FORESEE: Fully Outsourced secuRe gEnome Study basEd on homomorphic Encryption

Background The increasing availability of genome data motivates massive research studies in personalized treatment and precision medicine. Public cloud services provide a flexible way to mitigate the storage and computation burden in conducting genome-wide association studies (GWAS). However, data privacy has been widely concerned when sharing the sensitive information in a cloud environment. Methods We presented a novel framework (FORESEE: Fully Outsourced secuRe gEnome Study basEd on homomorphic Encryption) to fully outsource GWAS (i.e., chi-square statistic computation) using homomorphic encryption. The proposed framework enables secure divisions over encrypted data. We introduced two division protocols (i.e., secure errorless division and secure approximation division) with a trade-off between complexity and accuracy in computing chi-square statistics. Results The proposed framework was evaluated for the task of chi-square statistic computation with two case-control datasets from the 2015 iDASH genome privacy protection challenge. Experimental results show that the performance of FORESEE can be significantly improved through algorithmic optimization and parallel computation. Remarkably, the secure approximation division provides significant performance gain, but without missing any significance SNPs in the chi-square association test using the aforementioned datasets. Conclusions Unlike many existing HME based studies, in which final results need to be computed by the data owner due to the lack of the secure division operation, the proposed FORESEE framework support complete outsourcing to the cloud and output the final encrypted chi-square statistics.


Introduction
Owing to the community effort on big data, biomedical science moves focus towards data-driven methodologies [1], which rely on collecting, integrating and analyzing large scale data. For biomedical studies, especially the genome analysis, the required storage and computational capacities may easily exceed the available resources in a single institution. Recently, cloud computing [2] emerges as a flexible alternative to support cost-effective biomedical research with big data. Researchers can rely on a cloud environment to easily scale up their studies with large scale data. However, the adopt of cloud computing in biomedical studies also yields more and more concerns about the potential data privacy risk in comparison with the local computing environment. As genome data are extremely sensitive, the storage of raw genome in a cloud may increase the disclosure risk.
The recently announced NIH policy [3] allows NIH funded studies to utilize public clouds to facilitate data analysis. However, the researchers instead of the cloud providers are responsible for the data security and privacy. Many existing attacks [4][5][6] also demonstrate the vulnerability of de-identified genome data. Thus, it is important to protect the privacy of genome data [7][8][9]. The rapid improvements of the data protection techniques make it possible to perform certain computations over encrypted data [10,11] based on homomorphic encryption.
In [12], Gentry proposed the first fully homomorphic encryption scheme to enable both addition and multiplication operations over encrypted data. Brakerski et al. [13,14] improved homomorphic encryption scheme based on learning with errors (LWE). Lauter et al. [15] presented several secure statistical algorithms for genetic association studies based on homomorphic encryption. Besides, Togan et al. [16] studied the integer comparison problem over homomorphic encrypted data. Recently, Graepel et al. [17] and Naehrig et al. [18] also showed that certain machine learning algorithms can be implemented using HME. Wang et al. [24] proposed a novel homomorphic encryption based framework to securely computing on exact logistic regression. Cheon et al. [19] developed a protocol for HME-based edit distance calculation that employed the greedy algorithm to obtain the upper bound of exact edit distance. Zhang et al. [25] improved homomorphic edit distance computation by combining path-finding algorithm and integer comparison.
In this paper, we propose the FORESEE framework to achieve secured and fully outsourced chi-square statistics computation in a public cloud. We assume that the cloud faithfully follows the protocol but may be curious of information from the received data, which is the socalled semi-honest adversary model [20]. The proposed FORESEE framework enables secure division operation over the homomorphic encrypted data and allows the cloud to directly release the study results. To be concrete, the contribution of this paper is two-fold.
• We develop a secure errorless division protocol, where a one-to-one mapping function is constructed for the floating numbers in computation and the study results can be accurately decrypted with a lookup table.
• We present a secure approximation division protocol to balance the complexity and accuracy with welldesigned secure integer division in secure computation. In implementation, binary tree product and groupbased computation are adopted to reduce circuit depth and the number of homomorphic multiplications.
For validation, experimental results show that the proposed FORESEE framework can identify all the significant SNPs based on the chi-square statistics with a moderate complexity using multiple slots for parallel computation.

Method
For clarity, in the rest of this paper, we use bold symbols to represent vector and matrix variables and normal symbols for scalar variables. Without specification, is reserved for the encrypted version of variable or function Δ and log (·) stands for the logarithm with base 2.

