Secure distributed genome analysis for GWAS and sequence comparison computation

Basic solution

For each SNP in the input, the computation is identical (and independent of other SNPs) and thus it suffices to describe the computation for a single SNP.

We divide the overall computation into three phases: input preparation, computation execution, and output reconstruction, which proceed as follows. Observe that each input site i can locally compute $n_{cA}^{\left(i\right)}$, $n_{tA}^{\left(i\right)}$, $n_{cB}^{\left(i\right)}$, $n_{tB}^{\left(i\right)}$ for each SNP. This is what is done as part of input preparation, after which each input site secret shares each of its computed values and distributes the shares among all three computational parties. We use notation [a] to denote that the value of a is secret-shared among the computational parties (i.e., each party holds a different share of a).

During computation execution, the computation proceeds on the shares to compute MAF and chi-squared statistics using equations 1 and 2 and secure building blocks from the previous section. We choose to perform only the private portion of the computation on secret shares, while postponing the computation with public constants to the output reconstruction phase. This is done for performance reasons to reduce the size of values used in the computation.

To calculate the MAF for each SNP in parallel, the computation follows equation 1 with provisions to make the computation data-oblivious. That is, each computational party performs the following steps: In this section we describe our approach to securely

1 $\left[n_A\right]=\left[n_{cA}^{\left(1\right)}\right]+\left[n_{tA}^{\left(1\right)}\right]+\left[n_{cA}^{\left(2\right)}\right]+\left[n_{tA}^{\left(2\right)}\right];$

2 $\left[n_B\right]=\left[n_{cB}^{\left(1\right)}\right]+\left[n_{tB}^{\left(1\right)}\right]+\left[n_{cB}^{\left(2\right)}\right]+\left[n_{tB}^{\left(2\right)}\right];$

3 $\left[b\right]=\mathsf{\text{LT(}}\left[n_A\right],\left[n_B\right],{\ell }_1\mathsf{\text{);}}$

4 $\left[re{s}_1\right]=\mathsf{\text{Mult}}\left(\left[b\right],\left[n_A\right]-\left[n_B\right]\right)+\left[n_B\right];$

The first two steps that aggregate the input values are local to each computational party, but steps 3 and 4 that produce the minimum of n _A and n _B involve joint computation by all of them. We subsequently discuss the choice of the parameter ℓ ₁.

To compute the chi-squared statistics for each SNP in parallel, we similarly follow the computation in equation 2 using the following steps:

1 $\left[n_{cA}\right]=\left[n_{cA}^{\left(1\right)}\right]+\left[n_{cA}^{\left(2\right)}\right];$

2 $\left[n_{tA}\right]=\left[n_{tA}^{\left(1\right)}\right]+\left[n_{tA}^{\left(2\right)}\right];$

3 $\left[n_{cB}\right]=\left[n_{cB}^{\left(1\right)}\right]+\left[n_{cB}^{\left(2\right)}\right];$

4 $\left[n_{tB}\right]=\left[n_{tB}^{\left(1\right)}\right]+\left[n_{tB}^{\left(2\right)}\right];$

5 [a] = Mul([n _cA ], [n _tB ]);

6 [b] = Mul([n _cB ], [n _tA ]);

7 [c] = Mul([n _cA ] + [n _tA ], [n _cB ] + [n _tB ]);

8 [d] = Mul([a] − [b], [a] − [b]);

9 [res₂] = Div(k · [d], [c], ℓ ₂);

Lines 5, 6, and 8 compute the numerator in equation 2 and line 7 its denominator (multiplication by public N , N _c , and N _t is omitted). The numerator is then scaled up by a factor of k to ensure that using integer division will provide sufficient precision of the result. The bitlength of k will be on the order of the precision of the answer in bits. We defer discussion of the choice of ℓ ₂ to the next section.

At the end of the computation, all computational parties send their shares of the result res₁ and res₂ for each SNP to one of the input sites who reconstruct the values. The output party then sets the result of MAF computation to res₁/N ^' and the result of the chi-squared computation to $\left(re{s}_2\cdot N^{\prime }\right)/\left(k{N}_c^{\prime }{N}_t^{\prime }\right)$.

Optimizations

Basic solution

As before, we divide the overall computation into three phases: input preparation, joint computation execution, and output reconstruction.

