Privacy-Preserving Computations of Predictive Medical Models with Minimax Approximation and Non-Adjacent Form

Abstract

In 2014, Bos et al. introduced a cloud service scenario to provide private predictive analyses on encrypted medical data, and gave a proof of concept implementation by utilizing homomorphic encryption (HE) scheme. In their implementation, they needed to approximate an analytic predictive model to a polynomial, using Taylor approximations. However, their approach could not reach a satisfactory compromise so that they just restricted the pool of data to guarantee suitable accuracy. In this paper, we suggest and implement a new efficient approach to provide the service using minimax approximation and Non-Adjacent Form (NAF) encoding. With our method, it is possible to remove the limitation of input range and reduce maximum errors, allowing faster analyses than the previous work. Moreover, we prove that the NAF encoding allows us to use more efficient parameters than the binary encoding used in the previous work or balaced base-B encoding. For comparison with the previous work, we present implementation results using HElib. Our implementation gives a prediction with 7-bit precision (of maximal error 0.0044) for having a heart attack, and makes the prediction in 0.5 s on a single laptop. We also implement the private healthcare service analyzing a Cox Proportional Hazard Model for the first time.

Appendices

A Approximation Polynomials

In this section, we list the approximation polynomials those have been used in this paper and the implementation.

1.1 A.1 Minimax Approximation for Logistic Model

(See Table 8).

Table 8. Coefficients of minimax polynomials for logistic model in [\(-3.7,3.7\)]

1.2 A.2 Minimax Approximation for Cox Model

(See Table 9).

Table 9. Coefficients of minimax polynomials for Cox model

B Proof of Theorem 3

For \(p\in \mathbb {Z}[x]\), we use \(\Vert p\Vert _{\infty }\) to denote the maximum of absolute values of coefficients. We use \(\mathbb {Z}_{+}[x]\) to denote the set of polynomials with coefficients of nonnegative integers. Let \(p\in \mathbb {Z}_{+}[x]\) be a polynomial of degree n defined by \(p(x)=\sum _{i=0}^{n}p_ix^i\). Regarding \(p_j = 0\) for all \(j\ge n+1\), we define two vector representations of p as follows:

$$R_{std}(p):=(p_0,p_1,p_2,\cdots , p_i, \cdots )\text {~~ and ~~}R_{dec}(p):=(\tilde{p}_0,\tilde{p}_1,\tilde{p}_2,\cdots , \tilde{p_i}, \cdots ),$$

where {\(\tilde{p}_i\)} is the rearrangement of {\(p_i\)} in decreasing order. \(R_{dec}(p)\) is well-defined since p has only finite number of positive terms. For \(p,q\in \mathbb {Z}_+[x]\), define a equivalence relation \(\sim \) as following.

$$p\sim q \Leftrightarrow R_{dec}(p)=R_{dec}(q)$$

For any polynomial \(p(x)=\sum _{i=0}^{n}p_ix^i\), we define \(|p|\in \mathbb {Z}_+[x]\) by \(|p|(x)=\sum _{i=0}^{n}|p_i|x^i\).

Definition 7

( \(\varvec{\Lambda }\) -shaped). For \(p\in \mathbb {Z}_+[x]\), we give some new definitions below.

1. 1.

   p is \(\Lambda \)-shaped if \(R_{std}(p)=(p_0,p_1,p_2,\cdots )\) satisfies the following condition.

   • (bisymmetricity) There exists \(a\in \mathbb {Z}\cup (\mathbb {Z}+\frac{1}{2})\) such that \(p_{\lfloor a+i+\frac{1}{2}\rfloor } = p_{\lceil a-i-\frac{1}{2}\rceil } \) for all \(i\le \lceil a-\frac{1}{2}\rceil \) and \(p_i=0\) for all \(i>\lceil a-\frac{1}{2}\rceil \).

   • (one-peakness) If \(p_i>p_{i+1}\) for some i, then \(p_j\ge p_{j+1}\) for all \(j\ge i\).

2. 2.

   A polynomial p is potentially \(\Lambda \)-shaped if \(p\sim q\) for some \(\Lambda \)-shaped q with nonzero constant term. In this case, we denote this q as \(\hat{p}\).

In other words, \(p\in \mathbb {Z}_+[x]\) is \(\Lambda \)-shaped if \(R_{std}(p)\) is bisymmetric after erasing some zeros at the end of the sequence and has at most one peak. We present a lemma which asserts that the set of \(\Lambda \)-shaped polynomials in \(\mathbb {Z}_+[x]\) is closed for multiplication of polynomials as follows.

Lemma 3

A finite product of \(\Lambda \)-shaped polynomials is \(\Lambda \)-shaped.

