- Research
- Open access
- Published:
Privacy-preserving search for chemical compound databases
BMC Bioinformatics volume 16, Article number: S6 (2015)
Abstract
Background
Searching for similar compounds in a database is the most important process for in-silico drug screening. Since a query compound is an important starting point for the new drug, a query holder, who is afraid of the query being monitored by the database server, usually downloads all the records in the database and uses them in a closed network. However, a serious dilemma arises when the database holder also wants to output no information except for the search results, and such a dilemma prevents the use of many important data resources.
Results
In order to overcome this dilemma, we developed a novel cryptographic protocol that enables database searching while keeping both the query holder's privacy and database holder's privacy. Generally, the application of cryptographic techniques to practical problems is difficult because versatile techniques are computationally expensive while computationally inexpensive techniques can perform only trivial computation tasks. In this study, our protocol is successfully built only from an additive-homomorphic cryptosystem, which allows only addition performed on encrypted values but is computationally efficient compared with versatile techniques such as general purpose multi-party computation. In an experiment searching ChEMBL, which consists of more than 1,200,000 compounds, the proposed method was 36,900 times faster in CPU time and 12,000 times as efficient in communication size compared with general purpose multi-party computation.
Conclusion
We proposed a novel privacy-preserving protocol for searching chemical compound databases. The proposed method, easily scaling for large-scale databases, may help to accelerate drug discovery research by making full use of unused but valuable data that includes sensitive information.
Introduction
In recent years, the increasing cost of drug development and decreasing number of new chemical entities have become growing concerns [1]. One of the most popular approaches for overcoming these problems is searching for similar compounds in databases [2]. In order to improve the efficiency of this task, it is important to utilize as many data resources as possible. However, the following dilemma prevents the use of many existing data resources. Unpublished experimental results have been accumulated at many research sites, and such data has scientific value [3]. Since data holders are usually afraid of sensitive information leaking from the data resources, they do not want to release the full data, but they might allow authorized users to search the data as long as the users obtain only search results from which they cannot infer sensitive information. Likewise, private databases of industrial research might be made available if the sensitive information were sufficiently protected. On the other hand, query compounds are also sensitive information for the users, and thus the users usually avoid sending queries and want to download all of the data in order to conduct search tasks on their local computers. In short, we cannot utilize important data resources because both the data holder and the data user insist on their privacy. Therefore, an emerging issue is to develop novel technology that enables privacy-preserving similarity searches.We show several use cases in the next section.
Let us start by clarifying privacy problems in database searches. In a database search, two types of privacy are of concern: "user privacy" (also known as input privacy) and "database privacy" (also known as output privacy). The first is equal to protecting the user's query from being leaked to others including the database holder. The second is equal to protecting the database contents from being leaked to others including the database user, except for the search results held by the user. Here we firstly consider the case of using no privacy-preserving techniques; namely, the user sends a plain query to the server and the server sends the search result. In this case, the user's query is fully obtained by the server. On the database side, the server's data is not directly leaked to the user. However, there is a potential risk that the user may infer the database contents from the search results. To protect user privacy, a scheme called single-database private information retrieval (PIR) has been proposed [4]. The simplest method for achieving PIR is that the user downloads all the contents of the database and searches on his/her local computer. Since this naive approach needs a huge communication size, several cryptographic techniques have been developed, in which the query is safely encrypted/randomized in the user's computer and the database conducts the search without seeing the query. Although PIR is useful for searching public databases, it does not suit the purpose of searching private databases because of the lack of database privacy. Likewise, similarity evaluation protocols keep user privacy [5–7] but they do not sufficiently protect database privacy because the server directly outputs similarity scores that become important hints for inferring database contents.
Generally speaking, it is very difficult to keep both user privacy and database privacy, because the database side must prevent various attacks without seeing the user's query. Among them, the following two attacks are major concerns.
-
Regression attack
Given one data point, the similarity between a target and the data point becomes a strong hint for detecting the target. The accuracy of the detection increases as the number of given data points becomes larger. In fact, a protocol that is not suitably designed may lead to even a small number of queries enabling the database user to detect the target. For example, when the server returns the exact distance between a query and a database entry, the range of the entry is rapidly narrowed as the number of queries increases, and the entry is finally detected uniquely by only almost the same number of queries as the dimension of the entry (see Figure 1 for a detailed explanation). For example, in the case of using theMACCS keys, which are 166 bit structural key descriptors and often used for representing chemical compounds, a database entry is detected by sending only 166 queries. Therefore, it is necessary for the server to return the minimum information that is sufficient for the purpose of the search. In the Thresholding largely improves database privacy section, we will compare success probability of the regression attack for the case when the server returns minimum information (which our protocol aims for) and the other case when the server returns more information (which the previous method aims for).