Secure outsourcing GWAS
In this paper, we focus on the task of secure outsourcing GWAS in the 2015 iDASH challenge [21]. Given the genotypes from two groups over a number of single nucleotide polymorphisms (SNPs), we aim to securely calculate the chi-square statistics for the SNPs between the given case-control groups. The chi-square statistic) c 2 is used by chi-square test to statistically assess whether there is significant association between the genetic variants and disease status. Typically, c 2 is obtained by cumulating the normalized squared deviations between the observed and expected frequency distribution of alleles.
Here, O i,j and E i,j are the observed and expected allele counts for allele j, e.g. j = 1 for allele 'A' and j = 2 for allele 'a' in (see Table 1) from the case (i = 1) or control (i = 2) group, respectively.
Let us denote N 1 = O 1,1 + O 1,2 and N 2 = O 2,1 + O 2,2 the total number of alleles in the case and control groups, respectively. In general, E i,j is computed by ((O 1,j + O 2,j ) · N i )/(N 1 + N 2 ) for i = 1, 2 and j = 1, 2. If we assume that the case-control groups have the same number of n patients, we can obtain N 1 = N 2 = 2n . Thus, Equation (1) can be simplified by Equation (2) indicates that, in addition to homomorphic additions and multiplications, the χ 2 statistic computation over encrypted dataset requires one secure division for fully outsourced GWAS, which is not supported in many existing HME-based schemes [15,17,22]. For example, if the numerator and denominator in Equation (2) are released directly due to the lack of secure division operation, one can easily infer the underlying allele counts (i.e., O 1,1 and O 2,1 ) by solving a system of equations. To address the problem, we propose the FORESEE framework to enable secure division operation for the χ 2 statistic computation on an untrusted cloud.
The proposed framework Figure 1 illustrates the proposed FORESEE framework, which allows secured and fully outsourced chi-square statistics computation in a public cloud and enable flexible release of study results. Using homomorphic encryption, the data owner can encrypt observed allele counts and directly upload to the public cloud. Consequently, the chi-square statistics can be securely computed according to Equation (2) based on homomorphic computation. Contrary to many existing HME-based schemes [15,17,22], the proposed framework develops two protocols for secure division operations over encrypted data, so that the final results are not necessarily computed by the data owner. As a result, authorized users are able to access the encrypted study results when granted the private key for decryption. Remarkably, the secrecy of uploaded sensitive information and released study results can be guaranteed under the proposed framework, as the trusted party would not interact with the untrusted public cloud. Thus, the proposed scheme enables secure outsourcing of the chi-square statistic computation to public cloud services, by which individuals or single institutions could contribute to the chi-square statistic computation in GWAS in a secure manner.
In the FORESEE framework, we develop two protocols for secure division operations, namely, secure errorless division and secure approximation division. The secure errorless protocol makes a secure one-to-one mapping from floating numbers to a set of encrypted positive integers. Consequently, authorized users can decrypt the study results with a lookup table. To achieve errorless division, the proposed protocol requires a deep circuit.
To balance the accuracy and complexity in chi-square statistic computation, the secure approximation division protocol is proposed as an alternative solution. Using secure integer division, the protocol approximates the study results with a tunable error rate. To improve its efficiency, binary tree product and group-based computation are designed to reduce circuit depth and the number of homomorphic multiplications.
In the following subsections, we will elaborate both protocols developed for the FORESEE framework.

Secure errorless division protocol
In this section, we propose the secure errorless division protocol when both dividend and divisor are small (e.g., less than 100). Considering that secure division operation is not available in existing HME-based schemes [15,17,22], we construct a one-to-one mapping function from floating numbers to a set of encrypted positive integers. Thus, the study results can be accurately decrypted with a lookup table corresponding to the oneon-one mapping function.