Input preparation. Each input site i extracts all SUB and SNP records from its dataset and pads them with dummy records to size N _i + 1 (we require at least one dummy record). (If the combined fraction of SUB and SNP records is guaranteed to be within a certain fraction α < 1 of the total size for typical genomic datasets, then the datasets can be padded to αN _i + 1 records. For this competition, α could not be lower than 1.) Furthermore, to meet Batcher's mergesort requirements, the input parties additionally pad the sets with dummy records so that the combined size of the two datasets is 2 ^q , where q = ⌈log2(N1 + N2 + 2)⌉. We use this newly formed dataset as the input into the computation and refer to it as a "dataset".

After computing a 3-tuple (V₁, V₂, V₃) for each record in its dataset, an input site i sorts the records by the V₁ field to form set S _i , generates shares of all records in S _i , and distributes them to the computational parties (we slightly abuse notation and use [S _i ] to denote shares of all values in S _i ). It also distributes shares of the number of dummy records d _i in S _i .

Computation execution. After receiving two sorted sets of ([V₁], [V₂], [V₃]) triples from both input sites, the computational parties run oblivious merge using [V1] as the key. The algorithm is built using an input-independent sequence of compare-and-exchange operations. Each operation takes two integers and either swaps them or leaves them unchanged so that the first output (min) is always smaller than the second (max). In our framework, it is implemented as follows:

1 [c] = LT([a], [b], ℓ );

2 [min] = [c]([a] − [b]) + [b];

3 [max] = [c]([b] − [a]) + [a];

Note that lines 2 and 3 involve only a single multiplication (i.e., first compute [c]([a] − [b]) and then set [min] and [max] with no additional interaction). When applying this operation to our setting, comparisons on line 1 are performed using [V₁]'s, but the entire records ([V₁], [V₂], [V₃]) are swapped (or left unchanged) using comparison results [c].

The computational parties next compute the Hamming distance as specified in Algorithm 2. Sets S₁ and S₂ represent sorted input triples of the input parties and parameters ℓ₁ and ℓ₂ correspond to the bitlengths of fields V₁ and V₂ (or V₃), as discussed previously.

Because a specific location V₁ appears only once in each of the input datasets (except for dummy records), there will be at most two records with the same V₁ in the combined set. The algorithm works by looking at each pair of two consecutive elements in the combined sorted set and adds 1 to dist if this is the first time the location appears on the list (i.e., a _i = 0 on line 4). The distance is incremented automatically for the first record (dist = 1 on line 2). Then, if a location appears for the second time (a _i = 1 on line 4), the algorithm examines the values of V₂ and V₃ fields (lines 5-6) to determine whether the condition for incrementing the distance is satisfied (i.e., b _i = 1 and c _i = 0). If not (b _i = 0 or c _i = 1), dist is decremented by 1 to compensate for the fact that it was increased during previous loop iteration. All dummy records collectively contribute distance −d₁−d₂ +2 (i.e., 0 for the first two records and −1 for each additional record) and this is why we adjust the computed distance at the end (line 9). We note that all loop iterations and all comparisons within a loop iteration can be carried out in parallel.

Algorithm 2 SecureHD([S₁], [S₂], [d₁], [d₂])

1: ${\left(\left[V_1^{\left(i\right)}\right],\left[V_2^{\left(i\right)}\right],\left[V_3^{\left(i\right)}\right]\right)}_{i=1}^{2^q}=\mathsf{\text{Merge}}\left(\left[S_1\right],\left[S_2\right]\right)$

2: dist = 1

3: for i = 2 to 2 ^q do

4:   $\left[a_i\right]=\mathsf{\text{EQ}}\left(\left[V_1^{\left(i-1\right)}\right],\left[V_1^{\left(i\right)}\right],{\ell }_1\right)$

5:   $\left[b_i\right]=\mathsf{\text{EQ}}\left(\left[V_2^{\left(i-1\right)}\right],\left[V_2^{\left(i\right)}\right],{\ell }_2\right)$

6:   $\left[c_i\right]=\mathsf{\text{EQ}}\left(\left[V_3^{\left(i-1\right)}\right],\left[V_3^{\left(i\right)}\right],{\ell }_2\right)$

7: dist = dist + (1 − [a _i ]) + [a _i ]([b _i ](1 − [c _i ]) − 1)

8: end for

9: dist = dist + [d₁] + [d₂] −2

10: return dist

Output reconstruction is straightforward and consists only of receiving and combining shares of the computed Hamming distance.