-
Illegal query attack
Searching with an illegal query often causes unexpected server behaviour. In such a case, the server might return unexpected results that include important server information. To prevent this, the server should ensure the correctness of the user's query.
A schematic view of the privacy-preserving database search problems discussed here is shown in Figure 2.
In the field of cryptography, there have been studies of versatile techniques such as general purpose multi-party computation (GP-MPC) [8] and fully homomorphic encryption (FHE) [9], which enable the design of systems that maintain both user privacy and database privacy. However, these techniques require huge computational costs as well as intensive communications between the parties (see the recent performance evaluation of FHE [10]), so they are scarcely used in practical applications. In order to avoid using such techniques, a similarity search protocol using a trusted third party [11] and a privacy preserving SQL database using a trusted proxy server [12] have been proposed, but those methods assure privacy only when the third party does not collude with the user or the server, which is not convenient for many real problems. As far as we know, no practical method has been proposed despite the great importance of privacy-preserving similarity searching. To overcome this lack, we propose a novel privacy-preserving similarity search method that can strongly protect database privacy as well as user privacy while keeping a significantly low computational cost and small communication size.
The rest of this paper is organized as follows. In the next section, we summarize our achievements in this study. This is followed by the Cryptographic background section and the Method section, where we define the problem and introduce details of the proposed protocol. In the Security analyses section, both the user privacy and database privacy of the proposed protocol are discussed in detail. In the Performance evaluation section, the central processing unit (CPU) time and communication size of the proposed protocol are evaluated for two datasets extracted from ChEMBL. Finally, we present our conclusions for this study in the Conclusion section.
Our Achievements
Here we focus on similarity search with the Tversky index of fingerprints, which is the most popular approach for chemical compound searches [13] and is used for various search problems in bioinformatics. To provide a concrete application, we address the problem of counting the number of similar compounds in a database, which solves various problems appearing in chemical compound searches. The following model describes the proposed method.
Model 1 The user is a private chemical compound holder, and the server is a private database holder. The user learns nothing but the number of similar compounds in the server's database, and the server learns nothing about the user's query compound.
Here we introduce only a small fraction of the many scientific or industrial problems solved by Model 1.
1 Secure pre-purchase inspection service for chemical compound.
When a client considers the purchase of a commercial database such as a focused library [14], he/she wants to check whether the database includes a sufficient number of similar compounds, without sending his/her private query, but the server does not allow downloading of the database.
2 Secure patent compound filtering.
When a client finds a new compound, he/she usually wants to know whether it infringes on competitors' patents by searching the database of patent-protected compounds maintained by third parties. The same problem occurs when the client wants to check whether or not the compound is undesirable.
3 Secure negative results check.
It is a common perception that current scientific publication is strongly biased against negative results [3], although a recent study showed statistically that negative results brought meaningful benefit [15]. Since researchers are reluctant to provide negative results, which often include sensitive information, a privacy-preserving system for sharing those results would greatly contribute to reducing redundant efforts for similar research topics. For example, it would be useful to have a system that allows a user to check whether the query is similar to failed compounds that have previously been examined in other laboratories.
In this study, we propose a novel protocol called the secure similar compounds counter (SSCC) which achieves Model 1. The first main achievement of this study is that SSCC is remarkably tolerant against regression attacks compared with existing protocols which directly output the similarity score. Moreover, we propose an efficient method for protecting the database from illegal query attacks. These points are discussed in the Security analyses section.
The second main achievement is that SSCC is significantly efficient both in computational cost and communication size. We carefully designed the protocol such that it uses only an additive-homomorphic cryptosystem, which is computationally efficient, and does not rely on any time-consuming cryptographic methods such as GP-MPC or FHE. Hence the performance of the protocol is sufficiently high for a large-scale database such as ChEMBL [16], as is shown in the Performance evaluation section.
Cryptographic background
Additively homomorphic encryption scheme
In this paper, we use an additive-homomorphic cryptosystem to design our protocol. The key feature of the additive-homomorphic cryptosystem is that it enables to perform additive operations on encrypted values. Therefore, intuitively, any standard computation algorithm can be converted into the privacy-preserving computation algorithm, if operations used in the standard algorithm can be replaced by additions.
More formally, we use a public-key encryption scheme (KeyGen; Enc;Dec), which is semantically secure; that is, an encryption result (ciphertext) leaks no information about the original message (plaintext) [17]. Here, KeyGen is a key generation algorithm for selecting a pair (pk, sk) of a public key pk and a secret key sk; Enc(m) denotes a ciphertext obtained by encrypting message m under the given pk; and Dec(c) denotes the decryption result of ciphertext c under the given sk. We also require the following additive-homomorphic properties:
-
Given two ciphertexts Enc(m1) and Enc(m2) of messages m1 and m2, Enc(m1 + m2) can be computed without knowing m1, m2 and the secret key (denoted by Enc(m1) ⊕ Enc(m2)).