Secure mapping for division outcomes
To map the study result (in floating numbers), we construct a function with an integer output that uniquely corresponds to the division outcomes given a dividend and divisor. Let us denote m ∈ [0,m] and w ∈ [1,w] the dividend and divisor, respectively. Here, the upper boundsm andw of m and w should be predefined, so that the lookup table for decryption can be synchronized for all the authorized users. Consequently, we construct a two-dimensional function F (m, w) that returns the positive integer u m,w corresponding to an index of the division result of m/w in floating number.
In the ciphertext domain, u m,w can be determined by the polynomials of m and w related to the ciphertext modulus p. According to the Fermat Theory, we can construct a simplified function with less number of homomorphic multiplications. Given the prime p >mw , the secure mapping function iŝ In Proposition 1, we demonstrated that the secure mapping proposed in Equation (4) is a one-to-one mapping from floating outcomes of m/w to a set of encrypted positive integers.
Proposition 1 Given arbitrary positive integers m 1 , m 2 , w 1 , and w 2 taking their values [1, | p|] , they satisfy if and only if F (m 1 , w 1 ) ≡ F (m 2 , w 2 )(modp) , where | p| is the round function that returns the maximum integer not greater than p .
Proof. Please refer to Appendix I. Proposition 1 implies that Equation (4) can map any pairs of (m,ŵ) with the same irreducible fraction to the same outcomeF (m * ,ŵ * ) , where m * and w * are the integer numerator and denominator, respectively that have no other common divisors. For example, given the ciphertext modulus p = 101,F (2,1) would be2 for the pairs (2,1), (4,2) and (8,4). This fact means that the encrypted outcome can be securely released, as the authorized users can only obtain the accurate irreducible fraction m * /w * , but cannot infer the exact value of (m,ŵ) .
Algorithm 1: Secure errorless division 0: Inputs: encrypted variablem,ŵ , upper bound m,w , the ciphertext modulus p. 1: , where is the number of nonzero bits in the binary representation of p − 2 and . is the position of i-th nonzero bit. 4:

Secure approximation division protocol
In this subsection, we aim to develop the secure approximation division protocol. Since n (i.e., the number of patients in case or control group) is assumed to be a known integer, we denote A and B the dividend and in Equation (2), respectively. Thus, the chi-square statistic can be rewritten as where A = (O 1,1 − O 2,1 ) 2 is a nonnegative integer, and ] is a positive integer. Thus, given encrypted countsÔ 1,1 andÔ 2,1 ,Â and B can be obtained with homomorphic multiplications and additions. Since the fraction team 1/B, with the value less than one, cannot be evaluated in the ciphertext domain, we scale it up by multiplying a positive integer ℳ. Therefore, the c 2 statistic can be approximated by where M/B i is the round function that returns the maximum integer not greater than M/B i , e.g., 7/3 = 2 and 10/15 = 0. Here, ℳ is a public information and should be large enough, as the upper bound of relative where p is the ciphertext modulus. According to Equation (7), we develop the secure approximation division protocol based on secure integer division.

Secure integer division
In this subsection, we describe the secure integer division protocol to achieve secure To compute M B o in Equation (7), we first introduce a vector T with its 6-th element defined by where B i = i * (4n− i), i = 1,2,...,2n are the possible values of B in chi-square statistic computation (see equation (6)). Consequently, given ℳ, we define a function f(x) which satisfies In our implementation, a one-dimensional function is formulated using Lagrange interpolating polynomial with x ∈ {B 1 ,..., B 2n } Since division is intractable for homomorphic encrypted data, we need to derive a surrogate function for Equation (10) that can be implemented based on homomorphic multiplications and additions. For simplicity, we denote u i . the divisor for x = B i . in Equation (10).
Consequently, we can construct a surrogate function for Equation (10) by numerically finding a set of integers Here, p is the cipheretext modulus (i.e., a prime under double-CRT representation in the BGV scheme). Thus, we demonstrate the existence of {v i } in Proposition 2 to guarantee the computational tractability of f(x) in the ciphertext domain.
Proof. Please refer to Appendix II.
We transform Equation (13) into the combination of polynomials of x by expanding the products and combining the coefficients.
Here, h i is the coefficient for the i-th order of x (i.e., x i .) after polynomial expansion, which includes v i B l and t i . In the ciphertext domain, we can construct the functionf (x) wherex ∈ {B 1 ,B 2 , . . . ,B 2n } are finite positive encrypted integers, andĥ i ∈ [0,p −1] is obtained by encrypting

Implementation optimization
The secure integer division can be optimized to further reduce the cumulative circuit depths (CCD) and number of homomorphic multiplications (HMs). To achieve this goal, we adopt group-based computation and binary tree product to generatef (x) in implementation.
To reduce the number of HMs, a group-based computation is adopted to calculatef (x) . The key idea of the proposed group-based optimization is to first compute a set ofĥ c·d+ix i with i ∈ [0, d], where d is number of elements in each group, and c = 0,..., C is the group index with the total number of groups C = (2n − 1) /d + 1.
After grouping, we get the following equation with a reduced number of HMs. Since the time cost of HMs is larger than HAs, we determine d by minimizing the number of HMs. As shown in Table 9 the total number of HMs required for secure integer division is 2C + d − 3. The number of groups C and the number of elements in each group d are selected to minimize the number of HMs F (d) = d + 2 (2n − 1) /d − 3 . Given an integer . Thus, C can be estimated by (2n − 1) /d + 1 accordingly. Using the optimal d and C, secure integer division can be achieved based on the encrypted functionf (x) in Equation (15). Algorithm 3 elaborates the secure integer division. In line 2, in order to obtain X , the inputs of Algorithm 2 are set tox d and C − 1, respectively.