Separating SUB and SNP records

As the first significant optimization, we separate computation of the distance for SNP and SUB records and consequently reconstruct the overall distance from the two values. The main reason for this is to reduce the time comparisons of V₂ and V₃ take. Recall that SNP records contain a single character in REF and ALT fields, while SUB records can contain longer strings. In the genomic datasets we worked with, a great majority of all records were SNP records that can be processed using 2-bit comparisons for V₂ and V₃ (i.e., ℓ₂ = 2). In the basic solution, however, the bitlength had to be unnecessarily increased by two orders of magnitude for most records to meet privacy requirements. Thus, the idea consists of extracting two sets from each input dataset: one consisting of SNP records and another consisting of SUB records. Then the distance for SUB records is computed separately from the distance for SNP records and the sum is returned as the result.

This strategy works well if all records with the same ⟨CHROM, POS⟩ pair are always marked with the same type across all datasets. It is, however, possible for two datasets to contain SUB and SNP records corresponding to the same location. Because of the existence of such records, the Hamming distance will not be computed correctly if we simply add the two distances together. That is, if one record appears in the SUB set and another with the same location appears in the SNP set, they collectively will contribute 2 to the overall distance instead of correct 0 or 1 (depending on other attributes). To address this, we need to find all such pairs and compensate for the difference they introduced, which is the most subtle part of our solution. We next provide more detail about the solution and highlight the differences from the basic scheme.

Input preparation. Given a dataset, an input entity produces two subsets: one composed of SUB records and one composed of both SUB and SNP records from the dataset. As before, both sets need to be padded with dummy records to hide their number and make the size to be a power of 2 to the combined size of 2 ^qs and 2 ^q , where q _s = ⌈log(α _s (N₁ + N₂) + 2)⌉ and q = ⌈log(α(N₁ + N₂) + 2⌉ and α _s (α) denotes the maximum fraction of SUB (resp., SNP and SUB) records in genomic datasets (we were given α = 1 and α _s = 0.3). All records in the SUB set are converted to (V₁, V₂, V₃) triples as before. For the SNP&SUB set, one-character REF and ALT fields in SNP or SUB records are represented using integers 0-3, while these fields of longer length in SUB records are represented using integer 4 (i.e., V₂ and V₃ fields are 3 bits long). This will guarantee that comparison of a one-character long REF or ALT field in a SNP record with a longer REF or ALT field in a SUB record will result in their inequality. We also add another binary attribute V₄ to each record of the SNP&SUB set that indicates whether the record is of SUB type (V₄ = 0) or SNP type (V₄ = 1). We set V₄ = 0 in dummy records.

Each input entity now produces shares of (V₁, V₂, V₃) in its SUB set and (V₁, V₂, V₃, V₄) in its SNP&SUB set (together with the number of dummy records in each set) and distributes them to the computational parties. We note that computation with SNP&SUB sets can be performed on shorter bitlengths, which results in faster arithmetic, and thus we setup two different instances of the secret sharing scheme and process SUB sets separately from SNP&SUB sets.

Computation execution. To compute the Hamming distance correctly, we now distinguish between different cases: (i) SUB records that don't have a SNP record with identical location in the other dataset, (ii) SNP records that don't have a SUB record with identical location in the other dataset, and (iii) records that have another record with identical location but different type present in the other dataset. Let N0 denote the number of records in the third category.

Algorithm 3 SecureHD2([S₁], [S₂])

1: ${\left(\left[V_1^{\left(i\right)}\right],\left[V_2^{\left(i\right)}\right],\left[V_3^{\left(i\right)}\right],\left[V_4^{\left(i\right)}\right]\right)}_{i=1}^{2^q}=\mathsf{\text{Merge}}\left(\left[S_1\right],\left[S_2\right]\right)$

2: $\mathsf{\text{dist}}=\left[V_4^{\left(1\right)}\right]$

3: for i = 2 to 2 ^q do

4:   $\left[a_i\right]=\mathsf{\text{EQ}}\left(\left[V_1^{\left(i-1\right)}\right],\left[V_1^{\left(i\right)}\right]\right)$

5:   $\left[b_i\right]=\mathsf{\text{EQ}}\left(\left[V_2^{\left(i-1\right)}\right],\left[V_2^{\left(i\right)}\right]\right)$

6:   $\left[c_i\right]=\mathsf{\text{EQ}}\left(\left[V_3^{\left(i-1\right)}\right],\left[V_3^{\left(i\right)}\right]\right)$