-
Given a ciphertext Enc(m) of a message m and an integer e, Enc(e⊕m) can be computed without knowing m and the secret key (denoted by e ⊗ Enc(m)).
For example, we can use either the Paillier cryptosystem [18] or the "lifted" version of the ElGamal cryptosystem [19] as such an encryption scheme; now the second operation ⊗ can be achieved by repeating the first operation ⊕. We notice that the range of plaintexts for those cryptosystems can be naturally set as an integer interval [−N1, N2] for some sufficiently large N1, N2 >0; therefore, the plaintexts are divided into positive ones, negative ones, and zero.
Non-interactive zero-knowledge proof
Below, we discuss the following situation: A user (a prover) wants to make a server (a verifier) convinced that a ciphertext c generated by the user corresponds to a message m in {0, 1}, but does not want to reveal any information about which of 0 and 1 is m. This can be achieved by using a cryptographic tool called non-interactive zero-knowledge (NIZK) proof. In the present case, it enables the user to generate a "proof" associated with c, so that:
-
If m is indeed in {0, 1}, then the server can verify this fact by testing the proof (without knowing m itself).
-
If m ∉ {0, 1}, then the user cannot generate a proof that passes the server's test.
-
The server cannot obtain any information about m from the proof, except for the fact that m ∈ {0, 1}.
(See [20] for a general formulation.) Besides the existing general-purpose NIZK proofs, Sakai et al. [21] proposed an efficient scheme specific to the "lifted" ElGamal cryptosystem, which we use below. (See Section 1 of Additional File 1 in which we give the brief description of the NIZK proofs [21].)
Method
The goal of this study is to design a protocol between a user and a server that enables the user to obtain the number of compounds in the server's database that are similar to the user's target compound. Here, a fingerprint of compound is modeled as (i.e., a bit string of length ℓ). An equivalent way to refer to is the set of all indices i where p i = 1. We denote such a set by p. The similarity of two compounds p, qis then measured by Tversky index which is parameterized by α, β > 0 and is defined as:
Tversky index is useful since it includes several important similarity measurements such as Jaccard Index (JI, which is exactly TI1,1 and also known as Tanimoto Index) and Dice index (which is exactly TI1/2,1/2) [22]. First, we introduce the basic idea and two efficient techniques for improving database privacy. Then, we describe our full proposed protocol.
Basic idea
We firstly consider the simplest case that the user has (the fingerprint of) a target compound qas a query and the server's database consists of only a single fingerprint p. The case of a larger database is discussed later. The goal here is to detect whether or not the Tversky index of pand qis larger than a given threshold 1 ≥ θ > 0. The main idea of our approach is to calculate the score
from encrypted fingerprints pand qby an additive-homomorphic cryptosystem. The score is non-negative if and only if the Tversky index of pand qis at least θ. Now since |p\ q| = |p| − |p∩ q| and a similar relation holds for |q\ p|, the score (1) is positively proportional to
where λ1 = c(θ-1 − 1 + α + β), λ2 = cα, λ3 = cβ and any positive value c. We assume that the parameters and the threshold for the Tversky index are rational numbers denoted by α = μ a /γ, β = μ b /γ and θ = θ n /θ d , where μ a , μ b , γ, θ n and θ d are non-negative integers. By using c = γθ n g−1 under this assumption, λ1, λ2 and λ3 become non-negative integers where g is the greatest common divisor of γ(θ d − θ n ) + θ n (μ a + μ b ), θ n μ a and θ n μ b .
Motivated by this observation, we define the following modified score, called the threshold Tversky index:
Definition 1 Given parameters α and β and a threshold θ for the Tversky index which are rational numbers denoted by α = μ a /γ, β = μ b /γ and θ = θ n /θ d where μ a , μ b , γ, θ n and θ d are non-negative integers, then the threshold Tversky index for fingerprints p and q is defined by
and non-negative integer parameters λ 1 , λ 2 and λ 3 are defined by
where g is the greatest common divisor of γ(θ d − θ n )+θ n (μ a +μ b ), θ n μ a and θ n μ b .
By the above argument, we have TI α,β (p, q) ≥ θ if and only if . Therefore, the user can know whether or not his/her target compound qis similar (i.e., TIα,β(p, q) ≥ θ) to the fingerprint pin the database, by obtaining only the value .
