Hidden Markov model (HMM) is a popular statistical tool with a large number of applications in pattern recognition. In some of these applications, such as speaker recognition, the computation involves personal data that can identify individuals and must be protected. We thus treat the problem of designing privacy-preserving techniques for HMM and companion Gaussian mixture model computation suitable for use in speaker recognition and other applications. We provide secure solutions for both two-party and multi-party computation models and both semi-honest and malicious settings. In the two-party setting, the server does not have access in the clear to either the user-based HMM or user input (i.e., current observations) and thus the computation is based on threshold homomorphic encryption, while the multi-party setting uses threshold linear secret sharing as the underlying data protection mechanism. All solutions use floating-point arithmetic, which allows us to achieve high accuracy and provable security guarantees, while maintaining reasonable performance. A substantial part of this work is dedicated to building secure protocols for floating-point operations in the two-party setting, which are of independent interest.

We note that the meaning of t is defined differently in the literature for (n, t)-threshold encryption schemes and (n, t)-threshold secret sharing schemes. That is, in the former case, t shares are sufficient for reconstructing the secret, while in the latter case this can be achieved only with \(t+1\) shares. For compatibility with prior work, we choose to follow standard definitions.
Throughout this description we don’t describe the functionality of each building block. Such description will be given only for the building blocks that we need to implement in the malicious model.
We note that such probabilistic version is sufficient in some cases, while in others the function can be changed to always produce correct truncation with the use of extra comparison.
We also note that \(\mathsf TruncPR\) in [10] was designed to work on both positive and negative integers, while in our case supporting only nonnegative integers is sufficient.
We are grateful to Yihua Zhang for help with the multi-party experiments. This work was supported in part by grants CNS-1223699 and CNS-1319090 from the National Science Foundation and FA9550-13-1-0066 from the Air Force Office of Scientific Research. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the funding agencies.
Appendix: Additional two-party protocols in the semi-honest model
In this section, we provide four protocols: probabilistic truncation \(\mathsf TruncPR\), inversion \(\mathsf Inv\), prefix multiplication \(\mathsf PreMul\), and bit decomposition \(\mathsf BitDec\) secure in the semi-honest setting. All of these protocols have been modified from their original versions to the two-party setting using homomorphic encryption, but the structure of the computation remains unchanged. In all cases it is assumed that the inputs are nonnegative integers.
We first describe TruncPr protocol adapted from its original version in [10]. On input of \(\mathsf{Enc}(x), \ell \), and k, the protocol outputs \(\mathsf{Enc}(y) = \mathsf{Enc}(\lfloor x/2^k \rfloor + b)\), where b is a (random) bit. High-level description of the protocol is given in Sect. 8.5.

The above protocol assumes that \(k \ge 2\). When \(k = 1\), each \(P_i\) instead chooses \(r^{\prime }_i\) as a random bit in step 1, and in step 2 the parties compute \(\mathsf{Enc}(r^{\prime }) = \mathsf{Enc}(r^{\prime }_1 \oplus r^{\prime }_2) = \mathsf{Enc}(r^{\prime }_1) \cdot \mathsf{Enc}(r^{\prime }_2) \cdot (\mathsf{Mul}(\mathsf{Enc}(r^{\prime }_1), \mathsf{Enc}(r^{\prime }_2)))^{-2}\). The rest of the protocol remains unaffected.
The second protocol describes two-party computation of multiplicative inverse of x, where x is assumed to be a nonzero element of the group. High-level description of this protocol is given in Sect. 8.6.

The next protocol that we illustrate is two-party prefix multiplication \(\mathsf{PreMul}\), which is based on multi-party \(\mathsf PreMulC\) from [10]. High-level description of this protocol is given in Sect. 8.7.

The last protocol that we are going to describe here is bit decomposition \(\mathsf{BitDec}\), which originally appeared in [11] for the multi-party setting and modified it to work in our two-party setting based on homomorphic encryption. A high-level description of the protocol can be found in Sect. 8.8.

Aliasgari, M., Blanton, M. & Bayatbabolghani, F. Secure computation of hidden Markov models and secure floating-point arithmetic in the malicious model. Int. J. Inf. Secur. 16, 577–601 (2017). https://doi.org/10.1007/s10207-016-0350-0