7:   $\left[d_i\right]=\mathsf{\text{OR}}\left(\left[V_4^{\left(i-1\right)}\right],\left[V_4^{\left(i\right)}\right]\right)$

8:   $\left[e_i\right]=\mathsf{\text{XOR}}\left(\left[V_4^{\left(i-1\right)}\right],\left[V_4^{\left(i\right)}\right]\right)$

9:   $\mathsf{\text{dist}}+=\left[d_i\right]\left(\left(1-\left[a_i\right]\right)\left[V_4^{\left(i\right)}\right]+\left[a_i\right]\left(\left[b_i\right]\left(1-\left[c_i\right]\right)-\left[V_4^{\left(i-1\right)}\right]\right)\right)-\left[a_i\right]\left[e_i\right]$

10: end for

11: return dist

The computational parties execute Algorithm 2 on two SUB datasets. This computes the distance corresponding to the records in category 1, but also introduces offset N₀. The parties then execute Algorithm 3 on two SNP&SUB sets that computes the distance corresponding to categories 2 and 3 and additionally compensates for the offset. The output will then be the sum of the distances computed by both algorithms.

In Algorithm 3, when examining each pair of consecutive records, we only consider those that contain at least one SNP record within the pair (d _i = 1 on line 9). Furthermore, similar Algorithm 2, when observing a location for the first time, we add 1 to the Hamming distance, but only if it is a SNP record ($V_4^{\left(1\right)}=1$ on line 2 and $V_4^{\left(i\right)}=1$ on line 9). If a location appears for the second time, we undo the previous increment if b _i = 0 or c _i = 1 as before, but only if the record preceding the current one is of type SNP (i.e., $V_4^{\left(i-1\right)}=1$ on line 9). By doing that, we are able compute the distance corresponding to records of second and third types without introducing errors. The offset N₀ is compensated by the last term a _i e _i on line 9, that counts the number of pairs of consecutive records that have the same location (a _i = 1), but different types (e _i = 1). OR([x], [y]) and XOR([x], [y]) are implemented as [x]+[y]−Mult([x], [y]) and [x]+[y]−2Mult([x], [y]), respectively (computation of d _i and e _i reuses the same multiplication result).

Note that dummy records do not introduce any error in Algorithm 3. That is, d _i = 0 and e _i = 0 when both records i and i − 1 are dummy and the expression on line 9 evaluates to 0. Similarly, when record i−1 is real while record i is fake that expression also evaluates to 0 because a _i = 0 and $V_4^{\left(i\right)}=0$.

After computing the distances corresponding to SUB and SNP&SUB sets, the parties need to convert shares of one of them into shares of the same value in the secret sharing setup used by the other algorithm. Then the distances can be locally added to compute the over-all result. Output reconstruction is performed as before by exchanging the shares and recovering the result.

The performance gain achieved by this optimization highly depends on the values of public parameters α _s , α, and M. While the gain stems from using shorter values for V₂ and V₃ with SNP&SUB sets, the total number of records processed using this solution $\left(2^q+2^{q_s}\right)$ is greater than in the basic scheme (2 _q ). Therefore, this optimization is recommended with relatively small α _s and large M. In our experiments with α _s = 0.3, α = 1, and M = 100, we observed approximately 30% performance improvement compared to the basic scheme.

Reducing set size

Our second optimization is with respect to oblivious sort and removing the requirement that the input size has to be a power of 2 for the merge step of Batcher's mergesort. To explain how our optimization works, we need to provide additional details about Batcher's mergesort algorithm.

After executing the first iteration of the outer loop, the first (second) half of L will contain (m + n)/2 smallest (resp., largest) elements of L although they are not necessarily sorted. After its second iteration, the ith quarter of L will contain the ith quarter of elements in the final sorted list for i = 1, ..., 4. This process continues until each sublist contains one element and L becomes sorted. Notice that the algorithm uses log(m + n) iterations of the outer loop, and in each iteration every element in the list is used in a compare-and-exchange operation, which is the reason for requiring the size of the list to be a power of 2.