In the protocol, the bits of the user's target fingerprint qand the value |p| held by the server are both encrypted using the user's public key. Since can be computed by the addition of these values and multiplication by integers, the protocol can calculate (without the secret key) a ciphertext of , which is then decrypted by the user. For simplicity, we will abuse the notation and write TI(p, q), without subscripts α, β, θ when the context is clear.
We emphasize that our protocol does not use time-consuming cryptographic methods such as GP-MPC and FHE, and data transfer occurs only twice during an execution of the protocol. Hence, our protocol is efficient enough to scale to large databases.
Database security enhancement techniques against regression attack
As discussed in Introduction section, the server needs to minimize returned information in order to minimize the success ratio of the regression attack. That is, the ideal situation for the server is that the user learns only the similarity/non-similarity property of fingerprints pand q, without knowing any other information about the secret fingerprint p. This means that only the sign of should be known by the user. However, in our basic protocol, the value of is fully obtained by the user; Database privacy is not protected from regression attacks. (See the Security analyses section for details.) In order to send only the sign of , we firstly considered using a bit-wise decomposition protocol [23] for extracting and sending only the sign bit of . Although this approach is ideal in terms of security, the protocol requires more than 30 rounds of communications, which is much more efficient than using GP-MPC or FHE, but rather time-consuming for large-scale databases. Therefore, here we propose the novel technique of using dummy replies, which requires only one round of communication while sufficiently minimizing information leakage of p. In the proposed technique, besides its original reply , the server also chooses random integers φ1, ..., φ n from a suitable interval and encrypts those values under the user's public key pk. Then the server sends the user a collection of ciphertexts t, Enc(φ1), ..., Enc(φ n ) that are shuffled to conceal the true ciphertext t, as well as the number sd of dummy values φ k with φ k ≥ 0. The user decrypts the received n + 1 ciphertexts, counts the number sc of non-negative values among the decryption results, and compares sc to sd. Now we have if and only if sc − sd = 1; therefore, the user can still learn the sign of , while the actual value of is concealed by the dummies. We have confirmed that the information leakage of papproaches zero as the number of dummies becomes large; see the Security analyses for pudding dummies section for more detailed discussion. (We have also developed another security enhancement technique using sign-preserving randomization of ; see Section 2 of Additional File 1 for details.)
Database security enhancement technique against illegal query attack Illegal query attacks can be prevented if the server can detect whether or not the user's query is valid. To keep user privacy, the server must conduct this task with-out obtaining more information than the validity/invalidity of the query. In fact, this functionality can be implemented by using the NIZK proof by Sakai et al. [21] mentioned in the Non-interactive zero-knowledge proof section. The improved protocol requires the user to send the server a proof associated with the encrypted fingerprint bits qi, from which the server can check whether qis indeed a valid fingerprint (without obtaining any other information about q); the server aborts the protocol if qis invalid. Here we use the "lifted" ElGamal cryptosystem as our basic encryption scheme to apply Sakai's scheme. (We note that if we require the user to send Enc(−|q|) used by server's computation, then another NIZK proof is necessary to guarantee the validity of the additional ciphertext, which decreases the communication efficiency of our protocol. Hence our protocol requires the server to calculate Enc(−|q|) by itself.) The formal definition of the valid query is given in the Database privacy in malicious model section.
Secure similar compounds counter
For the general case that the database consists of more than one fingerprint p, we propose the protocol shown in Algorithm 1 to count the number of fingerprints psimilar to the target fingerprint q. In the protocol, the server simply calculates the encryption of the threshold Tversky indices for all database entries and, as discussed above, replies with a shuffled collection of these true ciphertexts and dummy ciphertexts, as well as the number sd of non-negative dummy values. Then the value sc − sd finally obtained by the user is equal to the number of similar fingerprints pin the database.
Algorithm 1 The secure similar compounds counter (SSCC)
-
Public input: Length of fingerprints ℓ and parameters for the Tversky index θ = θ n /θ d , α = μ a /γ, β = μ b /γ
-
Private input of a user: Target fingerprint q
-
Private input of a server: Set of fingerprints P = {p(1), ..., p(M)}
1 (Key setup of cryptosystem) The user generates a key pair (pk, sk) by the key generation algorithm KeyGen for the additive-homomorphic cryptosystem and sends public key pk to the server (the user and the server share public key pk and only the user knows secret key sk).
2 (Initialization) The user encrypts his/her fingerprint q as a vector of ciphertexts: . He/she also generates v as a vector of proofs. Each proof vi is associated with Enc(q i ).
3 (Query of entry) The user sends the vector of ciphertexts and the vector of proofs v to the server as a query.
4 (Query validity verification) The server verifies the validity of by testing the vector of proof v. If v does not pass the server's test, the user cannot move on to the next step.
