FORESEE: Fully Outsourced secuRe gEnome Study basEd on homomorphic Encryption
BMC Medical Informatics and Decision Making, volume 15, Article number: S5 (2015)
Abstract
Background
The increasing availability of genome data motivates massive research studies in personalized treatment and precision medicine. Public cloud services provide a flexible way to mitigate the storage and computation burden of conducting genome-wide association studies (GWAS). However, data privacy is a widespread concern when sharing sensitive information in a cloud environment.
Methods
We presented a novel framework (FORESEE: Fully Outsourced secuRe gEnome Study basEd on homomorphic Encryption) to fully outsource GWAS (i.e., chi-square statistic computation) using homomorphic encryption. The proposed framework enables secure divisions over encrypted data. We introduced two division protocols (i.e., secure errorless division and secure approximation division) with a tradeoff between complexity and accuracy in computing chi-square statistics.
Results
The proposed framework was evaluated for the task of chi-square statistic computation with two case-control datasets from the 2015 iDASH genome privacy protection challenge. Experimental results show that the performance of FORESEE can be significantly improved through algorithmic optimization and parallel computation. Remarkably, the secure approximation division provides a significant performance gain without missing any significant SNPs in the chi-square association test using the aforementioned datasets.
Conclusions
Unlike many existing HME-based studies, in which final results need to be computed by the data owner due to the lack of a secure division operation, the proposed FORESEE framework supports complete outsourcing to the cloud and outputs the final encrypted chi-square statistics.
Introduction
Owing to the community effort on big data, biomedical science is moving its focus towards data-driven methodologies [1], which rely on collecting, integrating and analyzing large-scale data. For biomedical studies, especially genome analysis, the required storage and computational capacities may easily exceed the available resources in a single institution. Recently, cloud computing [2] has emerged as a flexible alternative to support cost-effective biomedical research with big data. Researchers can rely on a cloud environment to easily scale up their studies with large-scale data. However, the adoption of cloud computing in biomedical studies also raises more and more concerns about the potential data privacy risk in comparison with the local computing environment. As genome data are extremely sensitive, the storage of raw genomes in a cloud may increase the disclosure risk.
The recently announced NIH policy [3] allows NIH-funded studies to utilize public clouds to facilitate data analysis. However, the researchers, instead of the cloud providers, are responsible for the data security and privacy. Many existing attacks [4–6] also demonstrate the vulnerability of de-identified genome data. Thus, it is important to protect the privacy of genome data [7–9]. The rapid improvements of data protection techniques make it possible to perform certain computations over encrypted data [10, 11] based on homomorphic encryption.
In [12], Gentry proposed the first fully homomorphic encryption scheme to enable both addition and multiplication operations over encrypted data. Brakerski et al. [13, 14] improved the homomorphic encryption scheme based on learning with errors (LWE). Lauter et al. [15] presented several secure statistical algorithms for genetic association studies based on homomorphic encryption. Besides, Togan et al. [16] studied the integer comparison problem over homomorphic encrypted data. Recently, Graepel et al. [17] and Naehrig et al. [18] also showed that certain machine learning algorithms can be implemented using HME. Wang et al. [24] proposed a novel homomorphic encryption based framework to securely compute exact logistic regression. Cheon et al. [19] developed a protocol for HME-based edit distance calculation that employed the greedy algorithm to obtain the upper bound of the exact edit distance. Zhang et al. [25] improved homomorphic edit distance computation by combining a path-finding algorithm and integer comparison.
In this paper, we propose the FORESEE framework to achieve secured and fully outsourced chi-square statistics computation in a public cloud. We assume that the cloud faithfully follows the protocol but may be curious about information from the received data, which is the so-called semi-honest adversary model [20]. The proposed FORESEE framework enables a secure division operation over the homomorphic encrypted data and allows the cloud to directly release the study results. To be concrete, the contribution of this paper is twofold.

We develop a secure errorless division protocol, where a one-to-one mapping function is constructed for the floating numbers in computation and the study results can be accurately decrypted with a lookup table.

We present a secure approximation division protocol to balance the complexity and accuracy with well-designed secure integer division in secure computation. In implementation, binary tree product and group-based computation are adopted to reduce circuit depth and the number of homomorphic multiplications.
For validation, experimental results show that the proposed FORESEE framework can identify all the significant SNPs based on the chi-square statistics with a moderate complexity using multiple slots for parallel computation.
Method
For clarity, in the rest of this paper, we use bold symbols to represent vector and matrix variables and normal symbols for scalar variables. Unless otherwise specified, $\widehat{\Delta}$ is reserved for the encrypted version of variable or function Δ and log (·) stands for the logarithm with base 2.
Secure outsourcing GWAS
In this paper, we focus on the task of secure outsourcing GWAS in the 2015 iDASH challenge [21]. Given the genotypes from two groups over a number of single nucleotide polymorphisms (SNPs), we aim to securely calculate the chi-square statistics for the SNPs between the given case-control groups. The chi-square statistic χ^{2} is used by the chi-square test to statistically assess whether there is a significant association between the genetic variants and disease status. Typically, χ^{2} is obtained by cumulating the normalized squared deviations between the observed and expected frequency distribution of alleles.
Here, O_{ i,j } and E_{ i,j } are the observed and expected allele counts for allele j, e.g. j = 1 for allele 'A' and j = 2 for allele 'a' (see Table 1), from the case (i = 1) or control (i = 2) group, respectively.
Let us denote ${N}_{1}={O}_{1,1}+{O}_{1,2}$ and ${N}_{2}={O}_{2,1}+{O}_{2,2}$ the total number of alleles in the case and control groups, respectively. In general, E_{ i,j } is computed by $\left(\left({O}_{1,j}+{O}_{2,j}\right)\cdot {N}_{i}\right)/\left({N}_{1}+{N}_{2}\right)$ for i = 1, 2 and j = 1, 2. If we assume that the case-control groups have the same number of n patients, we can obtain ${N}_{1}={N}_{2}=2n$. Thus, Equation (1) can be simplified by
Equation (2) indicates that, in addition to homomorphic additions and multiplications, the χ^{2} statistic computation over an encrypted dataset requires one secure division for fully outsourced GWAS, which is not supported in many existing HME-based schemes [15, 17, 22]. For example, if the numerator and denominator in Equation (2) are released directly due to the lack of a secure division operation, one can easily infer the underlying allele counts (i.e., O_{1,1} and O_{2,1}) by solving a system of equations. To address the problem, we propose the FORESEE framework to enable a secure division operation for the χ^{2} statistic computation on an untrusted cloud.
The proposed framework
Figure 1 illustrates the proposed FORESEE framework, which allows secured and fully outsourced chi-square statistics computation in a public cloud and enables flexible release of study results. Using homomorphic encryption, the data owner can encrypt observed allele counts and directly upload them to the public cloud. Consequently, the chi-square statistics can be securely computed according to Equation (2) based on homomorphic computation. Contrary to many existing HME-based schemes [15, 17, 22], the proposed framework develops two protocols for secure division operations over encrypted data, so that the final results are not necessarily computed by the data owner. As a result, authorized users are able to access the encrypted study results when granted the private key for decryption. Remarkably, the secrecy of uploaded sensitive information and released study results can be guaranteed under the proposed framework, as the trusted party would not interact with the untrusted public cloud. Thus, the proposed scheme enables secure outsourcing of the chi-square statistic computation to public cloud services, by which individuals or single institutions could contribute to the chi-square statistic computation in GWAS in a secure manner.
In the FORESEE framework, we develop two protocols for secure division operations, namely, secure errorless division and secure approximation division. The secure errorless protocol makes a secure one-to-one mapping from floating numbers to a set of encrypted positive integers. Consequently, authorized users can decrypt the study results with a lookup table. To achieve errorless division, the proposed protocol requires a deep circuit.
To balance the accuracy and complexity in chi-square statistic computation, the secure approximation division protocol is proposed as an alternative solution. Using secure integer division, the protocol approximates the study results with a tunable error rate. To improve its efficiency, binary tree product and group-based computation are designed to reduce circuit depth and the number of homomorphic multiplications.
In the following subsections, we will elaborate both protocols developed for the FORESEE framework.
Secure errorless division protocol
In this section, we propose the secure errorless division protocol when both dividend and divisor are small (e.g., less than 100). Considering that the secure division operation is not available in existing HME-based schemes [15, 17, 22], we construct a one-to-one mapping function from floating numbers to a set of encrypted positive integers. Thus, the study results can be accurately decrypted with a lookup table corresponding to the one-to-one mapping function.
Secure mapping for division outcomes
To map the study result (in floating numbers), we construct a function with an integer output that uniquely corresponds to the division outcomes given a dividend and divisor. Let us denote $m\in \left[0,\bar{m}\right]$ and $w\in \left[1,\bar{w}\right]$ the dividend and divisor, respectively. Here, the upper bounds $\bar{m}$ and $\bar{w}$ of m and w should be predefined, so that the lookup table for decryption can be synchronized for all the authorized users. Consequently, we construct a two-dimensional function $\mathcal{F}\left(m,w\right)$ that returns the positive integer u_{ m,w } corresponding to an index of the division result of m/w in floating number.
In the ciphertext domain, u_{ m,w } can be determined by the polynomials of m and w related to the ciphertext modulus p. According to Fermat's little theorem, we can construct a simplified function with fewer homomorphic multiplications. Given the prime p > mw, the secure mapping function is
In Proposition 1, we demonstrated that the secure mapping proposed in Equation (4) is a onetoone mapping from floating outcomes of m/w to a set of encrypted positive integers.
Proposition 1 Given arbitrary positive integers m_{1}, m_{2}, w_{1}, and w_{2} taking their values in $\left[1,\lfloor \sqrt{p}\rfloor \right]$, they satisfy
if and only if $\mathcal{F}\left({m}_{1},{w}_{1}\right)\equiv \mathcal{F}\left({m}_{2},{w}_{2}\right)\left(\mathrm{mod}\ p\right)$, where $\lfloor \sqrt{p}\rfloor$ is the round function that returns the maximum integer not greater than $\sqrt{p}$.
Proof. Please refer to Appendix I.
Proposition 1 implies that Equation (4) can map any pairs of $\left(\widehat{m},\widehat{w}\right)$ with the same irreducible fraction to the same outcome $\widehat{\mathcal{F}}\left({\widehat{m}}^{*},{\widehat{w}}^{*}\right)$, where m^{*} and w^{*} are the integer numerator and denominator, respectively, that have no other common divisors. For example, given the ciphertext modulus $p=101$, $\widehat{\mathcal{F}}\left(\widehat{2},\widehat{1}\right)$ would be $\widehat{2}$ for the pairs $\left(\widehat{2},\widehat{1}\right),\left(\widehat{4},\widehat{2}\right)$ and $\left(\widehat{8},\widehat{4}\right)$. This fact means that the encrypted outcome can be securely released, as the authorized users can only obtain the accurate irreducible fraction m^{*}/w^{*}, but cannot infer the exact value of $\left(\widehat{m},\widehat{w}\right)$.
Algorithm 1: Secure errorless division
0: Inputs: encrypted variables $\widehat{m},\widehat{w}$, upper bounds $\bar{m},\bar{w}$, the ciphertext modulus p.
1: Let ${\widehat{s}}_{0}^{*}=\widehat{w},{\widehat{s}}^{*}=\widehat{m}$.
2: Let ${u}^{*}=\lfloor \log \left(p-2\right)\rfloor$
3: Decompose p − 2 as $p-2={\Sigma}_{i=0}^{\mathcal{h}}{2}^{{\mathcal{v}}_{i}}$, where $\mathcal{h}$ is the number of nonzero bits in the binary representation of p − 2 and ${\mathcal{v}}_{i}$ is the position of the ith nonzero bit.
4: For each i = 1,2,⋯, u^{*}
5:   ${\widehat{s}}_{i}^{*}={\widehat{s}}_{i-1}^{*}*{\widehat{s}}_{i-1}^{*}$
6: end for
7: For each i = 0,1,⋯,$\mathcal{h}$
8:   ${\widehat{s}}^{*}={\widehat{s}}^{*}*{\widehat{s}}_{{\mathcal{v}}_{i}}^{*}$
9: end for
10: Outputs: ${\widehat{s}}^{*}$
During decryption, users can find the accurate study result $\mathcal{r}$ with a lookup table, which consists of all possible irreducible fractions within ranges $m\in \left[0,\bar{m}\right]$ and $w\in \left[1,\bar{w}\right]$. Here, we provide two examples, where $\bar{m}=\bar{w}=10$ and p is set to 101 as the smallest prime greater than $\bar{m}\bar{w}=100$. It is worth mentioning that we can obtain the study result $\mathcal{r}$ in floating number in Example 2. This fact verifies the accuracy of the proposed secure errorless division.
Example 1 The authorized users would obtain s^{*} = 2 by decrypting ${\widehat{s}}^{*}=\widehat{2}$. The pair of coprime integers (m, w) corresponding to $\widehat{\mathcal{F}}\left(\widehat{m},\widehat{w}\right)\equiv \widehat{2}$ (mod 101) is (2,1). Thus, $\mathcal{r}$ = m/w = 2.
Example 2 When ${\widehat{s}}^{*}=\widehat{35}$, $\left(m,w\right)=\left(4,3\right)$ as $\widehat{\mathcal{F}}\left(\widehat{m},\widehat{w}\right)=\widehat{4}\cdot {\widehat{3}}^{99}\equiv \widehat{35}\left(\mathrm{mod}\ 101\right)$. As a result, $\mathcal{r}$ = 4/3.
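The errorless protocol can be checked in the plaintext domain. The following added example (not the authors' HElib code) runs the square-and-multiply schedule of Algorithm 1 on ordinary integers modulo p, taking the mapping to be m · w^{p−2} mod p as in Example 2, builds the decryption lookup table, and shows that bounds above ⌊√p⌋ produce colliding codes. The function names are this example's own.

```python
from math import gcd


def errorless_division(m, w, p):
    """Plaintext model of Algorithm 1: returns m * w^(p-2) mod p.

    In FORESEE every product below is a homomorphic multiplication on
    BGV ciphertexts; here the same schedule runs on plain integers.
    """
    e = p - 2
    u = e.bit_length() - 1               # u* = floor(log2(p - 2))
    squares = [w % p]                    # s_0 = w
    for _ in range(u):                   # lines 4-6: s_i = s_{i-1}^2
        squares.append(squares[-1] * squares[-1] % p)
    s = m % p                            # s* starts as the dividend
    for bit in range(u + 1):             # lines 7-9: one product per set bit of p-2
        if (e >> bit) & 1:
            s = s * squares[bit] % p
    return s


def build_lookup(m_max, w_max, p):
    """Table from a released code to its irreducible fraction (m, w).

    Raises ValueError when two different fractions share a code, which
    happens once the bounds exceed floor(sqrt(p)) (Proposition 1).
    """
    table = {}
    for w in range(1, w_max + 1):
        for m in range(0, m_max + 1):
            if gcd(m, w) != 1:           # keep irreducible fractions only
                continue
            code = errorless_division(m, w, p)
            if code in table:
                raise ValueError(f"{m}/{w} collides with {table[code]} mod {p}")
            table[code] = (m, w)
    return table


def decode(code, table):
    """What an authorized user does after decrypting a slot."""
    m, w = table[code]
    return m, w, m / w


if __name__ == "__main__":
    p = 101                              # parameters of Examples 1 and 2
    table = build_lookup(10, 10, p)
    for m, w in [(2, 1), (4, 2), (8, 4), (4, 3)]:
        code = errorless_division(m, w, p)
        print(f"{m}/{w} -> code {code} -> decoded {decode(code, table)}")
    try:
        build_lookup(11, 11, p)          # bounds above floor(sqrt(101)) = 10
    except ValueError as exc:
        print("bounds too large:", exc)
```

The user only ever recovers the reduced fraction: 2/1, 4/2 and 8/4 all decode to (2, 1), which is the property the text relies on when it says the exact pair cannot be inferred.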
Secure approximation division protocol
In this subsection, we aim to develop the secure approximation division protocol. Since n (i.e., the number of patients in the case or control group) is assumed to be a known integer, we denote A and B the dividend and divisor of $\frac{{\left({O}_{1,1}-{O}_{2,1}\right)}^{2}}{\left({O}_{1,1}+{O}_{2,1}\right)\left[4n-\left({O}_{1,1}+{O}_{2,1}\right)\right]}$ in Equation (2), respectively. Thus, the chi-square statistic can be rewritten as
where $A={\left({O}_{1,1}-{O}_{2,1}\right)}^{2}$ is a nonnegative integer, and $B=\left({O}_{1,1}+{O}_{2,1}\right)\left[4n-\left({O}_{1,1}+{O}_{2,1}\right)\right]$ is a positive integer. Thus, given encrypted counts ${\widehat{O}}_{1,1}$ and ${\widehat{O}}_{2,1}$, $\widehat{A}$ and $\widehat{B}$ can be obtained with homomorphic multiplications and additions. Since the fraction term 1/B, with a value less than one, cannot be evaluated in the ciphertext domain, we scale it up by multiplying by a positive integer ℳ. Therefore, the χ^{2} statistic can be approximated by
where $\lfloor \mathcal{M}/{B}_{i}\rfloor$ is the floor function that returns the maximum integer not greater than ℳ/B_{ i }, e.g., $\lfloor 7/3\rfloor =2$ and $\lfloor 10/15\rfloor =0$. Here, ℳ is public information and should be large enough, as the upper bound of the relative error is determined by $1/\min \left(\frac{\mathcal{M}}{B}\right)\times 100\%=\left(\frac{400{n}^{2}}{\mathcal{M}}\right)\%$.
Usually, we set $\mathcal{M}=\min \left(p-1,\lfloor \frac{p-1}{\max \left(\frac{A}{B}\right)}\rfloor \right)$, where p is the ciphertext modulus. According to Equation (7), we develop the secure approximation division protocol based on secure integer division.
Secure integer division
In this subsection, we describe the secure integer division protocol to achieve secure To compute $\lfloor \frac{\widehat{\mathcal{M}}}{B}\rfloor$ in Equation (7), we first introduce a vector T with its ith element defined by
where B_{ i } = i * (4n− i), i = 1,2,...,2n are the possible values of B in chisquare statistic computation (see equation (6)). Consequently, given ℳ, we define a function f(x) which satisfies
In our implementation, a one-dimensional function is formulated using the Lagrange interpolating polynomial with x ∈ {B_{1},..., B_{2n}}
Since division is intractable for homomorphic encrypted data, we need to derive a surrogate function for Equation (10) that can be implemented based on homomorphic multiplications and additions. For simplicity, we denote u_{ i } the divisor for x = B_{ i } in Equation (10).
Consequently, we can construct a surrogate function for Equation (10) by numerically finding a set of integers v_{ i } with 1 ≤ v_{ i } ≤ p − 1 for 1 ≤ i ≤ 2n, that satisfy
Here, p is the ciphertext modulus (i.e., a prime under double-CRT representation in the BGV scheme). Thus, we demonstrate the existence of {v_{ i }} in Proposition 2 to guarantee the computational tractability of f(x) in the ciphertext domain.
Proposition 2 For each u_{ i } = 1,2,⋯,2n, given p > ℳ, at least one v_{ i } can be found to satisfy (12).
Proof. Please refer to Appendix II.
Substituting $1/{\Pi}_{1\le l\le 2n,l\ne i}\left({B}_{i}-{B}_{l}\right)$ with v_{ i } in Equation (10), we can reformulate f(x) with multiplications instead.
We transform Equation (13) into the combination of polynomials of x by expanding the products and combining the coefficients.
Here, ${{h}^{\prime}}_{i}$ is the coefficient for the ith order of x (i.e., x^{i}) after polynomial expansion, which includes ${v}_{i}{B}_{l}$ and t_{ i }. In the ciphertext domain, we can construct the function $\widehat{f}\left(\widehat{x}\right)$ for secure integer division $\lfloor \widehat{\mathcal{M}}/\widehat{x}\rfloor$.
where $\widehat{x}\in \left\{{\widehat{B}}_{1},{\widehat{B}}_{2},\dots ,{\widehat{B}}_{2n}\right\}$ are finite positive encrypted integers, and ${\widehat{h}}_{i}\in \left[\widehat{0},\widehat{p-1}\right]$ is obtained by encrypting ${h}_{i}\equiv {{h}^{\prime}}_{i}\left(\mathrm{mod}\ p\right)$. We set h_{ i } = 0 with i > 2n − 1.
Implementation optimization
The secure integer division can be optimized to further reduce the cumulative circuit depths (CCD) and number of homomorphic multiplications (HMs). To achieve this goal, we adopt group-based computation and binary tree product to generate $\widehat{f}\left(\widehat{x}\right)$ in implementation.
To reduce the number of HMs, a group-based computation is adopted to calculate $\widehat{f}\left(\widehat{x}\right)$. The key idea of the proposed group-based optimization is to first compute a set of ${\widehat{h}}_{c\cdot d+i}{\widehat{x}}^{i}$ with i ∈ [0, d], where d is the number of elements in each group, and c = 0,..., C is the group index with the total number of groups $C=\lfloor \left(2n-1\right)/d\rfloor +1$. After grouping, we get the following equation with a reduced number of HMs.
Algorithm 2 describes the generation of $\widehat{X}=\left(\widehat{1},\widehat{x},\dots ,{\widehat{x}}^{d}\right)$ using binary tree product. The number of HMs and CCD required to calculate $\widehat{X}$ can be reduced to d − 1 and $\lfloor \log \left(d-1\right)\rfloor +1$, respectively.
Algorithm 2: Binary tree product for generating $\widehat{X}$
0: Inputs: encrypted variable $\widehat{x}$, the maximum power d
1: For i = 2,3,⋯, d
2:   Let ${l}_{1}={2}^{\lfloor \log \left(i-1\right)\rfloor}$.
3:   Let ${l}_{2}=i-{l}_{1}.$
4:   ${\widehat{x}}^{i}={\widehat{x}}^{{l}_{1}}\cdot {\widehat{x}}^{{l}_{2}}.$
5: end for
6: Outputs: $\widehat{X}=\left(\widehat{1},\widehat{x},\dots ,{\widehat{x}}^{d}\right)$
An additional optimization can be applied in equation (16) by replacing the multiplication ${\widehat{h}}_{c\cdot d+i}{\widehat{x}}^{i}$ with the summation over a total number of ${\widehat{h}}_{c\cdot d+i}$ additions of ${\widehat{x}}^{i}$ to reduce the number of HMs.
Since the time cost of HMs is larger than HAs, we determine d by minimizing the number of HMs. As shown in Table 9, the total number of HMs required for secure integer division is 2C + d − 3. The number of groups C and the number of elements in each group d are selected to minimize the number of HMs $F\left(d\right)=d+2\lfloor \left(2n-1\right)/d\rfloor -3$. Given an integer n, $F\left(d\right)\approx d+\frac{2\left(2n-1\right)}{d}-3$ can obtain its minimum $2\sqrt{4n-2}-3$, only when $d=\sqrt{2\left(2n-1\right)}$. Since d is an integer, it is estimated by $\lfloor \sqrt{2\left(2n-1\right)}\rfloor$ to minimize F(d). Thus, C can be estimated by $\lfloor \left(2n-1\right)/d\rfloor +1$ accordingly. Using the optimal d and C, secure integer division can be achieved based on the encrypted function $\widehat{f}\left(\widehat{x}\right)$ in Equation (15). Algorithm 3 elaborates the secure integer division. In line 2, in order to obtain ${\widehat{X}}^{\prime}$, the inputs of Algorithm 2 are set to ${\widehat{x}}^{d}$ and C − 1, respectively.
Algorithm 3: Secure integer division
0: Inputs: encrypted variable $\widehat{x}$, group size d, the number of groups C, the ciphertext modulus p, the polynomial parameters h_{ i }, i = 0,1,...,2n − 1
1: Compute $\widehat{X}=\left(\widehat{1},\widehat{x},\dots ,{\widehat{x}}^{d}\right)$ according to Algorithm 2
2: Compute ${\widehat{X}}^{\prime}=\left(\widehat{1},{\widehat{x}}^{d},\dots ,{\widehat{x}}^{\left(C-1\right)d}\right)$ according to Algorithm 2
3: For each c = 0,1,⋯, C − 1
4:   For each i = 0,1,⋯, d − 1
5:     Calculate ${\widehat{h}}_{cd+i}{\widehat{x}}^{i}$
6:   end for
7: end for
8: Let $\widehat{a}=\widehat{0}$
9: For each c = 0,1,⋯, C − 1
10:   ${\widehat{a}}^{\prime}=\widehat{0}.$
11:   For each i = 0,1,2,⋯, d − 1
12:     Update ${\widehat{a}}^{\prime}={\widehat{a}}^{\prime}+{\widehat{h}}_{cd+i}{\widehat{x}}^{i}$
13:   end for
14:   Update $\widehat{a}=\widehat{a}+{\widehat{a}}^{\prime}{\widehat{x}}^{cd}$
15: end for
16: Outputs: $\widehat{a}=\widehat{f}\left(\widehat{x}\right).$
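A plaintext-domain model of the secure integer division, added here and not taken from the authors' implementation: it interpolates f over Z_p so that f(B_i) = ⌊ℳ/B_i⌋, evaluates it with the binary tree product of Algorithm 2 and the grouping of Algorithm 3, and decodes an approximate statistic. It assumes the closed form χ² = 4n·A/B for equal group sizes and small constructed parameters (n = 5, p = 10007, ℳ = 10000); all function names are hypothetical.

```python
from math import isqrt


def lagrange_division_poly(n, M, p):
    """Coefficients h_0..h_{2n-1} (mod p) of f with f(B_i) = floor(M / B_i)."""
    B = [i * (4 * n - i) for i in range(1, 2 * n + 1)]
    h = [0] * len(B)
    for i, Bi in enumerate(B):
        basis, denom = [1], 1
        for l, Bl in enumerate(B):
            if l == i:
                continue
            denom = denom * (Bi - Bl) % p
            # multiply basis by (x - B_l); coefficients are low order first
            basis = [((basis[k - 1] if k else 0)
                      - (basis[k] if k < len(basis) else 0) * Bl) % p
                     for k in range(len(basis) + 1)]
        v_i = pow(denom, p - 2, p)       # v_i * prod(B_i - B_l) = 1 (mod p)
        scale = (M // Bi) * v_i % p      # t_i * v_i
        for k, c in enumerate(basis):
            h[k] = (h[k] + scale * c) % p
    return B, h


def group_size(n):
    """d = floor(sqrt(2(2n-1))) and C = floor((2n-1)/d) + 1, as in the text."""
    d = isqrt(2 * (2 * n - 1))
    return d, (2 * n - 1) // d + 1


def binary_tree_powers(x, d, p):
    """Algorithm 2: (1, x, ..., x^d) plus multiplication count and depth."""
    powers, depth, mults = [1, x % p], [0, 0], 0
    for i in range(2, d + 1):
        l1 = 1 << ((i - 1).bit_length() - 1)     # 2^floor(log2(i-1))
        l2 = i - l1
        powers.append(powers[l1] * powers[l2] % p)
        depth.append(max(depth[l1], depth[l2]) + 1)
        mults += 1
    return powers, mults, max(depth)


def grouped_eval(h, x, d, p):
    """Algorithm 3: f(x) = sum_c x^(c*d) * sum_i h_(c*d+i) * x^i (mod p)."""
    C = (len(h) - 1) // d + 1
    X, _, _ = binary_tree_powers(x, d, p)        # (1, x, ..., x^d)
    Xp, _, _ = binary_tree_powers(X[d], C - 1, p)  # (1, x^d, ..., x^((C-1)d))
    a = 0
    for c in range(C):
        inner = 0
        for i in range(d):
            k = c * d + i
            if k < len(h):                       # h_k = 0 beyond degree 2n-1
                inner = (inner + h[k] * X[i]) % p
        a = (a + inner * Xp[c]) % p
    return a


def approx_chi2(o11, o21, n, M, p, h, d):
    """Cloud side computes A * floor(M/B) mod p; the user rescales by 4n/M.

    The 4n*A/B closed form is an assumption of this example.
    """
    A = (o11 - o21) ** 2 % p
    S = o11 + o21
    B = S * (4 * n - S) % p
    a = A * grouped_eval(h, B, d, p) % p         # value the user decrypts
    return 4 * n * a / M


if __name__ == "__main__":
    n, M, p = 5, 10000, 10007                    # constructed toy parameters
    B, h = lagrange_division_poly(n, M, p)
    d, C = group_size(n)
    print("d, C =", d, C)
    for b in B:
        print(b, grouped_eval(h, b, d, p), M // b)
    approx = approx_chi2(6, 1, n, M, p, h, d)
    exact = 4 * n * 25 / 91
    print(f"approx {approx:.4f}  exact {exact:.4f}  "
          f"bound {400 * n * n / M:.2f}%")
```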
Parallel computation using multiple slots
Since HME schemes with ciphertext space ${\mathbb{Z}}_{q}^{{L}_{s}}$ support single instruction multiple data (SIMD) with L_{ s } slots, we can use parallel computation to reduce the number of homomorphic multiplications (HMs) and homomorphic additions (HAs). Denote $\widehat{a}=\left({\widehat{a}}_{1},{\widehat{a}}_{2},\dots ,{\widehat{a}}_{{L}_{s}}\right)$ and $\widehat{b}=\left({\widehat{b}}_{1},{\widehat{b}}_{2},\dots ,{\widehat{b}}_{{L}_{s}}\right)$ the two encrypted ciphertexts with L_{ s } slots. SIMD is applicable to simultaneous computation of the addition $\widehat{a}+\widehat{b}=\left({\widehat{a}}_{1}+{\widehat{b}}_{1},{\widehat{a}}_{2}+{\widehat{b}}_{2},\dots ,{\widehat{a}}_{{L}_{s}}+{\widehat{b}}_{{L}_{s}}\right)$ and the multiplication $\widehat{a}\cdot \widehat{b}=\left({\widehat{a}}_{1}\cdot {\widehat{b}}_{1},{\widehat{a}}_{2}\cdot {\widehat{b}}_{2},\dots ,{\widehat{a}}_{{L}_{s}}\cdot {\widehat{b}}_{{L}_{s}}\right)$. In two ciphertexts, only two slots in the same position can operate with each other.
In Algorithm 1, multiple encrypted outputs can be calculated at the same time with parallel computation. When the result is returned to the user, the user extracts the integer in each slot and searches for it in the lookup table. Noticeably, in the parallel computation, m^{u} and n^{u} should be selected as the upper bounds of all the dividends and divisors in the slots. Similarly, multiple slots can also be used in the secure approximation division protocol. The secure integer division developed in Algorithm 3 can be simultaneously conducted for L_{ s } pairs of inputs $\left({\widehat{a}}_{i},{\widehat{b}}_{i}\right),i=1,2,\dots ,{L}_{s}$ using multiple slots.
Results
In this section, we evaluate the proposed FORESEE framework, which was implemented with HElib [23], one of the most efficient open-source HME libraries based on the LWE theory [13, 14]. The evaluations were made on an Ubuntu 14.04 server with Intel Xeon CPU E5-2687W @ 3.10GHz and 256 GB memory. We present the performance in terms of time and memory cost. First, we provide the results of secure errorless division on simulated data. Moreover, we provide the performance of chi-square statistics based on the secure approximation division.
Simulation study
Table 2 elaborates the experimental setups for the secure errorless division protocol. Given the ciphertext modulus p, the upper bound $\bar{m}$ (i.e., dividend) and $\bar{w}$ (i.e., divisor) is set to $\lfloor \sqrt{p}\rfloor$. A number of L_{ s } slots are used for parallel computation. The lifting parameter for plaintext base is set to 1. The security level is 80. The number of columns in key switching is 2. Hamming distance is 64.
Using HElib, one ciphertext can contain multiple slots to have many integers encrypted into the ciphertext with the public key. Thus, the size of the public key is related to the number of multiple slots L_{ s } in addition to the ciphertext modulus p and the number of levels in modulus chain L. Taking Table 2 for example, L_{ s } for $\left(\bar{m},\bar{w}\right)=\left(70,70\right)$ is 3144, which is greater than most ones. Thus, its ciphertext sizes are much larger than the other configurations with close values of $\bar{m}$ and $\bar{w}$.
Using HElib, we are able to evaluate all the slots in the ciphertext in parallel. Table 3 shows the average execution time for the secure errorless division protocol. Based on the lookup table generated for various parameters $\left(\bar{m},\bar{w}\right)$, the proposed protocol is efficient for secure division operation over m ≤ 100 and w ≤ 100. However, its circuit depths increase rapidly with the growth of m and w, which limits its application for larger dividends and divisors.
Chi-square statistic computation
We employ the secure approximation division protocol in secure chi-square statistic computation. Two datasets from the iDASH genome privacy protection challenge are used for evaluation, which contain 311 SNPs and 610 SNPs, respectively, in the case-control groups, each consisting of 200 individuals.
In homomorphic encryption, the ciphertext modulus p and the number of levels in modulus chain L are set to 25600000039 and 51, respectively. The public and private key sizes are both around 2.6 GB. The lifting parameter for plaintext base is set to 1. The security level is 80. The number of columns in key switching is 2 and the Hamming distance is 64. To reduce computational complexity, we use L_{ S } = 864 slots in parallel computation. For secure integer division, ℳ is 25600000000. d and C are accordingly set to 28 and 15 for 200 individuals in each group.
Table 4 provides the time cost for homomorphic evaluation of both datasets in chi-square statistics computation, including key generation, encryption, total and average execution time. Using multiple slots, the secure approximation division protocol can achieve the chi-square statistics computation in less than one second on average. Table 5 evaluates the accuracy of computation in terms of the mean-squared error (MSE) and maximum error between the exact and the approximate chi-square statistics, where the MSE are less than 5 × 10^{−10}. The evaluation on maximum error also supports the conclusion.
Remarkably, we also computed the p-value for each SNP based on the chi-square statistic and applied different p-value cutoffs as 0.05, 0.01, and 0.005. The secure approximation division protocol is demonstrated to find all the significant SNPs for both datasets under different p-value cutoffs. As a result, the proposed protocol provides a good tradeoff between accuracy and complexity for secure chi-square statistic computation.
Furthermore, we compare the two proposed protocols in the chi-squared statistics computation. For the secure errorless division protocol, we use the same parameters listed above, except that L is set to 151 to guarantee the required circuit depth in implementation. Tables 6 and 7 compare the computational complexity and storage cost for the two protocols, respectively. In Table 6, the secure errorless division protocol requires about 10, 20 and 5 times in complexity for key generation, encryption, and execution (computation), when compared with the secure approximation division protocol. Table 7 shows that the ciphertext key sizes for secure errorless division are about 8 times larger due to the greater L. These results imply that the secure approximation division protocol provides a good tradeoff in terms of complexity and accuracy for chi-squared statistic computation.
Discussions
In this section, we analyze the computational complexity of the proposed FORESEE protocol and discuss its potential extension and its limitation.
Complexity analysis
In this subsection, we make an analysis on the computational complexity of the secure errorless division and secure approximation division protocols. Cumulative circuit depth (CCD) and the numbers of homomorphic multiplications (HMs) are provided for both protocols in the FORESEE framework.
We begin with the complexity analysis for the secure errorless division protocol (i.e., Algorithm 1). As shown in Table 8, the number of HMs to calculate ${\widehat{s}}_{i}^{*}$ at each iteration in A1 line 5 is 1. The number of HMs to obtain s^{*} at each iteration in A1 line 8 is also 1. Therefore, the CCD in calculating ${\widehat{s}}_{i}^{*}$ in A1 lines 4-6 is $\lfloor \log \left(p-2\right)\rfloor$. The depth to obtain s^{*} in A1 lines 7-9 is $\lfloor \log \left(p-2\right)\rfloor +h+1$.
Table 9 provides the CCD and number of HMs for secure approximate division (i.e., Algorithm 3). The number of HMs to obtain $\widehat{X}$ and ${\widehat{X}}^{\prime}$ are d − 1 and C − 2, respectively. To evaluate Equation (18), the total number of HMs is d + 2C − 3. By using binary tree product based optimization, the circuit depths required for computing $\widehat{X}$ and ${\widehat{X}}^{\prime}$ are $\lfloor \log \left(d-1\right)\rfloor +1$ and $\lfloor \log \left(C-2\right)\rfloor +1$, respectively. Finally, the total CCD for the secure approximate division operation is $\lfloor \log \left(C-2\right)\rfloor +\lfloor \log \left(d-1\right)\rfloor +3$.
Potential extension
In this paper, we proposed the FORESEE framework to address the problem of fully outsourcing chi-square statistic computation to a public cloud. However, the application scenarios for the FORESEE framework, especially the secure approximation division protocol, can be further extended to securely compute other statistical tests that involve division operations. One intuitive example is the Transmission disequilibrium test (TDT) developed to assess the genetic linkage between the genetic variants and disease status in family-based association studies. TDT is based on the binomial test with one degree of freedom, which is asymptotically equivalent to the chi-square hypothesis test.
Limitation
There are several limitations in the FORESEE framework. First, in the secure approximation division protocol, the upper bound of the approximation error depends on the ciphertext modulus G. Therefore, G should be large enough to guarantee the accuracy of the computation, which degrades the efficiency of the FORESEE framework. Second, the computational and storage costs of homomorphic encryption are still very high. For example, key generation and encryption are much more time-consuming than computation. The ciphertext sizes are also a heavy burden for communication. Finally, it is still a challenging problem to generalize the secure errorless division protocol. In summary, there is still room to improve the proposed division protocols in the FORESEE framework through better algorithm design, efficient coding in HElib and parallelization.
Conclusion
In this paper, we proposed a novel FORESEE framework for the secure outsourcing of GWAS in the iDASH genome privacy protection challenge, especially for the chi-square statistic computation. The proposed framework consists of two protocols for the secure division operation, namely secure errorless division and secure approximation division. The secure errorless protocol made a bijection between floating numbers and a set of encrypted positive integers. Thus, it could output the accurate study results based on a lookup table. On the other hand, the secure approximation division protocol adopted secure integer division to obtain approximate study results with a tunable accuracy. The protocol was able to balance complexity and accuracy by using the group-based computation and binary tree product with improved efficiency. In comparison to existing HME-based schemes [15, 17, 22], both protocols enabled fully outsourced secure GWAS in an untrusted public cloud and could directly release study results to authorized users for decryption. Experimental results show that the secure approximation division protocol can capture all the significant SNPs in chi-square statistic computation with a moderate computational complexity.
Appendix I: Proof of Proposition 1
Since $m_1 w_1^{p-2} \equiv m_2 w_2^{p-2} \pmod{p}$, we can obtain Equation (17) by multiplying both sides by $w_1 w_2$.
According to Fermat's little theorem,
When $w_1$ and $w_2$ are coprime with p, we can find that
Since $w_2 m_1 \le \lfloor \sqrt{p} \rfloor \cdot \lfloor \sqrt{p} \rfloor < p$ and $w_1 m_2 \le \lfloor \sqrt{p} \rfloor \cdot \lfloor \sqrt{p} \rfloor < p$, it holds for the prime p that
From Equations (19) and (20), we obtain that $w_2 m_1 = w_1 m_2$, which proves Proposition 1.
Appendix II: Proof of Proposition 2
We recall Fermat's little theorem that, given a prime p,
where p and q are coprime numbers. Since $u_i \in [1, p-1]$, the greatest common divisor of $u_i$ and p is always 1. Given an integer $u_i$, we can derive $v'_i = u_i^{p-2}$ to satisfy $u_i v'_i \equiv 1 \pmod{p}$ in Equation (12). Thus, by considering $v_i \equiv v'_i \pmod{p}$, $v_i \in [1, p-1]$ can be found for Equation (12). As a result, Proposition 2 follows.
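The two propositions can be exercised on plaintext residues. The following is an added example, not code from the paper or from HElib: it computes the inverse $u^{p-2} \bmod p$ of Proposition 2, represents a quotient m/w as $m \cdot w^{p-2} \bmod p$, and builds the residue-to-fraction lookup table that Proposition 1 makes collision-free for $m, w \le \lfloor \sqrt{p} \rfloor$. The function names and the prime 101 are assumptions.

```python
from math import gcd, isqrt

def inverse_mod(u, p):
    """Proposition 2: for prime p and u in [1, p-1], u^(p-2) mod p inverts u."""
    if not 1 <= u <= p - 1:
        raise ValueError("u must lie in [1, p-1]")
    return pow(u, p - 2, p)

def encode(m, w, p):
    """Represent the quotient m/w as the residue m * w^(p-2) mod p."""
    return m * inverse_mod(w, p) % p

def build_lookup(p):
    """Map residue -> reduced fraction for all 1 <= m, w <= floor(sqrt(p)).

    Raises if two different fractions share a residue, which Proposition 1
    rules out inside this bound.
    """
    bound = isqrt(p)
    table = {}
    for m in range(1, bound + 1):
        for w in range(1, bound + 1):
            g = gcd(m, w)
            frac = (m // g, w // g)
            r = encode(m, w, p)
            if table.setdefault(r, frac) != frac:
                raise AssertionError(f"collision at residue {r}")
    return table

def decode(residue, table):
    """Recover the exact quotient, or None if the residue is not in the table."""
    frac = table.get(residue)
    return None if frac is None else frac[0] / frac[1]

P = 101                     # constructed small prime; floor(sqrt(101)) = 10
TABLE = build_lookup(P)

if __name__ == "__main__":
    print(encode(7, 4, P), decode(encode(7, 4, P), TABLE))   # residue, then 7/4
    # Outside the bound the mapping is no longer unique: 51/1 and 1/2 share
    # one residue, so operands must stay within floor(sqrt(p)).
    print(encode(51, 1, P) == encode(1, 2, P))
```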
Abbreviations
GWAS: Genome-wide association study
HME: Homomorphic Encryption
HM: Homomorphic Multiplication
CCD: Cumulative circuit depth
References
1. Howe D, Costanzo M, Fey P, Gojobori T, Hannick L, Hide W, Hill DP, Kania R, Schaeffer M, St Pierre S, Twigger S, White O, Rhee SY: Big data: The future of biocuration. Nature. 2008, 455: 47-50.
2. The NIST Definition of Cloud Computing. National Institute of Standards and Technology
3. NOT-OD-15-086: Notice for Use of Cloud Computing Services for Storage and Analysis of Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy. [http://grants.nih.gov/grants/guide/notice-files/NOT-OD-15-086.html]
4. Homer N, Szelinger S, Redman M, Duggan D, Tembe W, Muehling J, Pearson JV, Stephan DA, Nelson SF, Craig DW: Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS Genet. 2008, 4: e1000167
5. Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y: Identifying personal genomes by surname inference. Science (80). 2013, 339: 321-324.
6. Wang R, Li YF, Wang X, Tang H, Zhou X: Learning your identity and disease from research papers. Proceedings of the 16th ACM conference on Computer and communications security - CCS '09. 2009, New York, New York, USA: ACM Press, 534-44.
7. Naveed M, Ayday E, Clayton EW, Fellay J, Gunter CA, Hubaux J-P, Malin BA, Wang X: Privacy and Security in the Genomic Era. 2014
8. Wang S, Mohammed N, Chen R: Differentially private genome data dissemination through top-down specialization. BMC Med Inform Decis Mak. 2014, 14 (Suppl 1): S2
9. Kamm L, Bogdanov D, Laur S, Vilo J: A new way to protect privacy in large-scale genome-wide association studies. Bioinformatics. 2013, 29: 886-93.
10. Zhou M, Zhang R, Xie W, Qian W, Zhou A: Security and Privacy in Cloud Computing: A Survey. 2010 Sixth International Conference on Semantics, Knowledge and Grids. IEEE. 2010, 105-112.
11. Wang W, Hu Y, Chen L: Accelerating fully homomorphic encryption using GPU. IEEE Conference on High Performance Extreme Computing (HPEC). 2012, 15.
12. Gentry C: Fully homomorphic encryption using ideal lattices. Proceedings of the 41st annual ACM symposium on Symposium on theory of computing - STOC '09. 2009, New York, NY, USA: ACM Press, 169-178.
13. Brakerski Z, Gentry C, Vaikuntanathan V: (Leveled) fully homomorphic encryption without bootstrapping. Proceedings of the 3rd Innovations in Theoretical Computer Science Conference on - ITCS '12. 2012, New York, NY, USA: ACM Press, 111: 309-325.
14. Brakerski Z, Vaikuntanathan V: Efficient fully homomorphic encryption from (standard) LWE. SIAM J Comput. 2011, 43: 831-871.
15. Lauter K, López-Alt A, Naehrig M: Private computation on encrypted genomic data. 14th Privacy Enhancing Technologies Symposium, Workshop on Genome Privacy (GenoPri'14). 2014, Amsterdam, The Netherlands
16. Togan M, Plesca C: Comparison-based computations over fully homomorphic encrypted data. Communications (COMM), 2014 10th International Conference on. 2014, 16.
17. Graepel T, Lauter K, Naehrig M: ML confidential: Machine learning on encrypted data. Information Security and Cryptology ICISC 2012. 2013, Springer, 121.
18. Naehrig M, Lauter K, Vaikuntanathan V: Can homomorphic encryption be practical?. Proceedings of the 3rd ACM workshop on Cloud computing security workshop - CCSW '11. 2011, New York, NY, USA: ACM Press, 113
19. Cheon JH, Kim M, Lauter K: Homomorphic Computation of Edit Distance. WAHC'15 - 3rd Workshop on Encrypted Computing and Applied Homomorphic Cryptography. 2015
20. Hazay C, Lindell Y: Efficient Secure Two-Party Protocols. 2010, Berlin, Heidelberg: Springer Berlin Heidelberg, Information Security and Cryptography
21. 2015 iDASH Privacy and security Workshop. [http://www.humangenomeprivacy.org/2015/]
22. Bos JW, Lauter K, Naehrig M: Private predictive analysis on encrypted medical data. J Biomed Inform. 2014, 50: 234-243.
23.
24. Wang S, Zhang Y, Dai W, Lauter K, Kim M, Tang Y, Xiong H, Jiang X: HEALER: Homomorphic computation of ExAct Logistic rEgRession for secure rare disease variants analysis in GWAS. Bioinformatics. 2015, [accepted]
25. Zhang Y, Dai W, Wang S, Kim M, Lauter K, Sakuma J, Xiong H, Jiang X: SECRET: Secure Edit-distance computation over homomoRphic Encrypted daTa. Proceedings of the 5th Annual Translational Bioinformatics Conference Tokyo, Japan. 2015, [accepted]
Acknowledgements
This work was funded in part by the NHGRI (K99HG008175), NLM (R00LM011392, R21LM012060), NHLBI (U54HL108460), NSFC (61425011, 61271218, 61501294 and U1201255), and "Shu Guang" project (13SG13).
This article has been published as part of BMC Medical Informatics and Decision Making Volume 15 Supplement 5, 2015: Proceedings in the 4th iDASH Privacy Workshop: Critical Assessment of Data Privacy and Protection (CADPP) challenge. The full contents of the supplement are available online at http://www.biomedcentral.com/1472-6947/15/S5.
Additional information
Competing interests
The authors declare that they have no competing interests.
Authors' contributions
YZ and WD drafted the majority of the manuscript, YZ conducted the experiments. HX and XJ provided some helpful comments. SW provided the motivation for this work, detailed edits and critical suggestions.
Yuchen Zhang, Wenrui Dai contributed equally to this work.
Keywords
 Genome-wide association study
 homomorphic encryption
 secure outsourcing