Consider an example with input L₁ = (3, 4, 6, 9, 12) and L₂ = (2, 5, 10), which is combined into L = (3, 4, 6, 9, 12, 10, 5, 2). In the first iteration of the outer loop, compare-and-exchange operations are performed on pairs (3, 12), (4, 10), (6, 5), and (9, 2), and the resulting list is (3, 4, 5, 2, 12, 10, 6, 9). In the second iteration, comparisons are performed on (3, 5), (4, 2), (12, 6), (10, 9) and produce (3, 2, 5, 4, 6, 9, 12, 10). In the last iteration, we compare every pair of consecutive elements (3, 2), (5, 4), (6, 9), (12, 10), which results in the final sorted list (2, 3, 4, 5, 6, 9, 10, 12). If L2 = (2, 5) instead, after all iterations 2 will remain at the end of the list making it unsorted, as the element does not have any pair to use in a comparison.

We next proceed with describing our strategy for generalizing the merge operation to work with inputs of arbitrary sizes, which might be of independent interest. There will be no need to pad the input in the beginning to make the overall input size to be a power of 2, but dummy records are now added throughout algorithm execution as needed. This means that earlier loop iterations use a smaller number of elements and are therefore faster than in the original algorithm. In particular, at each loop iteration, if the size of a sublist is odd, we append a copy of its last element to the end. This will ensure that comparisons can be performed at the current level while still preserving the necessary properties of the (partially) sorted list. For example, suppose we want to merge (3, 6, 8) and (5, 7). Before the first iteration 5 will be added to the list (3, 6, 8, 7, 5) because the number of elements in it is odd, and we obtain (3, 5, 5, 7, 6, 8) at the end of that iteration. At the time of second iteration, the size of sublists (3, 5, 5) and (7, 6, 8) is also odd and they are modified to be (3, 5, 5, 5) and (7, 6, 8, 8). In the next iteration no additional padding is used and we obtain (3, 5, 5, 5, 6, 7, 8, 8) at the end of the algorithm.

In the context of Hamming distance computation, we similarly make a copy of the entire last record of a subset as needed during the merge step. More importantly, after having the list sorted, we need to ensure the Hamming distance is computed correctly because the introduction of repeated records creates inaccuracies in Algorithm 2. Now two consecutive records with the same location in the sorted set may correspond to (i) two records in the original datasets, (ii) two copied records, or (iii) one original and one copied record. Let a _i and a _j be two different records with the same location in the original datasets. If they get copied during the merge as $a_i^{\prime }$ and $a_j^{\prime }$, the relative order of these records in the sorted list can be arbitrary (e.g., $\left(a_i^{\prime },a_i,a_j,a_j^{\prime }\right)$, $\left(a_i^{\prime },a_j,a_i,a_j^{\prime }\right)$, etc.) and they may contribute more than 1 to the computed distance.

We address the problem by modifying locations of records in the datasets so that (i) two records originally with the same location are assigned locations that differ by 1 and (ii) two records originally with different locations are assigned locations that differ by more than 1. By doing that, a pair of consecutive records with the same location in the sorted set is guaranteed to correspond to either two copied records or one original record and its copy. In either case, the Hamming distance should not get affected. We implement this change by setting the location to 4V₁, where V₁ is the original location, for records from the first input site and to 4V₁ + 1 for records from the second input site.

Algorithm 4 SecureHD3([S₁], [S₂])

1: ${\left(\left[V_1^{\left(i\right)}\right],\left[V_2^{\left(i\right)}\right],\left[V_3^{\left(i\right)}\right]\right)}_{i=1}^{2^q}=\mathsf{\text{NewMerge}}\left(\left[S_1\right],\left[S_2\right]\right)$

2: dist = 1

3: for i = 2 to 2 ^q do

4:   $\left[a_i\right]=\mathsf{\text{EQ}}\left(\left[V_1^{\left(i-1\right)}\right],\left[V_1^{\left(i\right)}\right]\right)$

5:   $\left[b_i\right]=\mathsf{\text{EQ}}\left(\left[V_2^{\left(i-1\right)}\right],\left[V_2^{\left(i\right)}\right]\right)$

6:   $\left[c_i\right]=\mathsf{\text{EQ}}\left(\left[V_3^{\left(i-1\right)}\right],\left[V_3^{\left(i\right)}\right]\right)$

7:   $\left[d_i\right]=\mathsf{\text{EQ}}\left(\left[V_1^{\left(i-1\right)}\right]+1,\left[V_1^{\left(i\right)}\right]\right)$

8:   $\mathsf{\text{dist}}+=\left(1-\left[a_i\right]\right)\left(1-\left[d_i\right]+\left[d_i\right]\left(\left[b_i\right]\left(1-\left[c_i\right]\right)-1\right)\right)$