5 (Calculation of threshold Tversky index)
(a) The server calculates the greatest common divisor of γ(θ d − θ n ) + θ n (μ a + μ b ), θ n μ a and θ n μ b as g, and calculates λ1 = γθ n g−1 (θ−1 − 1 + α + β), λ2 = γθ n g−1α, and λ3 = γθ n g−1β.
(b) The server calculates from .
(c) for j = 1 to M do
i. The server calculates and encrypts it to obtain a ciphertext .
ii. The server calculates a ciphertext t j of threshold Tversky index .
c ← Enc(0)
for k = 1 to ℓ do
if
c ← c ⊕ Enc(q k ) ▷ Computing
end if
end for
t j ← λ1 ⊗ c ⊕ λ2 Enc(−|p(j)|) ⊕ λ3 ⊗ Enc(−|q|)
end for
6 (Padding of dummies)
(a) The server generates a set of dummy values {φ1, ..., φ n } and counts the number sd of non-negative dummies φ i ≥ 0.
(b) The server encrypts φ i to obtain a ciphertext Enc(φ i ) for i = 1, ..., n.
(c) The server shuffles the contents of the set T = {t1, ..., t M , Enc(φ1), ..., Enc(φ n )}.
7 (Return of matching results) The server sends T and sd to the user.
8 (Decryption and counting) The user decrypts the contents of T and counts the number sc of non-negative values.
9 (Evaluation) The user obtains sc − sd as the number of similar fingerprints in the database.
Parameter settings of the protocol
Decrypting an encrytion of too large value needs huge computation cost if the lifted-ElGamal cryptosystem is used. Therefore, in order to keep the consistency and efficiency of the protocol, the range of should not be too large. i.e., the integer parameters λ1, λ2 and λ3 in the threshold Tversky index should not be too large. In fact, this will not cause a problem in practice; For example, the parameters become λ1 = 9, λ2 = λ3 = 4 for computing which is a typical setting of a chemical compound search. In this case, a minimum value and a maximum value of is -664 and 166 for 166 MACCS keys, which is a sufficiently small range. (See Section 3 of Additional File 1 for details.)
Security analyses
In this section, we evaluate security of SSCC by several approaches.
In the area of cryptology, the following two standard security models for two-party computation have been considered:
-
Semi-honest model : Both parties follow the protocol, but an adversarial one attempts to infer additional information about the other party's secret input from the legally obtained information.
-
Malicious model : An adversarial party cheats even in the protocol (e.g., by inputting maliciously chosen invalid values) in order to illegally obtaining additional information about the secret.
We analyze user privacy and database privacy in both the semi-honest and malicious models. For the database privacy, we firstly compare attack success ratios for the case of using our method which aims to output a binary sign and the other case of using the previous methods which aim to output a similarity score, and show that outputting a binary sign improves database privacy. We also evaluate security strength of our method against a regression attack by comparing attack success ratios for the case of using dummies and the ideal case that uses a versatile technique (such as GP-MPC and FHE) to output a binary sign, and show that the security strength for the case of using dummies is almost the same as the ideal case under realistic settings.
User privacy
The semantic security of the encryption scheme used in the protocol (see the Additively homomorphic encryption scheme section) implies immediately that the server cannot infer any information about the user's target fingerprint qduring the protocol. This holds in both the semi-honest and malicious models.
Thresholding largely improves database privacy
We mentioned in the introduction section that minimizing information returned from the server reduces success ratio of regression attack. Therefore, SSCC aims for "ideal" case in which the user learns only the sign of during the protocol. The previous methods that compute Jaccard Index aim for the "plain" case, in which the user fully learns the value TI(p, q). Here we evaluate the efficiency of the thresholding by comparing success probabilities of regression attack for those two cases. We consider the general case in which the user is allowed to send more than one query and those queries are searched by Jaccard Index. We also suppose that the database consists of a single fingerprint pin order to clarify the effect of thresholding.
The goal of an attacker is to reveal pby analysing the results returned from the server. It is generally effective for the attacker to exploit the difference between the two outputs obtained by sending two different queries. In fact, when the server returns , becomes positive if and only if p i = 1, where q= (0, ..., q i = 1, ..., 0) and 0 = (0, ..., 0). This means that the attacker can reveal any bit in pby sending the single query after sending the first query 0. Therefore, pcan be fully revealed by sending only ℓ + 1 queries. On the other hand, there is no deterministic attack for revealing pfrom only the sign of , because two different inputs do not always lead to different outputs. Since we know of a linear algorithm that fully reveals pin response to at most 2ℓ queries after making a "hit" query qsuch that , here we evaluate database privacy by the probability of making at least one hit query when the user is allowed to send x queries. (See Section 4 of Additional File 1 for details.) This probability is denoted as
where f p , defined as follows, is the probability that the user makes one hit query with a single trial when pis given.