Parallel computation using multiple slots
Since HME schemes with ciphertext space Z L s q support single instruction multiple data (SIMD) with L s slots, we can use parallel computation to reduce the number of homomorphic multiplications (HMs) and homomorphic additions (HAs). Denoteâ = â 1 ,â 2 , . . . ,â L s and b = (b 1 ,b 2 , . . . ,b L s ) the two encrypted ciphertexts with L s slots. SIMD is applicable to simultaneous computation of the additionâ +b = â 1 +b 1 ,â 2 +b 2 , . . . ,â L s +b L s and a ·b = â 1 ·b 1 ,â 2 ·b 2 , . . . ,â L s ·b L s multiplication. In two ciphertexts, only two slots in the same position can operate with each other. In Algorithm 1, multiple encrypted outputs can be calculated at the same time with parallel computation. When the result is returned back to the user, the user extracts the integer in each slot and search it in the lookup table. Noticeably, in the parallel computation, m u and n u should be selected as the upper bounds of all the dividends and divisors in the slots. Similarly, multiple slots can also be used in the secure approximation division protocol. The secure integer division developed in Algorithm 3 can be simultaneously conducted for L s pairs of inputs = 1, 2, . . . , L s using multiple slots.

Results
In this section, we evaluate the proposed FORESEE framework, which was implemented with HElib [23], one of the most efficient open-source HME libraries based on the LWE theory [13,14]. The evaluations were made on an Ubuntu 14.04 server with Intel Xeon CPU E5-2687W @ 3.10GHz and 256 GB memory. We present the performance in the terms of time and memory cost. First, we provide the results of secure errorless division on simulated data. Moreover, we provide the performance of chisquare statistics based on the secure approximation division. Table 2 elaborates the experimental setups for the secure errorless division protocol. Given the ciphertext modulus p, the upper boundm (i.e., dividend) andw (i.e., divisor) is set to p . A number of L s slots are used for parallel computation. The lifting parameter for plaintext base is set to 1. The security level is 80. The number of columns in key switching is 2. Hamming distance is 64.

Simulation study
Using HElib, one ciphertext can contain multiple slots to have many integers encrypted into the ciphertext with the public key. Thus, the size of the public key is related to the number of multiple slots L s in addition to the ciphertext modulus p and the number of levels in modulus chain L. Taking Table 2 for example, L s for (m,w) = (70, 70) is 3144, which is greater than most ones. Thus, its ciphertext sizes are much larger than the other configurations with close values ofm andw .
Using HElib, we are able to evaluate all the slots in the ciphertext in parallel. Table 3 shows the average execution time for the secure errorless division protocol. Based on the lookup table generated for various parameters (m,w) , the proposed protocol is efficient for secure division operation over m ≤ 100 and w ≤ 100. However, its circuit depths increase rapidly with the growth of m and w, which limits its application for larger dividends and divisors.

Chi-square statistic computation
We employ the secure approximation division protocol in secure chi-square statistic computation. Two datasets from iDASH genome privacy protection challenge are used for evaluation, which contain 311 SNPs and 610 SNPs, respectively in the case-control groups, each consisted of with 200 individuals, In homomorphic encryption, the ciphertext modulus p and the number of levels in modulus chain L are set to 25600000039 and 51, respectively. The public and private key sizes are both around 2.6 GB. The lifting parameter for plaintext base is set to 1. The security level is 80. The number of columns in key switching is 2 and the Hamming distance is 64. To reduce computational complexity, we use L S = 864 slots in parallel computation. For secure integer division, ℳ is 25600000000. f and a are accordingly set to 28 and 15 for 200 individuals in each group. Table 4 provides the time cost for homomorphic evaluation of both datasets in chi-square statistics computation, including key generation, encryption, total and average execution time. Using multiple slots, the secure approximation division protocol can achieve the chisquare statistics computation in less than one second in average. Table 5 evaluates the accuracy of computation in terms of the mean-squared error (MSE) and maximum error between the exact and the approximate chi-square statistics, where the MSE are less than 5 × 10 −10 . The evaluation on maximum error also supports the conclusion.
Remarkably, we also computed the p-value for each SNP based on the chi-square statistic and applied different p-value cutoffs as 0.05, 0.01, and 0.005. The secure approximation division protocol is demonstrated to find out all the significant SNPs for both datasets under different p -value cutoffs. As a result, the proposed protocol provides a good tradeoff between accuracy and complexity for secure chi-square statistic computation. The inputs are positive integers m (i.e., dividend) and w (i.e., divisor) with corresponding upper boundsm andw . p is plaintext base; L is number of levels in modulus chain; and L s is number of slots for parallel computation. Moreover, the storage costs of key generation are also provided as reference.  Furthermore, we compare the two proposed protocols in the chi-squared statistics computation. For secure errorless division protocol, we use the same parameters list above, except that L is set to 151 to guarantee the required circuit depth in implementation. Table 6 and 7 compare the computational complexity and storage cost for the two protocols, respectively. In Table 6 the secure errorless division protocol requires about 10, 20 and 5 times in complexity for key generation, encryption, and execution (computation), when compared with the secure approximation division protocol. Table 7 shows that the ciphertext key sizes for secure errorless division are about 8 times larger due to the greater L. These results imply that the secure approximation division protocol provides a good trade-off in terms of complexity and accuracy for chi-squared statistic computation.

