Abstract
In 2014, Bos et al. introduced a cloud service scenario to provide private predictive analyses on encrypted medical data, and gave a proof of concept implementation by utilizing homomorphic encryption (HE) scheme. In their implementation, they needed to approximate an analytic predictive model to a polynomial, using Taylor approximations. However, their approach could not reach a satisfactory compromise so that they just restricted the pool of data to guarantee suitable accuracy. In this paper, we suggest and implement a new efficient approach to provide the service using minimax approximation and Non-Adjacent Form (NAF) encoding. With our method, it is possible to remove the limitation of input range and reduce maximum errors, allowing faster analyses than the previous work. Moreover, we prove that the NAF encoding allows us to use more efficient parameters than the binary encoding used in the previous work or balaced base-B encoding. For comparison with the previous work, we present implementation results using HElib. Our implementation gives a prediction with 7-bit precision (of maximal error 0.0044) for having a heart attack, and makes the prediction in 0.5 s on a single laptop. We also implement the private healthcare service analyzing a Cox Proportional Hazard Model for the first time.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Since only integer operations (addition and multiplication) are provided by the HE scheme, they needed to approximate the model to a polynomial which can be computed only by addition and multiplication.
- 2.
Measured 200 male patients, over an observation period which remains unspecific.
- 3.
\(C(\mathbf {x}) = 1 - 0.88936^{\exp (\mathbf {x}- 23.9802)}\) for men.
- 4.
We only give errors for odd degree polynomials, since in Taylor expansion of logistic function, constant and odd degree terms only appear. This is because the logistic function is a odd function up to a constant.
- 5.
Let us denote the maximum error between the function and the minimax approximation by e, and the oscillating error of kth iteration by \(e_k\). The rate of convergence being quadratic means \(|e-e_k|=O(|e-e_{k+1}|^2)\).
- 6.
The detailed formula can be found in [CSVW].
- 7.
References
Achieser, N.I.: Theory of Approximation. Courier Corporation, Chelmsford (2013)
Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. Cryptology ePrint Archive, Report 2017/047 (2017). http://eprint.iacr.org/2017/047
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Abadi, A., Yavari, P., Dehghani-Arani, M., Alavi-Majd, H., Ghasemi, E., Amanpour, F., Bajdik, C.: Cox models survival analysis based on breast cancer treatments. Iran. J. Cancer Prev. 7(3), 124 (2014)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, pp. 309–325. ACM (2012)
Bos, J.W., Lauter, K., Loftus, J., Naehrig, M.: Improved security for a ring-based fully homomorphic encryption scheme. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 45–64. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-45239-0_4
Bos, J.W., Lauter, K., Naehrig, M.: Private predictive analysis on encrypted medical data. J. Biomed. Inform. 50, 234–243 (2014)
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
Biondo, S., Ramos, E., Deiros, M., Ragué, J.M., De Oca, J., Moreno, P., Farran, L., Jaurrieta, E.: Prognostic factors for mortality in left colonic peritonitis: a new scoring system. J. Am. Coll. Surg. 191(6), 635–642 (2000)
Boekholdt, S.M., Sacks, F.M., Jukema, J.W., Shepherd, J., Freeman, D.J., McMahon, A.D., Cambien, F., Nicaud, V., De Grooth, G.J., Talmud, P.J., et al.: Cholesteryl ester transfer protein TaqIB variant, high-density lipoprotein cholesterol levels, cardiovascular risk, and efficacy of pravastatin treatment individual patient meta-analysis of 13 677 subjects. Circulation 111(3), 278–287 (2005)