For ease of calculation, we computed the upper bound of equation (2) for x = 1, 10, 102, ..., 106 and θ = 0.7, 0.8, 0.9, 1.0. (See Section 5 of Additional File 1 for details.) Since publicly available 166 MACCS keys are the most popular fingerprint for chemical compound searches, we set ℓ to 166. From the results shown in Figure 3, we can see that the probability of making a hit query is sufficiently small for practical use even though the user is allowed to send a million of queries. Considering that the user learns pby using no more than ℓ + 1 queries when he/she learns , we can conclude that database privacy is dramatically improved by thresholding. In other words, the proposed protocol, which aims to output only the sign of the similarity score, has stronger security than other previous methods, which directly output similarity scores.
Security analyses for padding dummies
We showed that the output privacy in the "ideal" case is significantly improved from the "plain" case. Here we experimentally evaluate how the actual situation of our proposed protocol is close to the "ideal" case.
Before going into detail analyses, let us discuss how to generate dummies. It is ideal for the server privacy to generate a dummy according to the same distribution where is generated from. However, this is not realistic because is determined by both pand qwhich is user's private information. Therefore, in our analyses, we assume that a dummy is generated from uniform distribution over possible values of . For example, if possible values of is {1, 2, 3, 4, 5}, dummies are randomly selected from any one of them. The purpose of padding dummies is to mitigate the risk of leaking . In order to clarify the effect of the use of dummy values, we concentrate on the basic case; the database contains a single p, and there exist k possible values of . i-th value of the k possible values arises as the true according to the probability w i . Namely, true is generated from the multinomial distribution with k different probabilities w= w1, ...,wk, while dummies are generated from the multinomial distribution with equal probability 1/k. To conduct stringent analyses, we assume that the user knows w, and he/she also knows that dummies are uniformly distributed over k possible .
The security provided by our protocol can be formalized in the following manner. First we recall that, in our protocol, the server computes encryption of and encryption of dummy values φ1, ..., φ n , and then sends the user the n+1 encrypted values as well as the number of positive dummy values in φ1, ..., φ n . For the purpose of formalizing the security, we introduce a "fictional" server that performs the following: It first receives the encrypted values , φ1, ..., φ n from the real server. Secondly, it gets the sign of . (We note that a real server cannot do it since it requires unrealistic computational power that breaks the security of the encryption scheme, so this is just fictional for the sake of mathematical definition.) Thirdly, it generates another dummy value randomly, and independently of the values of , φ1, ..., φ n (except for the sign of ), in the following manner:
-
If is positive, then is chosen randomly from positive values.
-
If is negative, then is chosen randomly from negative values.
Finally, the fictional server sends the user an encryption of (instead of ) as well as the encrypted φ1, ..., φ n and the number of positive values in φ1, ..., φ n . We note that, when the user receives a reply from the fictional server, the user can know the sign of which is the same as that of , but cannot know any other information on since is independent of . In the setting, the following property can be proven:
Theorem 1 Suppose that the user cannot distinguish, within computational time TIME, the sets of decrypted values of ciphertexts involved in outputs of the real server and of the fictional server. Then any information computable within computational time TIME from the decryption results for output of the real server is equivalent to information computable within computational time TIME′ from the sign of only, where TIME′ is a value which is close to TIME.
Proof Let be an algorithm, with running time TIME, which outputs some information on the decrypted values for an output of the real server. We construct an algorithm which computes, from the sign of only, an information equivalent to the information computed by . The construction is as follows; from the sign of , generates dummy values by mimicking the behavior of the fictional server, and then inputs these dummy values to a copy of , say , and gets the output of . Now if the output of is not equivalent to the output of , then the definition of implies that the probability distributions of the outputs of with inputs given by the decrypted values for outputs of the real server and of the fictional server are significantly different (since used in is a copy of ); it enables the user to distinguish the two possibilities of his/her received values by observing the output of , but this contradicts the assumption of the theorem. Therefore, the output of is equivalent to the output of as claimed. Moreover, the computational overhead of compared to is just the process of generating dummy values by mimicking the behavior of the fictional server; it is not large (i.e., TIME′ is close to TIME as claimed) since the server-side computation of our proposed protocol is efficient. Hence, the theorem holds.
Roughly rephrasing, if the assumption of the theorem is true for a larger TIME, then the actual situation of our proposed protocol becomes closer to the "ideal" case provided we focus on any information available from efficient computation. As a first step to evaluate how the assumption is plausible (i.e., how the value TIME in the assumption can be large), we performed computer experiments to show that some natural attempts to distinguish the actual and the fictional cases do not succeed, as explained below.
