∅') or (x_i.ref == y_i.ref and x_i.alt ≠ y_i.alt) then
      h_i ← 1
    else
      h_i ← 0
    end if
    h ← h + h_i
  end for
  return h
Let $n_A^{(j)}$ and $n'^{(j)}_A$ denote the allele counts of A at SNV j in the case group and control group, respectively. As discussed above, it suffices to compute $\left(n_A^{(j)} + n'^{(j)}_A\right)$ and $\left(n_A^{(j)} - n'^{(j)}_A\right)$ over encrypted data.
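The following added example (not the paper's code) works through Task 1 in the clear: the untrusted party's job reduces to per-SNV additions and one subtraction, and the data owner recovers the MAFs and the χ^{2} statistic from the decrypted sum and difference alone. The genotype matrices are constructed toy data, and the χ^{2} formula is the standard 2x2 contingency statistic for the allelic table above (an assumption, since the page gives only the table).

```python
"""Task 1 allele statistics from the two encrypted per-SNV sums.

The cloud side only adds and subtracts per-person allele counts, which is all
a homomorphic scheme needs for this task; the data owner finishes the MAF and
chi^2 computation after decryption.  Constructed toy data, not the paper's set."""
from typing import List, Tuple

# Each row is one person; entry j is the number of A alleles (0, 1 or 2) at SNV j.
CASE = [[2, 1, 0], [1, 1, 0], [2, 0, 1], [1, 1, 0]]
CONTROL = [[0, 1, 1], [1, 1, 0], [0, 1, 2], [1, 0, 1]]


def allele_count_a(group: List[List[int]]) -> List[int]:
    """n_A^{(j)} for every SNV j: a column sum, i.e. homomorphic additions only."""
    return [sum(person[j] for person in group) for j in range(len(group[0]))]


def cloud_side(case: List[List[int]], control: List[List[int]]) -> List[Tuple[int, int]]:
    """What the untrusted party returns per SNV: (n_A + n'_A, n_A - n'_A)."""
    na, ma = allele_count_a(case), allele_count_a(control)
    return [(a + b, a - b) for a, b in zip(na, ma)]


def maf(n_a: int, n_people: int) -> float:
    """Minor allele frequency: min(n_A, n_B) / 2N with n_B = 2N - n_A."""
    two_n = 2 * n_people
    return min(n_a, two_n - n_a) / two_n


def chi2_from_sums(g: int, d: int, n_people: int) -> float:
    """chi^2 of the allelic 2x2 table using only G = n_A + n'_A and D = n_A - n'_A.

    With R = S = 2N, K = 4N - G and n_A n'_B - n_B n'_A = 2N * D, the statistic
    T (n_A n'_B - n_B n'_A)^2 / (R S G K) collapses to 4N * D^2 / (G K)."""
    k = 4 * n_people - g
    return 4 * n_people * d * d / (g * k)


def chi2_from_table(n_a: int, n_b: int, m_a: int, m_b: int) -> float:
    """Reference: the full contingency formula, used to check the shortcut."""
    t = n_a + n_b + m_a + m_b
    r, s, g, k = n_a + n_b, m_a + m_b, n_a + m_a, n_b + m_b
    return t * (n_a * m_b - n_b * m_a) ** 2 / (r * s * g * k)


def owner_side(sums: List[Tuple[int, int]], n_people: int) -> List[Tuple[float, float, float]]:
    """Decrypted (G, D) per SNV -> (MAF case, MAF control, chi^2)."""
    out = []
    for g, d in sums:
        n_a, m_a = (g + d) // 2, (g - d) // 2   # recover both counts from G and D
        out.append((maf(n_a, n_people), maf(m_a, n_people), chi2_from_sums(g, d, n_people)))
    return out


if __name__ == "__main__":
    for j, row in enumerate(owner_side(cloud_side(CASE, CONTROL), len(CASE))):
        print(f"SNV {j}: MAF(case)={row[0]:.3f} MAF(control)={row[1]:.3f} chi2={row[2]:.3f}")
```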
The goal of the second task is to privately compute the Hamming distance and approximate Edit distance between the encrypted genome sequences. Suppose that two participants have Variation Call Format (VCF) files which summarize their variants compared with the reference genome (e.g., insertion, deletion, or substitution at a given position of a given chromosome). If there is only one record in the VCF files at a specified location, the other one is considered to be an empty set ('∅'). Let $\mathcal{L}$ be a list indexed by the positions of two participants. Then we can define the Hamming distance as described in Algorithm 1, where "x_{ i }.sv" denotes the type of structural variant relative to the reference, "x_{ i }.ref " the reference bases and "x_{ i }.alt" the alternate nonreference alleles.
The standard dynamic programming approach computes the full Wagner-Fischer Edit distance [20] recursively, so the multiplicative depth of the circuit to be homomorphically evaluated is too large. Recently, Cheon et al. [17] presented an algorithm to compute the WF Edit distance over packed ciphertexts, but it took about 27 seconds even on length 8 DNA sequences. On the other hand, in this task we are given the distance to a public human DNA sequence (called the reference genome), which allows us to efficiently approximate the Edit distance using Algorithm 2. It is calculated based on the set difference metric, which enables parallel processing in computation.
Algorithm 2 Approximate Edit Distance Algorithm
  e ← 0
  for i ∈ $\mathcal{L}$ do
    if x_i == '∅' then
      D(x_i) ← 0
    else if x_i.sv == 'DEL' then
      D(x_i) ← len(x_i.ref)
    else
      D(x_i) ← len(x_i.alt)
    end if
    Define D(y_i) in the same way as D(x_i)
    if x_i.ref == y_i.ref and x_i.alt == y_i.alt then
      e_i ← 0
    else
      e_i ← max{D(x_i), D(y_i)}
    end if
    e ← e + e_i
  end for
  return e
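Algorithms 1 and 2 as a plaintext reference implementation, added here as an example and not taken from the paper; the record layout (sv/ref/alt per position), the use of None for '∅', and the two sample genomes are constructed for illustration.

```python
"""Plaintext reference for Algorithm 1 (Hamming) and Algorithm 2 (approximate
Edit distance) over per-position VCF-style records.  Constructed example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Variant:
    sv: str   # structural-variant type relative to the reference: 'SNP', 'INS', 'DEL'
    ref: str  # reference bases at this position
    alt: str  # alternate (non-reference) alleles


# A participant's variants keyed by (chromosome, position); a missing record is '∅' (None).
Genome = Dict[Tuple[str, int], Variant]


def positions(x: Genome, y: Genome) -> List[Tuple[str, int]]:
    """The list L: every position at which at least one participant has a record."""
    return sorted(set(x) | set(y))


def hamming_distance(x: Genome, y: Genome) -> int:
    """Algorithm 1: branch order matters, an INS/DEL on either side scores 0 first."""
    h = 0
    for i in positions(x, y):
        xi, yi = x.get(i), y.get(i)   # None plays the role of '∅'
        if (xi is not None and xi.sv in ("INS", "DEL")) or (yi is not None and yi.sv in ("INS", "DEL")):
            hi = 0
        elif xi is None or yi is None or (xi.ref == yi.ref and xi.alt != yi.alt):
            hi = 1
        else:
            hi = 0
        h += hi
    return h


def _d(v: Optional[Variant]) -> int:
    """D(x_i): 0 for '∅', the deleted length for DEL, else the alternate-allele length."""
    if v is None:
        return 0
    if v.sv == "DEL":
        return len(v.ref)
    return len(v.alt)


def approx_edit_distance(x: Genome, y: Genome) -> int:
    """Algorithm 2: a missing record never matches, so it costs max(D(x_i), D(y_i))."""
    e = 0
    for i in positions(x, y):
        xi, yi = x.get(i), y.get(i)
        same = xi is not None and yi is not None and xi.ref == yi.ref and xi.alt == yi.alt
        e += 0 if same else max(_d(xi), _d(yi))
    return e


# Constructed sample: two participants' variants on one chromosome.
P1: Genome = {
    ("chr1", 100): Variant("SNP", "A", "G"),
    ("chr1", 250): Variant("SNP", "C", "T"),
    ("chr1", 400): Variant("INS", "T", "TAGG"),
    ("chr1", 800): Variant("DEL", "GATC", "G"),
}
P2: Genome = {
    ("chr1", 100): Variant("SNP", "A", "G"),   # identical record: 0 for both metrics
    ("chr1", 250): Variant("SNP", "C", "A"),   # same ref, different alt: h = 1, e = 1
    ("chr1", 400): Variant("INS", "T", "TA"),  # insertion: h = 0, e = max(4, 2) = 4
    ("chr1", 600): Variant("SNP", "G", "C"),   # only in P2: h = 1, e = max(0, 1) = 1
    # position 800 only in P1: deletion, h = 0, e = max(len("GATC"), 0) = 4
}

if __name__ == "__main__":
    print("Hamming:", hamming_distance(P1, P2))
    print("approx Edit:", approx_edit_distance(P1, P2))
```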
Practical homomorphic encryption
Fully Homomorphic cryptosystems allow us to homomorphically evaluate any arithmetic circuit without decryption. However, the noise of the resulting ciphertext grows during homomorphic evaluations, slightly with addition but substantially with multiplication. For efficiency reasons for tasks which are known in advance, we use a more practical Somewhat Homomorphic Encryption (SHE) scheme, which evaluates functions up to a certain complexity. In particular, two techniques are used for noise management of SHE: one is the modulus-switching technique introduced by Brakerski, Gentry and Vaikuntanathan [21], which scales down a ciphertext during every multiplication operation and reduces the noise by its scaling factor. The other is a scale-invariant technique proposed by Brakerski [22] such that the same modulus is used throughout the evaluation process.
Let us denote by [·]_{ q } the reduction modulo q into the interval $(-q/2, q/2]\cap \mathbb{Z}$ of an integer or integer polynomial (coefficient-wise). For a security parameter λ, we choose an integer m = m(λ) that defines the mth cyclotomic polynomial Φ_{ m }(x). For a polynomial ring $R=\mathbb{Z}[x]/(\Phi_m(x))$, set the plaintext space to R_{ t } := R/tR for some fixed t ≥ 2 and the ciphertext space to R_{ q } := R/qR for an integer q = q(λ). Let χ = χ(λ) denote a noise distribution over the ring R. We use the standard notation $a\leftarrow \mathcal{D}$ to denote that a is chosen from the distribution $\mathcal{D}$. Now, we recall the BGV scheme [18] and the scale-invariant YASHE scheme [19].
The BGV scheme
Gentry, Halevi and Smart [18] constructed an efficient BGV-type SHE scheme. The security of this scheme is based on the (decisional) Ring Learning With Errors (RLWE) assumption, which was first introduced by Lyubashevsky, Peikert and Regev [23]. The assumption is that it is infeasible to distinguish the following two distributions. The first distribution consists of pairs (a_{ i }, u_{ i }), where a_{ i }, u_{ i } ← R_{ q } uniformly at random. The second distribution consists of pairs of the form (a_{ i }, b_{ i }) = (a_{ i }, a_{ i }s + e_{ i }) where a_{ i } ← R_{ q } is drawn uniformly and s, e_{ i } ← χ. Note that we can generate RLWE samples as (a_{ i }, a_{ i }s + te_{ i }) where t and q are relatively prime. To improve efficiency for HE, they use very sparse secret keys s with coefficients sampled from {−1, 0, 1}.
Here is the SHE scheme of [18]:

ParamsGen: Given the security parameter λ, choose an odd integer m, a chain of moduli q_{0} < q_{1} < ⋯ < q_{L−1 }= q, a plaintext modulus t with 1 < t < q_{0}, and discrete Gaussian distribution χ_{ err }. Output (m, {q_{ i }}, t, χ_{ err }).

KeyGen: On the input parameters, choose a random s from {0, ±1}^{φ(m)} and generate an RLWE instance (a, b) = (a, [as + te]_{ q }) for e ← χ_{ err }. We set the key pair (pk, sk) = ((a, b), s) with an evaluation key $\mathsf{evk}\in R^2_{P\cdot q_{L-2}}$ for a large integer P.

Encryption: To encrypt m ∈ R_{ t }, choose a small polynomial v and two Gaussian polynomials e_{0}, e_{1} over R_{ q }. Then compute the ciphertext given by Enc(m, pk) = (c_{0}, c_{1}) = (m, 0) + (bv + te_{0}, av + te_{1}) ∈ $R_q^2$.

Decryption: Given a ciphertext ct = (c_{0}, c_{1}) at level l, output $\mathsf{Dec}(\mathsf{ct},\mathsf{sk})=[c_0 - s\cdot c_1]_{q_l}$ mod t, where the polynomial $[c_0 - s\cdot c_1]_{q_l}$ is called the noise in the ciphertext ct.

Homomorphic Evaluation: Given two ciphertexts ct = (c_{0}, c_{1}) and $\mathsf{ct'}=(c'_0, c'_1)$ at level l, the homomorphic addition is computed by $\mathsf{ct}_{\mathsf{add}}=\left([c_0+c'_0]_{q_l},\,[c_1+c'_1]_{q_l}\right)$. The homomorphic multiplication is computed by ct_{mult} = SwitchKey(ct ∗ ct′, evk) where $\mathsf{ct}*\mathsf{ct'}=\left([c_0c'_0]_{q_l},\,[c_0c'_1+c_1c'_0]_{q_l},\,[c_1c'_1]_{q_l}\right)$ and the key switching function SwitchKey is used to reduce the size of the ciphertext back to two ring elements. We also apply modulus switching from q_{ i } to q_{i−1} in order to reduce the noise. Once we reach the smallest modulus q_{0}, we can no longer compute on ciphertexts.
Smart and Vercauteren [24] observed that R_{ t } is isomorphic to $\prod_{i=1}^{\ell}\mathbb{Z}_t[x]/f_i(x)$ if Φ_{ m }(x) factors modulo t into ℓ irreducible factors f_{ i }(x) of the same degree. Namely, a plaintext polynomial m can be considered as a vector of ℓ small polynomials, m mod f_{ i }, called plaintext slots. We can also transform the plaintext vector $(m_1,\dots,m_\ell)\in\prod_{i=1}^{\ell}\mathbb{Z}_t[x]/f_i(x)$ to an element m ∈ R_{ t } using the polynomial Chinese Remainder Theorem (i.e., m = CRT(m_{1}, ..., m_{ ℓ })). In particular, it is possible to add and multiply on the slots: if m, m′ ∈ R_{ t } encode (m_{1}, ..., m_{ ℓ }) and $(m'_1,\dots,m'_\ell)$ respectively, then we see that $m+m'=m_i+m'_i$ mod f_{ i } and $m\cdot m'=m_i\cdot m'_i$ mod f_{ i }. This technique was adapted to the BGV scheme.
The YASHE scheme
A practical SHE scheme, YASHE, was proposed in [19] based on combining ideas from [22, 25, 26]. The security of this scheme is based on the hardness of the RLWE assumption similar to the one for BGV. It also relies on the Decisional Small Polynomial Ratio (DSPR) assumption which was introduced by Lopez-Alt, Tromer, and Vaikuntanathan [26]. Let $t\in R_q^{\times}$ be invertible in R_{ q }, y_{ i } ∈ R_{ q } and z_{ i } = y_{ i }/t (mod q) for i = 1, 2. For z ∈ R_{ q }, we define χ_{ z } = χ + z to be the distribution shifted by z. The assumption is that it is hard to distinguish elements of the form h = a/b, where a ← y_{1} + tχ_{ z_1 }, b ← y_{2} + tχ_{ z_2 }, from elements drawn uniformly from R_{ q }. The YASHE scheme consists of the following algorithms.

ParamsGen: Given the security parameter λ, choose m to be a power of 2 (so that the mth cyclotomic polynomial is Φ_{ m }(x) = x^{ n } + 1 with n = φ(m) = m/2), moduli q and t with 1 < t < q, a truncated discrete Gaussian distribution χ_{ err } on R such that the coefficients of the polynomial are selected in the range [−B(λ), B(λ)], and an integer base ω > 1. Output (m, q, t, χ_{ err }, ω).

KeyGen: On the input parameters, sample f′, g ← {0, ±1}^{φ(m)} and set f = [tf′ + 1]_{ q }. If f is not invertible modulo q, choose a new f′. Compute the inverse f^{−1} ∈ R of f modulo q and set h = [tgf^{−1}]_{ q }. Let ℓ_{ ω,q } = ⌊log_{ ω }(q)⌋ + 1 and define $\mathsf{P}_{\omega,q}(a)=\left([a\omega^i]_q\right)_{i=0}^{\ell_{\omega,q}-1}$. Sample $e,s\leftarrow \chi_{err}^{\ell_{\omega,q}}$ and compute $\gamma=[\mathsf{P}_{\omega,q}(f)+e+hs]_q\in R_q^{\ell_{\omega,q}}$. Then we set the key pair: (pk, sk, evk) = (h, f, γ).

Encryption: To encrypt m ∈ R_{ t }, choose e, s ← χ_{ err } and then compute the ciphertext $\mathsf{Enc}(m,\mathsf{pk})=\left[\left\lfloor\frac{q}{t}\right\rfloor\cdot[m]_t+e+hs\right]_q\in R_q$.

Decryption: Given a ciphertext ct, output $\mathsf{Dec}(\mathsf{ct},\mathsf{sk})=\left\lfloor\frac{t}{q}\cdot[f\cdot\mathsf{ct}]_q\right\rceil$ mod t. The inherent noise in the ciphertext is defined as the minimum value of the infinity norm $\|v\|_\infty=\max_i |v_i|$ such that $f\cdot\mathsf{ct}=\left\lfloor\frac{q}{t}\right\rfloor\cdot[m]_t+v \pmod q$.

Homomorphic Evaluation: Given two ciphertexts ct and ct′, homomorphic addition is computed as $\mathsf{ct}_{\mathsf{add}}=[\mathsf{ct}+\mathsf{ct'}]_q$. Homomorphic multiplication is computed as $\mathsf{ct}_{\mathsf{mult}}=\mathsf{SwitchKey}\left(\left[\left\lfloor\frac{t}{q}\,\mathsf{ct}\cdot\mathsf{ct'}\right\rceil\right]_q,\mathsf{evk}\right)$ where the key switching function SwitchKey is used to transform the product back into a ciphertext decryptable under the original secret key f (see [19] for details).
Our methods for private genome analysis
In this section, we describe how to encode and encrypt the genomic data for each task. Based on these methods, we propose the evaluation algorithms to compute the genomic tests on encrypted data.
Encoding genomic data
The value e_{ i } defines whether the genotype at the specified locus is missing; the value f_{ i } specifies the variants compared with the reference.
and then concatenated with each other. Next we pad with 1 at the end of the bit string so as to distinguish the A-strings. Finally, we pad with zeros to make it a binary string of length 15, denoted by s_{ i }. Let s_{ i }[j] denote the jth bit of s_{ i }. If a person's SNV at the given locus is not known (i.e., e_{ i } = 0), then it is encoded as the 0-string. For example, 'GT C' is encoded as a bit string 01111010 ... 0 of length 15.
Homomorphic computation of the BGV scheme
We describe how to compute the genomic algorithms described above on encrypted genetic data using the BGV scheme.
Task 1: GWAS on encrypted genomic data
Using the encodings that we propose for practical HE, we can homomorphically evaluate any function involving additions and multiplications, but it is not known how to perform homomorphic division of integer values. We obtain the counts using a few homomorphic additions.
Task 2: secure DNA sequence comparison
We represent sequence comparison algorithms as binary circuits and then evaluate them over encrypted data. We use the native plaintext space of binary polynomials (i.e., ${R}_{2}={\mathbb{Z}}_{2}\left[x\right]/\left({\Phi}_{m}\left(x\right)\right)$), and denote XOR and AND as ⊕ and ∧, respectively. For simplicity, you may consider the plaintext space ${\mathbb{Z}}_{2}^{\ell}$ supporting batching operation with ℓ slots.
where $\mathsf{E}(\mathsf{s}_i,\mathsf{s}'_i)=\bigwedge_{j=1}^{15}\left(\mathsf{s}_i[j]\oplus\mathsf{s}'_i[j]\oplus 1\right)$ equals 1 if and only if $\mathsf{s}_i$ and $\mathsf{s}'_i$ are the same. After the homomorphic computations, the output can be decrypted with the secret key. The plaintext polynomial holds the Hamming distance result of SNV site i in the ith slot, so we need only aggregate them.
Finally, one can decrypt the results and decode $\ell(\mathcal{L})$ values from the output plaintext polynomials. More precisely, let $\ell_{i,j}$ be the value at the ith slot which corresponds to the jth bit. We see that $\sum_{j=1}^{\mu}\ell_{i,j}\cdot 2^{j-1}$ is the approximate Edit distance of SNV site i, hence we need only perform aggregation operations over them.
Homomorphic computation of the YASHE scheme
We explain how to evaluate the genomic algorithms homomorphically using the YASHE scheme.
Task 1: GWAS on encrypted genomic data
Task 2: secure DNA sequence comparison
Since polynomial multiplication does not correspond to component-wise multiplication of the vectors, we have to consider another packing method instead of [13]. Let us consider the polynomial-CRT packing method. The mth cyclotomic polynomial $\Phi_m(x)$ factors modulo 2 into a power of a single irreducible factor (i.e., $\Phi_m(x)=x^n+1=(x+1)^n$ mod 2), so we cannot apply the batching technique with these parameters. We can instead do so by taking a prime t (not 2) such that the polynomial splits into distinct factors modulo t, but the use of a different message space requires changing our primitive circuits.
where $\mathsf{E}(\mathbf{s}_i,\mathbf{s}'_i)=\prod_{j=1}^{15}\left(1-\left(\mathbf{s}_i[j]-\mathbf{s}'_i[j]\right)^2\right)$.
Then we get the encryptions of the approximate Edit distance result of SNV i.
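The two equality tests above, $\bigwedge_j(\mathsf{s}_i[j]\oplus\mathsf{s}'_i[j]\oplus 1)$ over the binary plaintext space (BGV, t = 2) and $\prod_j\left(1-(\mathbf{s}_i[j]-\mathbf{s}'_i[j])^2\right)$ over $\mathbb{Z}_t$ (YASHE), as an added example that is not the paper's code. The Wire class is a constructed stand-in for a ciphertext that tracks the plaintext value mod t and the multiplicative depth consumed, which is the quantity that fixes the level parameter L; the 15-bit strings are constructed from the page's 'GT C' example by padding with zeros.

```python
"""Equality-test circuits for 15-bit SNV encodings, with depth accounting.
Constructed example: a Wire mimics a ciphertext only in what decrypting it
would reveal (val mod t) and in how many multiplication levels it has used."""
from dataclasses import dataclass
from functools import reduce
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Wire:
    val: int        # plaintext value in Z_t
    t: int          # plaintext modulus
    depth: int = 0  # multiplicative depth of the circuit that produced it

    def __add__(self, o: "Wire") -> "Wire":   # XOR when t = 2; additions cost no level
        return Wire((self.val + o.val) % self.t, self.t, max(self.depth, o.depth))

    def __sub__(self, o: "Wire") -> "Wire":
        return Wire((self.val - o.val) % self.t, self.t, max(self.depth, o.depth))

    def __mul__(self, o: "Wire") -> "Wire":   # AND when t = 2; costs one level
        return Wire((self.val * o.val) % self.t, self.t, max(self.depth, o.depth) + 1)


def encrypt_bits(bits: List[int], t: int) -> List[Wire]:
    """Fresh 'ciphertexts' of a bit string, all at depth 0."""
    return [Wire(b % t, t) for b in bits]


def tree_product(ws: List[Wire]) -> Wire:
    """Multiply pairwise in a balanced binary tree: adds ceil(log2 len(ws)) levels."""
    while len(ws) > 1:
        nxt = [ws[i] * ws[i + 1] for i in range(0, len(ws) - 1, 2)]
        if len(ws) % 2:
            nxt.append(ws[-1])  # odd element rides along unchanged
        ws = nxt
    return ws[0]


def chain_product(ws: List[Wire]) -> Wire:
    """Naive left-to-right product: adds len(ws) - 1 levels, far too deep for SHE."""
    return reduce(lambda a, b: a * b, ws)


def equal_bgv(s: List[Wire], s2: List[Wire]) -> Wire:
    """E(s, s') = AND_j (s[j] XOR s'[j] XOR 1) over the binary plaintext space."""
    one = Wire(1, 2)
    return tree_product([a + b + one for a, b in zip(s, s2)])


def equal_yashe(s: List[Wire], s2: List[Wire], t: int) -> Wire:
    """E(s, s') = PROD_j (1 - (s[j] - s'[j])^2) over Z_t with t an odd prime."""
    one = Wire(1, t)
    return tree_product([one - (a - b) * (a - b) for a, b in zip(s, s2)])


# Constructed 15-bit encodings: the page's 'GT C' bits 01111010 padded with
# zeros, and a copy with one flipped bit.
S_X = [0, 1, 1, 1, 1, 0, 1, 0] + [0] * 7
S_Y = S_X[:]
S_Y[6] = 0


def demo(t_yashe: int = 8191) -> Dict[str, Tuple[int, int]]:
    """(value, depth) of each equality test; t_yashe = 8191 is the Task 2 table value."""
    bx, by = encrypt_bits(S_X, 2), encrypt_bits(S_Y, 2)
    yx, yy = encrypt_bits(S_X, t_yashe), encrypt_bits(S_Y, t_yashe)
    bgv_same, bgv_diff = equal_bgv(bx, bx), equal_bgv(bx, by)
    ya_same, ya_diff = equal_yashe(yx, yx, t_yashe), equal_yashe(yx, yy, t_yashe)
    naive = chain_product([a + b + Wire(1, 2) for a, b in zip(bx, bx)])
    return {
        "bgv_same": (bgv_same.val, bgv_same.depth),
        "bgv_diff": (bgv_diff.val, bgv_diff.depth),
        "yashe_same": (ya_same.val, ya_same.depth),
        "yashe_diff": (ya_diff.val, ya_diff.depth),
        "naive_chain": (naive.val, naive.depth),
    }


if __name__ == "__main__":
    for name, (val, depth) in demo().items():
        print(f"{name:12s} value={val} depth={depth}")
```

The balanced product keeps the BGV test at depth ⌈log₂ 15⌉ = 4 (one more for the YASHE form, which spends a level on the square), whereas a left-to-right chain would need 14 levels.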
Results and discussion
In this section, we explain how to set the parameters for homomorphic evaluations and present our experimental results. We used the BGV scheme with Shoup-Halevi's HE library [28] (called HElib). HElib is written in C++ and based on the arithmetic library NTL [29] over GMP. Our experiments with BGV were performed on a Linux machine with an Intel Xeon 2.67 GHz processor. We also implemented the YASHE scheme with the ARITH library in C. The measurements were done on an Intel Core 3.60 GHz, running 64-bit Windows 7.
The dataset used for Task 1 consists of a case group of 200 (constructed from 200 participants of PGP) and a control group of 200 (simulated based on the haplotypes of 174 participants from the CEU population of the HapMap Project). The dataset for Task 2 consists of two individual genomes randomly selected from PGP.
Theoretical comparison between BGV and YASHE
The theoretical sizes of ciphertext modulus and a ciphertext
             BGV                                                                                        YASHE
  log_2 q    $\left(M\cdot\frac{\log_2(h\cdot n\cdot t^4)}{36}+3\right)\cdot\left(11+\frac{1}{2}\log_2 n\right)$      $2M\cdot\log_2(nt)$
  |ct|       $2n\left(M\cdot\frac{\log_2(h\cdot n\cdot t^4)}{36}+3\right)\cdot\left(11+\frac{1}{2}\log_2 n\right)$    $2nM\cdot\log_2(nt)$
For some 0 ≤ η < 1; if log_{2} t ≥ 4, then log_{2} t + 18η − 4 ≥ 0; otherwise, we have d_{n,t} = 1 and so $18\cdot d_{n,t}-14-\log_2 t>0$.
Let us contrast the complexity of homomorphic multiplication operations for the two schemes. One of the new optimizations for BGV is to convert polynomials between coefficient and evaluation representations. Most of the homomorphic operations are performed in the more efficient evaluation representation, but it sometimes requires coefficient representation. Note that these conversions take the most time in execution. In more detail, at the lth level of this scheme, the key switching procedure requires $\mathcal{O}$(l) Fast Fourier Transforms (FFTs) and the modulus switching operation requires (l + 1) FFTs. Since HElib uses the Bluestein FFT algorithm [30] (with runtime complexity of $\mathcal{O}$(n log n)), this yields an overall complexity of $\mathcal{O}$(ln log n) for a multiplication of ciphertexts.
For the polynomial multiplication in the base ring R_{ q } = ℤ_{ q }[x]/(x^{ n } + 1), we implemented the FFT algorithm by Nussbaumer [31] based on recursive negacyclic convolutions (with runtime complexity $\frac{9}{2}n\log n\log\log n+\mathcal{O}(n\log n)$ arithmetic operations in ℤ_{ q }). The homomorphic multiplication in YASHE includes a costly key switching operation which is an inner product on $R_q^{\ell_{\omega,q}}$, hence we obtain a total cost of $\ell_{\omega,q}\cdot\left(\frac{9}{2}n\log n\log\log n+\mathcal{O}(n\log n)\right)$ operations for a ciphertext multiplication. Therefore, BGV is expected to be faster than YASHE for a ciphertext multiplication if we take similar parameters for q and n.
How to set parameters
The security of BGV relies on the hardness of the RLWE assumption. Similarly, YASHE is provably secure in the sense of IND-CPA under the RLWE assumption and the DSPR assumption. The main difference between the schemes is that BGV uses an odd integer m while YASHE chooses m to be a power of two with a prime integer q such that q ≡ 1 (mod m). In [23], it was shown that the hardness of RLWE with the cyclotomic polynomial Φ_{ m }(x) = x^{φ(m)} + 1 can be established by a quantum reduction to shortest vector problems in ideal lattices. This means that YASHE is believed to be secure as long as the lattice problems are hard to solve.
Parameters of the BGV scheme
thus we set the parameter t = 2^{10}. For the second task, we used t = 2 to evaluate binary circuits.
from the security analysis of [18] based on Lindner and Peikert's method [32]. For the efficiency of the implementation, we choose the smallest integer m so as to satisfy Inequality (2) and pack the message into plaintext slots as many as possible. Next, we define a ladder of moduli to make the correct decryption after computation with L levels (see [18] for details). Finally, we consider the discrete Gaussian distribution χ_{ err } = D_{ℤ,σ}with mean 0 and standard deviation σ = 3.2 over the integers to sample random error polynomials.
Parameters of the YASHE scheme
As discussed before, t = 2^{10} will suffice to compute the MAFs and χ^{2} statistic. For the second task, we look for the parameter t ≠ 2 which maximizes the number of slots we can handle in one go. We fix the word ω = 2^{128} for the evaluation key and the standard deviation σ = 8 for the error distribution χ_{ err }.
Since we can estimate the size of the noise during homomorphic operations, we get a lower bound on q to ensure correctness. We also have maximal values of q to ensure the desired security using the results of [33], which gives a looser bound than LP's method. Then we set m as a power of two to get a non-trivial interval for q and select the smallest q in this interval.
Implementation results
Table 3: Implementation results of Task 1 using BGV and YASHE (s = number of SNVs, ℓ = number of slots, L = number of levels, |ct| = ciphertext size)
  Scheme  Test   s    t     log_2 q  n     ℓ     L  |ct|    KeyGen   Encrypt  Eval      Decrypt
  BGV     MAF    311  2^9   60       5292  378   3  78 kB   6.92 s   11.90 s  29.99 ms  290.06 ms
  BGV     MAF    610  2^9   61       8190  630   3  122 kB  10.28 s  14.85 s  33.36 ms  690.23 ms
  BGV     χ^2    311  2^10  60       5292  378   3  78 kB   6.35 s   11.61 s  30.05 ms  560.10 ms
  BGV     χ^2    610  2^10  61       8190  630   3  122 kB  12.27 s  15.13 s  38.17 ms  720.33 ms
  YASHE   MAF    311  2^10  48       1024  1024  0  6 kB    0.01 s   1.63 s   5.74 ms   33.71 ms
  YASHE   MAF    610  2^10  48       1024  1024  0  6 kB    0.04 s   4.10 s   16.98 ms  16.78 ms
  YASHE   χ^2    311  2^10  48       1024  1024  0  6 kB    0.01 s   1.61 s   5.99 ms   16.73 ms
  YASHE   χ^2    610  2^10  48       1024  1024  0  6 kB    0.04 s   4.12 s   17.20 ms  17.01 ms
Table 4: Implementation results of Task 2 using BGV and YASHE (Size = length of the input DNA sequences, ℓ = number of slots, L = number of levels, |ct| = ciphertext size)
  Scheme  Test     Size  t     log_2 q  n     ℓ     L  |ct|    KeyGen    Encrypt   Eval      Decrypt
  BGV     Hamming  5K    2     132      8190  630   7  264 kB  2.53 s    12.65 s   15.39 s   0.64 s
  BGV     Hamming  10K   2     132      8190  630   7  264 kB  2.53 s    24.90 s   29.39 s   1.29 s
  BGV     Edit     5K    2     150      8190  630   8  300 kB  3.41 s    16.98 s   40.86 s   2.97 s
  BGV     Edit     10K   2     150      8190  630   8  300 kB  3.41 s    33.34 s   76.08 s   5.81 s
  YASHE   Hamming  5K    8191  384      8192  4096  6  384 kB  130.59 s  29.70 s   68.31 s   2.67 s
  YASHE   Hamming  10K   8191  384      8192  4096  6  384 kB  130.59 s  58.82 s   134.87 s  5.04 s
  YASHE   Edit     5K    8191  384      8192  4096  6  384 kB  130.59 s  58.46 s   110.18 s  2.66 s
  YASHE   Edit     10K   8191  384      8192  4096  6  384 kB  130.59 s  116.61 s  245.04 s  5.07 s
Performance results of Task 1
In Table 3 the top four rows give the results using BGV, and the bottom four rows the results using YASHE, for computing the MAFs and χ^{ 2 } statistic in case-control groups. Note that the number of slots is the number of messages we can pack into a single ciphertext. When using YASHE, we evaluate simultaneously by embedding the data into the coefficients of the plaintext polynomial; the maximal degree of the plaintext polynomial is then taken as the number of slots.
In practice, we need to apply one more modulus-switching during homomorphic additions for the BGV scheme, so the total number of ciphertext moduli is L = 1 + 2 = 3. By contrast, L in YASHE counts the levels of multiplications (without taking the additions into account). In other words, when evaluating a polynomial of degree d on encrypted data, we have L ≈ log d levels of multiplications by computing in a binary-tree fashion. Thus L = 0 suffices to support the homomorphic additions of Task 1, so we do not need to generate the evaluation key, and key generation takes less time than for BGV. Moreover, the evaluation performance of YASHE is much better, since BGV requires a costly modulus switching operation even for simple homomorphic additions.
Performance results of Task 2
Table 4 presents the parameter setting and performance results for secure DNA sequence comparison using BGV and YASHE. We evaluated the performance with the input data of different sizes 5K and 10K. We implemented the comparison circuit with the same method as described in [17, Lemma 1] in order to reduce the circuit depth over encryption.
As discussed before, given the parameter L, we obtain the approximate size of the ciphertext modulus as log_{2} q ≈ 43 + 18 · (L − 2) for BGV when using t = 2 and R = ℤ[x]/(Φ_{8191}(x)). Since it should support L = 7 or 8 to correctly evaluate the genomic algorithms of Task 2, we use log_{2} q around 130 to 150. On the other hand, the size of the parameter q in YASHE should be strictly larger than 2L log_{2}(nt) ≈ 52L with t = 2^{9} and R = ℤ[x]/(x^{8192} + 1). So we used a 384-bit prime q such that q ≡ 1 (mod 2^{14}).
In the implementation of YASHE scheme, computing the inverse of f modulo q turns out to be the mosttime consuming part of the keygeneration, which runs in around 128.34 seconds(s). In total, it takes about 130.59s to generate the public key, secret key and evaluation keys, while the key generation of the BGV scheme takes about 3.41s in order to support 8 levels.
There is also quite a big gap between the two schemes in timings for a multiplication of ciphertexts: BGV takes around 0.07s, while YASHE takes around 1.75s (including the key switching step) under the parameter settings used in Task 2. For the efficiency of the YASHE scheme, we might avoid a costly key switching step during the homomorphic multiplication; however, it supports a limited number of homomorphic multiplications without the key switching step. This follows since the noise grows exponentially with the multiplicative depth through such consecutive operations. One alternative is to use a hybrid approach, in which we leave out key switching in certain places but do it in others using the evaluation key with a power of the secret key so that one can keep the ciphertext noise small for correct decryption. As a result, polynomial multiplication modulo x^{ n } + 1 takes about 0.64s, but it is still slower than that in BGV. As expected, BGV is faster than YASHE to evaluate the genomic algorithms for DNA sequence comparison.
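To make the parameter sizing of Task 2 concrete, here is an added Python example (not the paper's code) that evaluates the two estimates quoted above, log_{2} q ≈ 43 + 18 · (L − 2) for BGV and the ≈ 52L bound for YASHE, and then searches for a 384-bit prime q ≡ 1 (mod 2^{14}) of the kind the text uses for YASHE with n = 8192. The prime search (Miller-Rabin with a fixed random seed) and the root-of-unity check are standard constructions added here; the constant 52 is taken as the text's quoted approximation rather than recomputed, and the `task2_parameter_summary` helper is an assumption of this example, not a function from either library.

```python
import random

# Parameters quoted in the text for the Task 2 YASHE setting: R = Z[x]/(x^8192 + 1).
YASHE_N = 8192
YASHE_TWO_N = 2 * YASHE_N        # 2^14: the text requires q == 1 (mod 2^14)

_RNG = random.Random(2015)       # fixed seed so the example is reproducible


def bgv_log_q(levels):
    """Approximate ciphertext-modulus size in bits for BGV, as stated in the text
    for t = 2 and R = Z[x]/(Phi_8191(x)): log2 q ~ 43 + 18 * (L - 2)."""
    return 43 + 18 * (levels - 2)


def yashe_min_log_q(levels, bits_per_level=52):
    """Lower bound on log2 q for YASHE.  The text approximates 2L*log2(nt) as 52L
    for its parameters; 52 is used here as that quoted constant."""
    return bits_per_level * levels


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test, with trial division by small primes first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness of compositeness
    return True


def ntt_friendly_prime(bits, two_n=YASHE_TWO_N):
    """Smallest probable prime q of exactly `bits` bits with q == 1 (mod two_n).
    The congruence makes Z_q contain primitive two_n-th roots of unity, so
    x^n + 1 splits into linear factors mod q and NTT-based multiplication applies."""
    k = (1 << (bits - 1)) // two_n           # q = k*two_n + 1 starts at 2^(bits-1) + 1
    while True:
        q = k * two_n + 1
        if q.bit_length() > bits:
            raise RuntimeError("no prime of the requested size found")
        if is_probable_prime(q):
            return q
        k += 1


def primitive_root_of_unity(q, two_n=YASHE_TWO_N):
    """An element of exact order two_n (a power of two) in Z_q^*: raise a candidate
    g to (q-1)/two_n and keep w iff w^(two_n/2) == -1, which rules out every smaller
    power-of-two order."""
    if (q - 1) % two_n:
        raise ValueError("q must be congruent to 1 mod two_n")
    for g in range(2, q):
        w = pow(g, (q - 1) // two_n, q)
        if pow(w, two_n // 2, q) == q - 1:
            return w
    raise RuntimeError("unreachable for prime q")


def task2_parameter_summary():
    """The modulus sizes the text arrives at for Task 2, from the quoted estimates."""
    return {
        "bgv_log_q_L7": bgv_log_q(7),               # 133 bits
        "bgv_log_q_L8": bgv_log_q(8),               # 151 bits
        "yashe_min_log_q_L7": yashe_min_log_q(7),   # 364 bits, under the 384-bit q used
    }


if __name__ == "__main__":
    print(task2_parameter_summary())
    q = ntt_friendly_prime(384)
    w = primitive_root_of_unity(q)
    print(f"q has {q.bit_length()} bits, q mod 2^14 = {q % YASHE_TWO_N}")
    print(f"w^(2^14) == 1: {pow(w, YASHE_TWO_N, q) == 1}, "
          f"w^(2^13) == -1: {pow(w, YASHE_N, q) == q - 1}")
```

The search starts at the smallest 384-bit value of the form k · 2^{14} + 1 and walks upward, so the prime it returns is deterministic; the root-of-unity check confirms the property that the text's congruence condition is there to guarantee. The same two helpers work for any power-of-two 2n, which the test exercises with a small ring (n = 8, so 2n = 16) where the result can be checked by hand.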
Conclusions
In this paper, we discussed how to privately perform genomic tests on encrypted genome data using homomorphic encryption. In addition to efficient implementations of BGV and YASHE, we compared the two schemes both theoretically and practically. We found that there is a trade-off between security and performance. YASHE uses a power-of-two dimension n, which defines the 2n-th cyclotomic polynomial; this is a good choice for providing strong security, but it requires larger parameters than BGV to ensure correctness, and homomorphic multiplication in YASHE is slower than in BGV. Therefore, the performance numbers for BGV are better than YASHE when homomorphically evaluating deep circuits (like the Hamming distance algorithm or the approximate Edit distance algorithm). On the other hand, it is more efficient to use the YASHE scheme for a low-degree computation, such as minor allele frequencies or the χ^{2} test statistic in a case-control study.
Declarations
Acknowledgements
The authors would like to thank Michael Naehrig for extensive assistance with the code for the YASHE-based implementation for the contest. The authors would also like to thank the iDASH Secure Genome Analysis Contest organizers, in particular Xiaoqian Jiang and Shuang Wang, for running the contest and providing the opportunity to submit competing implementations for these important tasks. MK was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2014R1A2A 1A11050917).
This article has been published as part of BMC Medical Informatics and Decision Making Volume 15 Supplement 5, 2015: Proceedings of the 4th iDASH Privacy Workshop: Critical Assessment of Data Privacy and Protection (CADPP) challenge. The full contents of the supplement are available online at http://www.biomedcentral.com/14726947/15/S5.
Declarations
Publication funding for this supplement was supported by iDASH U54HL108460, iDASH linked R01HG007078 (Indiana University), NHGRI K99HG008175 and NLM R00LM011392.
References
1. Personal Genome Project. [http://www.personalgenomes.org/]
2. HapMap Project. [http://hapmap.ncbi.nlm.nih.gov/]
3. Humbert M, Ayday E, Hubaux JP, Telenti A: Addressing the concerns of the Lacks family: quantification of kin genomic privacy. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2013, 1141-1152.
4. Erlich Y, Narayanan A: Routes for breaching and protecting genetic privacy. Nature Reviews Genetics. 2014, 15 (6): 409-421.
5. Naveed M, Ayday E, Clayton EW, Fellay J, Gunter CA, Hubaux JP, Malin BA, Wang X: Privacy in the Genomic Era. arXiv, abs/1405.1891v3.
6. Kantarcioglu M, Jiang W, Liu Y, Malin B: A cryptographic approach to securely share and query genomic sequences. IEEE Trans on Inf Technol Biomed. 2008, 12 (5): 606-617.
7. Baldi P, Baronio R, Cristofaro ED: Countering GATTACA: efficient and secure testing of fully-sequenced human genomes. Proceedings of the 18th ACM Conference on Computer and Communications Security. 2011, 691-702.
8. Ayday E, Raisaro JL, McLaren PJ, Fellay J, Hubaux JP: Privacy-preserving Computation of Disease Risk by Using Genomic, Clinical, and Environmental Data. USENIX Workshop on Health Information Technologies. 2013.
9. Gentry C: Fully homomorphic encryption using ideal lattices. Proceedings of the 40th ACM Symposium on Theory of Computing. 2009, 169-178.
10. van Dijk M, Gentry C, Halevi S, Vaikuntanathan V: Fully homomorphic encryption over the integers. Proceedings of Advances in Cryptology - EUROCRYPT. 2010, 6110: 24-43.
11. Gentry C, Sahai A, Waters B: Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. Proceedings of Advances in Cryptology - CRYPTO. 2013, 8042: 75-92.
12. Yasuda M, Shimoyama T, Kogure J, Yokoyama K, Koshiba T: Secure pattern matching using somewhat homomorphic encryption. Proceedings of the ACM Cloud Computing Security Workshop. 2013, 65-76.
13. Lauter K, Naehrig M, Vaikuntanathan V: Can homomorphic encryption be practical? Proceedings of the 18th ACM Conference on Cloud Computing Security. 2011, 113-124.
14. Graepel T, Lauter K, Naehrig M: ML Confidential: Machine learning on encrypted data. Proceedings of Information Security and Cryptology - ICISC. 2012, 7839: 1-21.
15. Bos JW, Lauter K, Naehrig M: Private predictive analysis on encrypted medical data. Journal of Biomedical Informatics. 2014, 50: 234-243.
16. Lauter K, López-Alt A, Naehrig M: Private computation on encrypted genomic data. Proceedings of Progress in Cryptology - LATINCRYPT. 2014, 8895: 3-27.
17. Cheon JH, Kim M, Lauter K: Homomorphic computation of edit distance. Proceedings of Financial Cryptography and Data Security - FC International Workshop WAHC. Edited by: Brenner M, Christin N, Johnson B, Rohloff K. 2015, 8976: 194-212.
18. Gentry C, Halevi S, Smart N: Homomorphic evaluation of the AES circuit. Proceedings of Advances in Cryptology - CRYPTO. 2012, 7417: 850-867.
19. Bos JW, Lauter K, Loftus J, Naehrig M: Improved security for a ring-based fully homomorphic encryption scheme. Proceedings of Cryptography and Coding - 14th IMA International Conference. 2013, 8308: 45-64.
20. Wagner RA, Fischer MJ: The string-to-string correction problem. Journal of the ACM. 1974, 21 (1): 168-173.
21. Brakerski Z, Gentry C, Vaikuntanathan V: (Leveled) fully homomorphic encryption without bootstrapping. Proceedings of the 3rd Innovations in Theoretical Computer Science Conference. 2012, 309-325.
22. Brakerski Z: Fully homomorphic encryption without modulus switching from classical GapSVP. Proceedings of Advances in Cryptology - CRYPTO. 2012, 7417: 868-886.
23. Lyubashevsky V, Peikert C, Regev O: On ideal lattices and learning with errors over rings. Proceedings of Advances in Cryptology - EUROCRYPT. 2010, 6110: 1-23.
24. Smart N, Vercauteren F: Fully homomorphic SIMD operations. Designs, Codes and Cryptography. 2014, 71 (1): 57-81.
25. Stehlé D, Steinfeld R: Making NTRU as secure as worst-case problems over ideal lattices. Proceedings of Advances in Cryptology - EUROCRYPT. 2011, 6632: 27-47.
26. López-Alt A, Tromer E, Vaikuntanathan V: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. Proceedings of the 40th ACM Symposium on Theory of Computing. 2012, 1219-1234.
27. Cheon JH, Kim M, Kim M: Search-and-compute on encrypted data. Proceedings of Financial Cryptography and Data Security - FC International Workshop WAHC. Edited by: Brenner M, Christin N, Johnson B, Rohloff K. 2015, 8976: 142-159.
28. Halevi S, Shoup V: Design and implementation of a homomorphic encryption library. Technical report, IBM. 2013.
29. Shoup V: NTL: A Library for Doing Number Theory. [http://www.shoup.net/ntl]
30. Bluestein LI: A Linear Filtering Approach to the Computation of Discrete Fourier Transform. IEEE Transactions on Audio and Electroacoustics. 18 (4): 451-455.
31. Nussbaumer HJ: Fast polynomial transform algorithms for digital convolution. IEEE Trans on Acoustics, Speech and Signal Processing. 1980, 28 (2): 205-215.
32. Lindner R, Peikert C: Better key sizes (and attacks) for LWE-based encryption. Proceedings of Topics in Cryptology - CT-RSA. 2011, 6558: 319-339.
33. Lepoint T, Naehrig M: A comparison of the homomorphic encryption schemes FV and YASHE. Proceedings of Progress in Cryptology - AFRICACRYPT. 2014, 8469: 318-335.
Copyright
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated.