Outsourcing analyses on privacy-protected multivariate categorical data stored in untrusted clouds

Abstract

Outsourcing data storage and computation to the cloud is appealing due to the cost savings it entails. However, when the data to be outsourced contain private information, appropriate protection mechanisms should be implemented by the data controller. Data splitting, which consists of fragmenting the data and storing them in separate clouds for the sake of privacy preservation, is an interesting alternative to encryption in terms of flexibility and efficiency. However, multivariate analyses on data split among various clouds are challenging, and they are even harder when data are nominal categorical (i.e., textual, non-ordinal), because the standard arithmetic operators cannot be used. In this article, we tackle the problem of outsourcing multivariate analyses on nominal data split over several honest-but-curious clouds. Specifically, we propose several secure protocols to outsource to multiple clouds the computation of a variety of multivariate analyses on nominal categorical data (frequency-based and semantic-based). Our protocols have been designed to outsource as much workload as possible to the clouds, in order to retain the cost-saving benefits of cloud computing while ensuring that the outsourced stay split and hence privacy-protected versus the clouds. The experiments we report on the Amazon cloud service show that by using our protocols the controller can save nearly all the runtime because it can integrate partial results received from the clouds with very little computation.

Appendices

A Semantic distance calculation

The semantic distance quantifies the difference between the meaning of two nominal values. Semantic similarity/distance measures rely on the semantic evidences gathered from knowledge bases, such as ontologies, which taxonomically structure the concepts of a domain of knowledge [7]. Formally, an ontology\({\mathcal {O}}\) is composed, at least, of a set of concepts or classes C organized in a directed acyclic graph (due to multiple inheritance) by means of is-a (\(c_i < c_j\)) relationships [10], as shown in Fig. 2.

Fig. 2

Ontology extract for the “Diagnosis” concept

Measuring the semantic distance in large ontologies can be costly. In this section, we discuss the computational cost of some well-known measures by relying on the concepts introduced in the following definition.

Definition 1

Let \(S(\mathbf{X^a} )\) be the set of subsumers (i.e., taxonomic ancestors) of the nominal values of attribute \(\mathbf X^a\) mapped in an ontology \({\mathcal {O}}\). The least common subsumer of \(\mathbf X^a\), denoted by \(LCS(\mathbf{X^a})\), is the most specific concept in \(S(\mathbf{X^a})\). Formally,

$$\begin{aligned} S(\mathbf{X^a})= & {} \{ c_i \in {\mathcal {O}} | \forall c_j \in \mathbf{X^a} : c_j \le c_i\}; \\ LCS(\mathbf{X^a})= & {} \{ c \in S(\mathbf{X^a}) | \forall c_i \in S(\mathbf{X^a}) : c \le c_i\}. \end{aligned}$$

The semantic distance is defined as a function \(d_s: {\mathcal {O}} \times {\mathcal {O}} \rightarrow {\mathbb {R}}\) mapping a pair of concepts (corresponding to nominal values) to a real number that quantifies the difference between their meanings. According to the calculation principle employed, ontology-based measures can be divided in three families:

1. 1.

   Edge-counting measures.

2. 2.

   Feature-based measures.

3. 3.

   Measures based on information content.

1.1 A. 1 Edge-counting measures

They estimate the semantic distance between concept pairs as a function of the length of the taxonomic path connecting the two concepts in the ontology [33].

A well-known edge-counting measure was proposed by Wu and Palmer [50]:

$$\begin{aligned} d_{\text {WP}} (c_1 , c_2) = 1 - \frac{2\times \text {depth}(LCS( c_1 , c_2 ))}{\mathrm{denominator}}, \end{aligned}$$

(10)

where \({\mathrm{denominator}} = 2\times \text {depth}(LCS( c_1 , c_2 )) + \text {path}(c_1, LCS( c_1 , c_2 )) + \text {path}(c_2, LCS( c_1 , c_2 ))\); \(LCS(c_1 ,c_2)\) is the most specific subsumer of \(c_1\) and \(c_2\) in the ontology; \(\text {depth}(LCS( c_1 , c_2 ))\) is the number of nodes in the longest taxonomic path between the \(LCS(c_1 ,c_2 )\) and the node root of the taxonomy; and \(\text {path}(c_i, LCS( c_1,\)\(c_2 ))\) is the number of taxonomic edges in the shortest taxonomic path between the two concepts.

Simplicity is the main advantage of edge-counting measures. However, they present some shortcomings: (1) if they are applied to ontologies incorporating multiple taxonomical inheritance, several taxonomical paths are not taken into account, and (2) by considering only the paths (i.e., subsumers) between the concepts, much of the taxonomical knowledge explicitly modeled in the ontology is ignored.

Assuming that concepts in the ontology are linked with their ancestors through pointers, in the worst case (comparing the two most specific concepts in the ontology that have the root node as LCS), obtaining the \(LCS(c_1 ,c_2)\) requires running through the longest path in the taxonomy, i.e., twice the taxonomy depth D. Therefore, it takes O(D) cost to compute Expression (10).

1.2 A.2 Feature-based measures

They consider the degree of overlap between the sets of ontological features of the concepts to be compared. In [40], the authors suggested measuring the semantic distance as a function of taxonomic features, i.e., as the ratio between the number of non-common taxonomic ancestors and the total number of ancestors of the two concepts:

$$\begin{aligned}&d_{\mathrm{log}\text {SC}} ( c_1 , c_2 ) \nonumber \\&\quad = \log _{2} \left( 1 + \frac{|S(c_1)\cup S(c_2)|-|S(c_1)\cap S(c_2)|}{|S(c_1)\cup S(c_2)|}\right) , \end{aligned}$$

(11)

where \(S(c_i)\) is the set of taxonomic subsumers of the concept \(c_i\), for \(i = 1,2\). Due to the additional knowledge feature-based measures take into account (i.e., multiple direct ancestors in case of multiple inheritance), they tend to be more accurate than edge-counting measures [40].

If S is the maximum number of ancestors that a concept can have in the ontology, computing Expression (11) takes O(S) cost. Notice that, for ontologies without multiple inheritance, this cost is the same as the one of edge-counting measures.

1.3 A.3 Measures based on information content

They measure the semantic distance between two concepts as the inverse of the amount of information they share in the ontology, which is represented by their LCS [35]. In particular, Lin [30] proposed as a measure the inverse of the ratio between the information content of the LCS of the concepts and the sum of the information content of each concept.

$$\begin{aligned} d_{\text {lin}}(c_1,c_2) =1- \frac{IC(LCS(c_1,c_2))}{IC(c_1)+IC(c_2)}. \end{aligned}$$

(12)

In [41], IC(c) is intrinsically estimated within the ontology as the normalized ratio between the number of leaves (i.e., terminal hyponyms) under concept c in the taxonomy and the number of subsumers of c:

$$\begin{aligned} IC(c) = - \log \left( \frac{\frac{|\text {leaves}(c)|}{|S(c)|}+1}{|\text {max\_leaves}+1|}\right) . \end{aligned}$$

(13)

Thanks to IC-based measures exploiting the largest amount of ontological evidence (i.e., ancestors and leaves), they achieve better accuracy than edge-counting and feature-based measures [6].

Expression (12) requires computing the LCS of the two concepts, plus the ICs of the LCS and the concepts. Like in edge-counting measures, computing the LCS has a worst-case complexity O(D). On the other hand, Expression (13) requires obtaining all the possible concepts connected to c, either subsumers of hyponyms; hence, in the worst case (i.e., when c is the root node, which subsumes all the concepts in the ontology), the IC computation takes O(C) cost, where C is the total number of concepts in the taxonomy. In conclusion, Expression (12) has \(O(C+D)\) computational cost. Thus, IC-based measures are not only the most accurate but also the costliest.

B Security of the scalar product protocols used

1.1 B. 1 Proof of Proposition 1

Charlie receives \(\varvec{r}'_x\) from Alice. But \(\varvec{r}'_x\) can be obtained as the difference between \(\hat{\varvec{x}}'+{\varvec{k}}\) and \({\varvec{x}}+{\varvec{k}}\), where \({\varvec{k}}\) is an n-vector with all its components set to k and k is any real number. Hence, Charlie learns nothing about \(\varvec{x}\). A similar argument shows that Charlie learns nothing about \(\varvec{y}\).

Bob receives \(\hat{\varvec{x}}'\) from Alice and \({\varvec{r}}_y\) from Charlie. Clearly, \({\varvec{r}}_y\) contains no information on \({\varvec{x}}\). On the other hand,

$$\begin{aligned} \hat{\varvec{x}}' = {{{\mathcal {P}}}}_x(\hat{\varvec{x}})= {{{\mathcal {P}}}}_x({\varvec{x}}+{\varvec{r}}_x). \end{aligned}$$

Since \(\mathbf{P}_x\) is a random permutation, the probability of Bob’s learning \(\hat{\varvec{x}}\) from \(\hat{\varvec{x}}'\) is 1 over the number of permutations of \(\hat{\varvec{x}}\), that is

$$\begin{aligned} \frac{n^x_1! n^x_2! \ldots n^x_{d_x}!}{n!}, \end{aligned}$$

where \(d_x\) is the number of different values among the n values of \(\hat{\varvec{x}}\), and \(n^x_i\) is the number of repetitions of the ith different value. Since \(\hat{\varvec{x}}\) is the result of adding a random vector to \({\varvec{x}}\), it is highly unlikely that \(\hat{\varvec{x}}\) contains repeated values, so the probability of Bob’s learning \(\hat{\varvec{x}}\) is very low. Furthermore, Bob does not know \({\varvec{r}}_x\). Without knowledge of \(\hat{\varvec{x}}\) and \({\varvec{r}}_x\), Bob cannot learn \(\varvec{x}\).

The argument on the inability of Alice to learn \(\varvec{y}\) is analogous.

1.2 B.2 On the security of Protocol 2

Protocol 2 is a variation of a protocol proposed in [23]. The latter protocol takes place only between Alice and Bob and there is no CLARUS proxy. Thus it differs from Protocol 2 in the last three steps, which are as follows:

1. 4.

   Bob generates a random plaintext \(s_B\), a random number \(r'\) and sends \(\omega ' = \omega Enc_{p_k}(-s_B;r')\) to Alice.

2. 5.

   Alice computes \(s_A = Dec_{s_k}(\omega ') = \varvec{x}^T \varvec{y} - s_B\).

3. 6.

   Alice and Bob simultaneously exchange the values \(s_A\) and \(s_B\), respectively, so that both can compute \(s_A + s_B = \varvec{x}^T \varvec{y}\).

The authors of [23] prove that, if Paillier’s cryptosystem is secure, Alice cannot learn \({\varvec{y}}\) and Bob cannot learn \(\mathbf{x}\) in their protocol.

The only modification introduced by Protocol 2 is that Alice and Bob do not share their results \(s_A\) and \(s_B\), but they send these values to CLARUS. Since neither Alice nor Bob have more information than in the protocol of [23], the security of the latter protocol is preserved in Protocol 2.