Discussions
In this section, we analyze the computational complexity of the proposed FORESEEE protocol and discuss its potential extension and its limitation.

Complexity analysis
In this subsection, we make an analysis on the computational complexity of the secure errorless division and secure approximation division protocols. Cumulative circuit depth2 (CCD) and the numbers of homomorphic multiplications (HMs) are provided for both protocols in the FORESEE framework.
We begin with the complexity analysis for secure errorless division protocol (i.e., Algorithm 1). As shown in Table 8 the number of HMs to calculateŝ * i at each iteration in A1 line 5 is 1. The number of HMs to obtain s * at each iteration in A1 lines 8 is also 1. Therefore, the CCD in calculatingŝ * i in A1 lines 4-6 are log p − 2 . The depths to obtain s * in A1 lines 7-9 are log p − 2 + h + 1 Table 9 provides the CCD and number of HMs for secure approximate division (i.e., Algorithm 3). The number of HMs to obtainX andX are d − 1 and C − 2, respectively. To evaluate Equation (18), the total number of HMs are d + 2C − 3. By using binary tree product based optimization, the circuit depths required for computingX andX are log (d − 1) + 1 and log (c − 2) + 1 ,respectively. Finally, the total CCD for secure approximate division operation is log (c − 2) + log (d − 1) + 3 .

Potential extension
In this paper, we proposed the FORESEE framework to address the problem of fully outsourcing chi-square statistic computation to a public cloud. However, the application scenarios for the FORESEE framework, especially the secure approximation division protocol, can be further extended to securely compute other statistics tests that involve division operations. One intuitive example is the Transmission disequilibrium test (TDT) developed to assess the genetic linkage between the genetic variants and disease status in family-based association studies. TDT is based on the binomial test with one degree of freedom, which is asymptotically equivalent to the chi-square hypothesis test.

Limitation
There are several limitations in the FORESEE framework. First, in secure approximation division protocol,   the upper bound of approximation error depends on the ciphertext modulus G. Therefore, G should be large enough to guarantee the accuracy in computation, which degrades the efficiency of the FORESEE framework. Second, the computational and storage costs based on homomorphic encryption are still very high. For example, key generation and encryption is much more timeconsuming than computation. The ciphertext sizes are also a heavy burden for communication. Finally, it is still a challenging problem to generalize the secure errorless division protocol. In summary, there is still room to improve the proposed division protocols in the FORESEE framework through better algorithm design, efficient coding in the HElib and parallelization.

Conclusion
In this paper, we proposed a novel FORESEE framework for the secure outsourcing GWAS in the iDASH genome privacy protect challenge, especially for the chi-square statistic computation. The proposed framework consists of two protocols for secure division operation, namely secure errorless division and secure approximation division. The secure errorless protocol made a bijection between floating numbers and a set of encrypted positive Table 8. Complexity analysis in terms of cumulative circuit depth2 (CCD) and the number of homomorphic multiplications (HMs) for secure errorless division protocol (Algorithm 1)  Table 9. Complexity analysis in terms of cumulative circuit depth2 (CCD) and the number of homomorphic multiplications (HMs) for secure approximation division (Algorithm 3) integers. Thus, it could output the accurate study results based on a lookup table. On the other hand, the secure approximation division protocol adopted secure integer division to obtain approximate study results with a tunable accuracy. The protocol was able to balance the complexity and accuracy by using the group-based computation and binary tree product with improved efficiency. In comparison to existing HME-based schemes [15,17,22], both protocols enabled fully outsourced secure GWAS in an untrusted public cloud and could directly release study results to authorized users for decryption. Experimental results show that the secure approximation division protocol can capture all the significant SNPs in chi-square statistic computation with a moderate computational complexity.