In this experiment, we evaluate the security of our protocol by comparing the probabilities that the user correctly guesses the value in two cases: The case in which the user makes a guess based only on a prior knowledge w, and the other case in which the user makes a guess based on the observation of the search result under the condition that he/she knows w.
For the first case, the user's best strategy for guessing is to choose the i0-th possible value, where
In this case, the success probability of the guess is .
Let us consider the best strategy for the second case. As described above, we consider an practical case that n dummy values φ1, ..., φ n chosen from the k possible values uniformly at random, and the user makes a guess from the received n + 1 shuffled values φ1, ..., φ n , . Now suppose that the user received the i-th possible value a i times for each 1 ≤ i ≤ k (hence ). Since the choices of φ1, ..., φ n are independent of , the probability that the user received i-th possible value ai times for each 1 ≤ i ≤ k and that is i0-th possible value is
Therefore, the conditional probability that is the i0-th possible value, conditioned on the set of the user's received values, is
This implies that the user's best strategy is to guess that is the i0-th possible value, where
We estimated success probabilities of user's guess for the both cases by simulation experiments. Here we assumed typical case when TI1,1,0.8 and 166 MACCS keys are used. In this case, k = 831 and we performed the experiments for n = 831 × 100, 831 × 101, ..., 831 × 104 on three different distributions of which were obtained by the following schemes:
1 We randomly selected one fingerprint qfrom ChEMBL and calculated for all the entries in ChEMBL and used the observed distribution as w. In our experiment, 177159-th fingerprint was selected as q(referred as wChEMBL-177159).
2 The same scheme as 1) was used when qwas 265935-th fingerprint (referred as wChEMBL-265935).
3 We randomly selected a value from 1, ..., k for m times and count frequency of i as h i and set w i = h i /m (referred as wrandom). We used k × 5 as m.
All the distributions used here are shown in Section 6 of Additional File 1.
We performed 100, 000 trials for each experiment. Each trial consisted of choosing φ1, ..., φ n uniformly at random; choosing according to w; deciding the user's guess i0 by formula (3) and formula (4) respectively (we adopted a uniformly random choice if there were more than one such i0); and checking whether or not was the i0-th possible value for both rules (i.e., the user's guess succeeded). The results of the experiment are given in Table 1; they show that the user's attack success probability became significantly close to the ideal case when a sufficiently large number of dummies were used; therefore, our technique of using dummies indeed improves the output privacy.
Security analyses for padding dummies for the case when the user is allowed to send more than one query
One might suspect that the attacker can detect the true by sending the same query twice and finding the value which is appeared in both results. However, this attack does not easily succeed if n is sufficiently larger than k (i.e., ideally, all possible values of are covered by sufficient number of dummies), and we consider that k is not too large in practice as we discussed in Parameters settings of the protocol section.
In order to evaluate the security achieved by the padding dummies for the case when the user is allowed to submit L queries, we performed following analyses. Here we evaluate the security achievement by comparing the case of using our protocol based on the padding dummy and the ideal case of returning only the sign of . In order to perform rigorous analyses, we assume the most severe case in which the attacker keeps sending the same query L times. For this case, the probability that is the i0-th possible value after sending L queries on condition that frequency of i-th possible value of j-th query i for j = 1, ..., L is
This implies that the user's best strategy is to choose i-th possible value which maximizes equation (5). As mentioned above, we compared the success ratio of the attack based on the above strategy and the ideal success ratio when the user makes the guess only from the given distribution w. We also assumed more realistic case that user did not know the exact distribution of dummy but knew the distribution that was similar to the actual distribution the server used. For the evaluation of this case, we generated dummies from the distribution u, which was slightly different from uniform distribution, while the user assumed that dummies were generated from uniform distribution. uwas generated as follows:
We performed the experiment for L = 1, 10, 102, ..., 105, n = 831 × 10, 831 × 50, 831 × 102 and δ = 0, 0.05, 0.1, 0.15, 0.2 based on the same approach used in the evaluation of single query security. i.e., for each trial, n dummies were randomly chosen according to u(note that uwas equal to uniform distribution when δ = 0), true value was selected according to wand the attacker's guess was made based on the equation (5). We performed 10, 000 trials for each triplet of L, n and δ. Those experiments were conducted for the same three distributions: wChEMBL-177159, wChEMBL-265935 and wChEMBL-random. We compared the success ratio of the attack and the ideal success ratio when the user made the guess without seeing search results. The results are shown in Figure 4. The success ratio of user's attack decreased as the number of dummies increased and became closer to the ideal value when the sufficient number of dummies are given, even for the case that a large number of queries were sent. Although an efficient method for dummy generation remains as a future task, the results also show that hiding the distribution of dummy is significantly effective for protecting database privacy and the user has to know it with high accuracy in order to steal extra information from the server.