Boyd, C.R., Tolson, M.A., Copes, W.S.: Evaluating trauma care: the TRISS method. J. Trauma Acute Care Surg. 27(4), 370–378 (1987)
Blankstein, R., Ward, R.P., Arnsdorf, M., Jones, B., Lou, Y.-B., Pine, M.: Female gender is an independent predictor of operative mortality after coronary artery bypass graft surgery contemporary analysis of 31 midwestern hospitals. Circulation 112(9 suppl), I–323 (2005)
Cheon, J.H., Coron, J.-S., Kim, J., Lee, M.S., Lepoint, T., Tibouchi, M., Yun, A.: Batch fully homomorphic encryption over the integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_20
Cheon, J.H., Kim, J., Lee, M.S., Yun, A.: CRT-based fully homomorphic encryption over the integers. Inf. Sci. 310, 149–162 (2015)
Coron, J.-S., Lepoint, T., Tibouchi, M.: Cryptanalysis of two candidate fixes of multilinear maps over the integers. IACR Cryptology ePrint Archive 2014, p. 975 (2014)
Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic encryption over the integers with shorter public keys. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_28
Coron, J.-S., Naccache, D., Tibouchi, M.: Public key compression and modulus switching for fully homomorphic encryption over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 446–464. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_27
Cox, D.R., Oakes, D.: Analysis of Survival Data, vol. 21. CRC Press, Boca Raton (1984)
Cox, D.R.: The regression analysis of binary sequences. J. R. Stat. Soc. Ser. B (Methodol.) 20(2), 215–242 (1958). JSTOR. www.jstor.org/stable/2983890
Cox, D.R.: Regression models and life-tables. J. R. Stat. Soc. Ser. B 34(2), 187–220 (1972)
Cox, D.R.: Regression models and life-tables. In: Kotz, S., Johnson, N.L. (eds.) Breakthroughs in Statistics. SSS, pp. 527–541. Springer, New York (1992). https://doi.org/10.1007/978-1-4612-4380-9_37
Costache, A., Smart, N.P., Vivek, S., Waller, A.: Fixed point arithmetic in SHE schemes. Technical report, Cryptology ePrint Archive, Report 2016/250 (2016). http://eprint.iacr.org/2016/250
Dowlin, N., Gilad-Bachrach, R., Laine, K., Lauter, K., Naehrig, M., Wernsing, J.: Manual for using homomorphic encryption for bioinformatics. Microsoft Research (2015). http://research.microsoft.com/pubs/258435/ManualHEv2.pdf
D’Agostino, R.B., Pencina, M.J., Massaro, J.M., Coady, S.: Cardiovascular disease risk assessment: insights from Framingham. Glob. Heart 8(1), 11–23 (2013)
D’Agostino, R.B., Vasan, R.S., Pencina, M.J., Wolf, P.A., Cobain, M., Massaro, J.M., Kannel, W.B.: General cardiovascular risk profile for use in primary care the Framingham heart study. Circulation 117(6), 743–753 (2008)
http://www.framinghamheartstudy.org/risk-functions/cardiovascular-disease/10-year-risk.php
Fraser, W.: A survey of methods of computing minimax and near-minimax polynomial approximations for functions of a single independent variable. J. ACM (JACM) 12(3), 295–314 (1965)
Gentry, C.: A fully homomorphic encryption scheme. PhD thesis, Stanford University (2009). https://crypto.stanford.edu/craig/
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing-STOC 2009, pp. 169–169. ACM Press (2009)
Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. Cryptology ePrint Archive, Report 2012/099 (2009). https://eprint.iacr.org/2012/099
Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49
Halevi, S., Shoup, V.: Design and implementation of a homomorphic-encryption library. IBM Research, Manuscript (2013)
Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_31
Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_25
Kologlu, M., Elker, D., Altun, H., Sayek, I.: Validation of MPI and PIA II in two different groups of patients with secondary peritonitis. Hepatogastroenterology 48(37), 147–151 (2000)