9: end for

10: return dist

With this solution, the input sites prepare their input datasets as in the basic scheme, but pad a set to size N _i + 1 instead of requiring the combined size to be a power of 2. The computational parties can locally modify V₁'s in the input records run the improved merge and compute the Hamming distance as specified in Algorithm 4. The algorithm has two major differences compared to Algorithm 2: (i) when examining each pair of consecutive records, only pairs with different locations can contribute to the distance (a _i = 0 on line 8) and (ii) when locations of two consecutive records differ by 1 (d _i = 1 on line 8), they are treated as having the same location in Algorithm 2, and when the locations differ by neither 1 nor 0 (d _i = 0 and a _i = 0 on line 8), they are treated as having different locations in Algorithm 2.

Dummy records inserted by each input site into their input datasets do not affect correctness of the Hamming distance that uses this optimization (including the combined solution in Algorithm 5). This is because the first dummy record from the first input set will result in the distance incremented by 1, while the first dummy record from the second input set will result in the distance decremented by 1. All consecutive dummy records from the first or the second input datasets do not modify the distance (because all records with the same V₁ are ignored).

We recently became aware of a sorting algorithm [16] that generalizes Batcher's bitonic sort to input sizes which are not a power of 2 without adding extra records during the sorting procedure. The algorithm results in the same asymptotic complexity as our solution, but performs fewer compare-and-exchange operations in each iteration (because dummy records are not added), which is expected to lead to better performance than our algorithm. We plan to provide both theoretical and empirical comparison of this algorithm with our solution as future work.

Our final solution consists of using both optimizations from the previous and current subsections, and we summarize it in Algorithm 5. We omit its explanation due to space considerations.

Algorithm 5 SecureHD4 $\left(\left[S_1^{\mathsf{\text{SUB}}}\right],\left[S_1^{\mathsf{\text{SNP}}}\right],\left[S_2^{\mathsf{\text{SUB}}}\right],\left[S_2^{\mathsf{\text{SNP}}}\right]\right)$

1: dist₁ = SecureHD3$\left(\left[S_1^{\mathsf{\text{SUB}}}\right],\left[S_2^{\mathsf{\text{SUB}}}\right]\right)$

2: ${\left(\left[V_1^{\left(i\right)}\right],\left[V_2^{\left(i\right)}\right],\left[V_3^{\left(i\right)}\right],\left[V_4^{\left(i\right)}\right]\right)}_{i=1}^{2^q}=\mathsf{\text{NewMerge}}\left(\left[S_1^{\mathsf{\text{SNP}}}\right],\left[S_2^{\mathsf{\text{SNP}}}\right]\right)$

3: $\mathsf{\text{dis}}{\mathsf{\text{t}}}_2=\left[V_4^{\left(0\right)}\right]$

4: for i = 2 to 2 ^q do

5:   $\left[a_i\right]=\mathsf{\text{EQ}}\left(\left[V_1^{\left(i-1\right)}\right],\left[V_1^{\left(i\right)}\right]\right)$

6:   $\left[b_i\right]=\mathsf{\text{EQ}}\left(\left[V_2^{\left(i-1\right)}\right],\left[V_2^{\left(i\right)}\right]\right)$

7:   $\left[c_i\right]=\mathsf{\text{EQ}}\left(\left[V_3^{\left(i-1\right)}\right],\left[V_3^{\left(i\right)}\right]\right)$

8:   $\left[d_i\right]=\mathsf{\text{OR}}\left(\left[V_4^{\left(i-1\right)}\right],\left[V_4^{\left(i\right)}\right]\right)$

9:   $\left[e_i\right]=\mathsf{\text{XOR}}\left(\left[V_4^{\left(i-1\right)}\right],\left[V_4^{\left(i\right)}\right]\right)$

10:   $\left[g_i\right]=\mathsf{\text{EQ}}\left(\left[V_1^{\left(i-1\right)}\right]+1,\left[V_1^{\left(i\right)}\right]\right)$

11:   $\mathsf{\text{dis}}{\mathsf{\text{t}}}_2+=\left(1-\left[a_i\right]\right)\left(\left[d_i\right]\left(\left(1-\left[g_i\right]\right)\left[V_4^{\left(i\right)}\right]+\left[g_i\right]\left(\left[b_i\right]\left(1-\left[c_i\right]\right)-V_4^{\left(i-1\right)}\right)\right)-\left[g_i\right]\left[e_i\right]\right)$

12: end for

13: return dist₁ + Convert(dist₂)