Proof

It is enough to show for products of two \(\Lambda \)-shaped polynomials. For potentially \(\Lambda \)-shaped polynomials q and r, let \(R^{sym}_{std}(\hat{q})=(\hat{q}_0,\hat{q}_1,\hat{q}_2,\cdots ,\hat{q}_n)\) and \(R^{sym}_{std}(\hat{r})=(\hat{r}_0,\hat{r}_1,\hat{r}_2,\cdots ,\hat{r}_m)\) be bisymmetric sequences obtained by erasing some zeros at the end of \(R_{std}(\hat{q})\) and \(R_{std}(\hat{r})\) respectively. Then,

$$R_{std}(\hat{q}\cdot \hat{r})=(\sum _{i+j=0} \hat{q}_i\hat{r}_j,\sum _{i+j=1} \hat{q}_i\hat{r}_j,\cdots ,\sum _{i+j=n+m} \hat{q}_i\hat{r}_j,0,\cdots ).$$

The bisymmetricity holds since

$$\sum _{i+j=k} \hat{q}_i\hat{r}_j=\sum _{i+j=k} \hat{q}_{n-i}\hat{r}_{m-j}=\sum _{i+j=n+m-k} \hat{q}_i\hat{r}_j,$$

and the one-peakness comes from

$$\sum _{i+j=k} \hat{q}_i\hat{r}_j\le \sum _{i+j=k} \hat{q}_{i+1}\hat{r}_{j}\le \sum _{i+j=k+1} \hat{q}_i\hat{r}_j ~\text {for all}~k<\frac{n+m}{2}.$$

   \(\square \)

Definition 8

Define a partial order \(\preceq \) on \(\mathbb {Z}_+[x]\) as following. For p and q \(\in \mathbb {Z}_+[x]\), let \(R_{dec}(p)=(p_0,p_1,p_2,\cdots )\) and \(R_{dec}(q)=(q_0,q_1,q_2,\cdots )\).

$$\begin{aligned} p\preceq q&\iff R_{dec}(q) ~majorizes~ R_{dec}(p).\\&\iff \sum _{i=0}^{\infty } p_i = \sum _{i=0}^{\infty } q_i~\text {and}~\sum _{i=0}^{k} p_i \le \sum _{i=0}^{k} q_i ~\text {for all}~ k\in \mathbb {N}. \end{aligned}$$

Lemma 4

If q and r are potentially \(\Lambda \)-shaped,

$$p\preceq q \implies p r\preceq \hat{q} \hat{r}.$$

Sketch of Proof. Let \(R_{std}(p)=(p_0,p_1,p_2,\cdots )\) and \(R_{std}(q)=(q_0,q_1,q_2,\cdots )\). For \(R^{sym}_{std}(\hat{q})\) and \(R^{sym}_{std}(\hat{r})\), let us recycle the notations used in the proof of the Lemma 3. It is enough to show the following inequality holds for all \(t\in \mathbb {N}\) and \(K\subset \mathbb {N}\cup \{0\}\) with \(|K|=t\), denoting \(K_{n+m}\) as \( \mathbb {Z}\cap \left[ \lceil \frac{n+m-t+1}{2} \rceil , \lfloor \frac{n+m+t}{2} \rfloor \right] \) of t elements.

$$\sum _{k\in K}\sum _{i+j=k} p_ir_j\le \sum _{k\in K_{n+m}}\sum _{i+j=k} \hat{q}_i\hat{r}_j,$$

or equivalently,

$$\sum _{j=0}^{\infty }\left( r_j\sum _{i+j\in K} p_i \right) \le \sum _{j=0}^{\infty }\left( \hat{r}_j\sum _{i+j \in K_{n+m}} \hat{q}_i\right) .$$

Now the proof is completed by the fact that \(\left( \sum _{i+j \in K_{n+m}} \hat{q}_i\right) \text { majorizes } \left( \sum _{i+j\in K} p_i\right) \) as sequences with index j, which directly comes from the assumption \(p\preceq q\).   \(\square \)

Theorem 4

If \(p_i\)’s are potentially \(\Lambda \)-shaped,

$$\prod _{i=1}^{n} p_i\preceq \prod _{i=1}^{n} \hat{p_i}.$$

Proof

Suppose the theorem is true when \(n=k-1\). Then by Lemmas 3 and 4,

$$\prod _{i=1}^{k} p_i=p_k\cdot \prod _{i=1}^{k-1} p_i\preceq \hat{p_k}\cdot \prod _{i=1}^{k-1} \hat{p_i}=\prod _{i=1}^{k} \hat{p_i}.$$

When \(n=1\), it is trivial. By mathematical induction, the theorem is proved.   \(\square \)

Corollary 1

If \(p_i\)’s are binary polynomials,

$$\left\| ~\prod _{i=1}^{n} p_i~\right\| _{\infty }\le \left\| ~\prod _{i=1}^{n} \hat{p_i}~\right\| _{\infty }.$$

Proof

Directly follows from Theorem 4 and the fact that every binary polynomial is potentially \(\Lambda \)-shaped.   \(\square \)

Theorem 5

If a NAF polynomial p lies in \(P_n\), the following inequality holds. Furthermore, the bound is sharp.

$$\Vert p^e\Vert _{\infty }\le c_{([\frac{n+1}{2}],e)}.$$

Proof

We have

$$\Vert p^e\Vert _{\infty }\le \Vert |p|^e\Vert _{\infty }\le \Vert \hat{|p|}^e\Vert _{\infty } \le c_{([\frac{n+1}{2}],e)},$$

where the first inequality follows from the triangle inequality and the second inequality comes from Corollary 1. The third inequality follows from the definition of NAF: the number of nonzero terms of NAF polynomial cannot exceed the half of the number of terms. For sharpness, consider the alternating NAF which make the equality holds: \((1010\cdots )_{NAF}\).   \(\square \)

Finally we obtain the first equation of Theorems 3 from Theorem 2 and 5. The second equation is also obtained from simple calculations combining Theorem 2 and the first equation.