http://www.claudiaflowers.net/rsch8140/logistic_regression_example.htm
Mattner, L., Roos, B.: Maximal probabilities of convolution powers of discrete uniform distributions. Stat. Probab. Lett. 78(17), 2992–2996 (2008)
Novodvorskii, E.P., Pinsker, I.S.: The process of equating maxima. Uspekhi Matematicheskikh Nauk 6(6), 174–181 (1951)
Remez, E.Y.: Sur le calcul effectif des polynomes d’approximation de tschebyscheff. CR Acad. Sci. Paris 199, 337–340 (1934)
Rivlin, T.-J.: Chebyshev Polynomials. Wiley, New York (1990)
Smart, N.P., Vercauteren, F.: Fully homomorphic SIMD operations. Des. Codes Crypt. 71(1), 57–81 (2014)
Truett, J., Cornfield, J., Kannel, W.: A multivariate analysis of the risk of coronary heart disease in Framingham. J. Chronic Dis. 20(7), 511–524 (1967)
Tabaei, B.P., Herman, W.H.: A multivariate logistic regression equation to screen for diabetes development and validation. Diab. Care 25(11), 1999–2003 (2002)
Tolosie, K., Sharma, M.K.: Application of Cox proportional hazards model in case of tuberculosis patients in selected Addis Ababa health centres, Ethiopia. Tuberc. Res. Treat. 2014, 11 p. (2014). https://doi.org/10.1155/2014/536976. Article ID 536976
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2
Veidinger, L.: On the numerical determination of the best approximations in the Chebyshev sense. Numer. Math. 2(1), 99–105 (1960)
Acknowledgement
This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. B0717-16-0098). The authors would like to thank Yong Soo Song, Kyoohyung Han, and the anonymous reviewers for valuable comments and suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Approximation Polynomials
In this section, we list the approximation polynomials those have been used in this paper and the implementation.
1.1 A.1 Minimax Approximation for Logistic Model
(See Table 8).
1.2 A.2 Minimax Approximation for Cox Model
(See Table 9).
B Proof of Theorem 3
For \(p\in \mathbb {Z}[x]\), we use \(\Vert p\Vert _{\infty }\) to denote the maximum of absolute values of coefficients. We use \(\mathbb {Z}_{+}[x]\) to denote the set of polynomials with coefficients of nonnegative integers. Let \(p\in \mathbb {Z}_{+}[x]\) be a polynomial of degree n defined by \(p(x)=\sum _{i=0}^{n}p_ix^i\). Regarding \(p_j = 0\) for all \(j\ge n+1\), we define two vector representations of p as follows:
where {\(\tilde{p}_i\)} is the rearrangement of {\(p_i\)} in decreasing order. \(R_{dec}(p)\) is well-defined since p has only finite number of positive terms. For \(p,q\in \mathbb {Z}_+[x]\), define a equivalence relation \(\sim \) as following.
For any polynomial \(p(x)=\sum _{i=0}^{n}p_ix^i\), we define \(|p|\in \mathbb {Z}_+[x]\) by \(|p|(x)=\sum _{i=0}^{n}|p_i|x^i\).
Definition 7
( \(\varvec{\Lambda }\) -shaped). For \(p\in \mathbb {Z}_+[x]\), we give some new definitions below.
-
1.
p is \(\Lambda \)-shaped if \(R_{std}(p)=(p_0,p_1,p_2,\cdots )\) satisfies the following condition.
-
(bisymmetricity) There exists \(a\in \mathbb {Z}\cup (\mathbb {Z}+\frac{1}{2})\) such that \(p_{\lfloor a+i+\frac{1}{2}\rfloor } = p_{\lceil a-i-\frac{1}{2}\rceil } \) for all \(i\le \lceil a-\frac{1}{2}\rceil \) and \(p_i=0\) for all \(i>\lceil a-\frac{1}{2}\rceil \).
-
(one-peakness) If \(p_i>p_{i+1}\) for some i, then \(p_j\ge p_{j+1}\) for all \(j\ge i\).
-
-
2.
A polynomial p is potentially \(\Lambda \)-shaped if \(p\sim q\) for some \(\Lambda \)-shaped q with nonzero constant term. In this case, we denote this q as \(\hat{p}\).
In other words, \(p\in \mathbb {Z}_+[x]\) is \(\Lambda \)-shaped if \(R_{std}(p)\) is bisymmetric after erasing some zeros at the end of the sequence and has at most one peak. We present a lemma which asserts that the set of \(\Lambda \)-shaped polynomials in \(\mathbb {Z}_+[x]\) is closed for multiplication of polynomials as follows.
Lemma 3
A finite product of \(\Lambda \)-shaped polynomials is \(\Lambda \)-shaped.
Proof
It is enough to show for products of two \(\Lambda \)-shaped polynomials. For potentially \(\Lambda \)-shaped polynomials q and r, let \(R^{sym}_{std}(\hat{q})=(\hat{q}_0,\hat{q}_1,\hat{q}_2,\cdots ,\hat{q}_n)\) and \(R^{sym}_{std}(\hat{r})=(\hat{r}_0,\hat{r}_1,\hat{r}_2,\cdots ,\hat{r}_m)\) be bisymmetric sequences obtained by erasing some zeros at the end of \(R_{std}(\hat{q})\) and \(R_{std}(\hat{r})\) respectively. Then,
The bisymmetricity holds since
and the one-peakness comes from
\(\square \)
Definition 8
Define a partial order \(\preceq \) on \(\mathbb {Z}_+[x]\) as following. For p and q \(\in \mathbb {Z}_+[x]\), let \(R_{dec}(p)=(p_0,p_1,p_2,\cdots )\) and \(R_{dec}(q)=(q_0,q_1,q_2,\cdots )\).
Lemma 4
If q and r are potentially \(\Lambda \)-shaped,
Sketch of Proof. Let \(R_{std}(p)=(p_0,p_1,p_2,\cdots )\) and \(R_{std}(q)=(q_0,q_1,q_2,\cdots )\). For \(R^{sym}_{std}(\hat{q})\) and \(R^{sym}_{std}(\hat{r})\), let us recycle the notations used in the proof of the Lemma 3. It is enough to show the following inequality holds for all \(t\in \mathbb {N}\) and \(K\subset \mathbb {N}\cup \{0\}\) with \(|K|=t\), denoting \(K_{n+m}\) as \( \mathbb {Z}\cap \left[ \lceil \frac{n+m-t+1}{2} \rceil , \lfloor \frac{n+m+t}{2} \rfloor \right] \) of t elements.
or equivalently,
Now the proof is completed by the fact that \(\left( \sum _{i+j \in K_{n+m}} \hat{q}_i\right) \text { majorizes } \left( \sum _{i+j\in K} p_i\right) \) as sequences with index j, which directly comes from the assumption \(p\preceq q\). \(\square \)
Theorem 4
If \(p_i\)’s are potentially \(\Lambda \)-shaped,
Proof
Suppose the theorem is true when \(n=k-1\). Then by Lemmas 3 and 4,
When \(n=1\), it is trivial. By mathematical induction, the theorem is proved. \(\square \)
Corollary 1
If \(p_i\)’s are binary polynomials,
Proof
Directly follows from Theorem 4 and the fact that every binary polynomial is potentially \(\Lambda \)-shaped. \(\square \)
Theorem 5
If a NAF polynomial p lies in \(P_n\), the following inequality holds. Furthermore, the bound is sharp.
Proof
We have
where the first inequality follows from the triangle inequality and the second inequality comes from Corollary 1. The third inequality follows from the definition of NAF: the number of nonzero terms of NAF polynomial cannot exceed the half of the number of terms. For sharpness, consider the alternating NAF which make the equality holds: \((1010\cdots )_{NAF}\). \(\square \)
Finally we obtain the first equation of Theorems 3 from Theorem 2 and 5. The second equation is also obtained from simple calculations combining Theorem 2 and the first equation.
Rights and permissions
Copyright information
© 2017 International Financial Cryptography Association
About this paper
Cite this paper
Cheon, J.H., Jeong, J., Lee, J., Lee, K. (2017). Privacy-Preserving Computations of Predictive Medical Models with Minimax Approximation and Non-Adjacent Form. In: Brenner, M., et al. Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science(), vol 10323. Springer, Cham. https://doi.org/10.1007/978-3-319-70278-0_4
Download citation
DOI: https://doi.org/10.1007/978-3-319-70278-0_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70277-3
Online ISBN: 978-3-319-70278-0
eBook Packages: Computer ScienceComputer Science (R0)