Database privacy in malicious model
For our protocol, the difference between the malicious and semi-honest models is that in the malicious model the user may use an invalid input qwhose components qi are not necessarily in {0, 1}. If the user chooses qin such a way that some component qi is extremely large and the remaining ℓ − 1 components are all zero, then will also be an extreme value (distinguishable from the dummy values) and depend dominantly on the bit p i ; therefore, the user can almost surely guess the secret bit pi. Since our protocol detects whether or not qi is a bit value without invading user privacy, it can safely reject illegal queries and prevent any illegal query attacks, including above case.
Performance evaluation
In this section, we evaluate the performance of the proposed method on two datasets created from ChEMBL.
Implementation
We implemented the proposed protocol using the C++ library of elliptic curve ElGamal encryption [24], in which the NIZK proposed in the previous study [21] is also implemented.
For the implementation, we used parameters called secp192k1, as recommended by SECG (The Standards for Efficient Cryptography Group). These parameters are considered to be more secure than 1024-bit RSA encryption, which is the most commonly used public-key cryptosystem. The implementation of
Owing to the limitation of the range of plaintext, the implementation here does not include sign-preserving randomization. For the purpose of comparison, we also implemented a GP-MPC protocol by using Fairplay [25]. In order to reduce the circuit size of the GP-MPC, we implemented s simple task that computes the sign of Tversky index between a query and a fingerprint in the database, and repeated the task for all the fingerprints in the database. Thus the CPU time and data transfer size of the implementation is linear to the size of database.
Experimental setup
The Jaccard index along with the threshold θ = 0.8 were used for both protocols. For SSCC, we used 10,000 dummies. These two implementations were tested on two datasets: one, referred to as ChEMBL 1000, was the first 1000 fingerprints stored in ChEMBL, and the other, referred to as ChEMBL Full, was 1,292,344 fingerprints in the latest version of ChEMBL. All the programs were run on a single core of an Intel Xeon 2.9 GHz on the same machine equipped with 64 GB memory. To avoid environmental effects, we repeated the same experiment five times and calculated average values.
Results
The results are shown in Table 2. Despite the proposed method including elaborate calculation like the NIZK proof, we can see from the results that both the CPU time and communication size of the proposed method are significantly smaller than those of the GP-MPC protocol. Furthermore, it is clear that SSCC provides industrial-strength performance, considering that it works, even on a huge database like ChEMBL Full, taking no more than 167 s and 173 s for the server and client respectively.
The experiment on ChEMBL Full by using GP-MPC did not finish within 24 hours. Since both CPU time and communication size are exactly linear to the size of database for the GP-MPC protocol, the results of ChEMBL Full for GP-MPC are estimated to be more than 1600 hours for both sides and 3 Gbyte data transfer from client to server, considering the results of ChEMBL 1000.
By using simple data parallelization, the computational speed will be improved linearly with the number of CPUs. Since all the programs were run on the same machine there was almost no latency for the communication between the two parties in these experiments. Therefore, GP-MPC, whose communication size is huge, is expected to require far more time when it runs on an actual network that is not always in a good condition. The other important point is that SSCC requires only two data transfers, which enables data transfer after off-line calculation. On the other hand, GP-MPC must keep online during the search because of the high communication frequency. We also note that it took less than 100 MB to compile SSCC, while GP-MPC required more than 16 GB. Considering these observations, SSCC is efficient for practical use. It is known that several techniques improve the performance of GP-MPC and the previous work by Pinkas et al. [26] reported that Free XOR [27] and Garbled Row Reduction [26], which are commonly used in state-of-the-art GP-MPC methods [28–31], reduced running time and communication size by factors of 1.8 and 6.3 respectively when a circuit computing an encryption of AES was evaluated. Though these techniques are not implemented in Fairplay, we consider that GP-MPC is yet far less practical for the large-scale chemical compound search problem compared to our method which improved running time and communication size by factors of 36, 900 and 12, 000.
Conclusion
In this study, we proposed a novel privacy-preserving protocol for searching chemical compound databases. To our knowledge, this is the first practical study for privacy-preserving (for both user and database sides) similarity searching in the fields of bioinformatics and chemoinformatics. Moreover, the proposed method could be applied to a wide range of life science problems such as searching for similar single-nucleotide polymorphism (SNP) patterns in a personal genome database. While the protocol proposed here focuses on searching for a number of similar compounds, we are examining further improvements of the protocol such as the client being able to download similar compounds; we expect this on-going study to further contribute to the drug screening process. In recent years, open innovation has been attracting attention as a promising approach for speeding up the process of new drug discovery [32]. For example, research on neglected tropical diseases including malaria has been promoted by the recent attempt to share chemical compound libraries in the research community. In spite of high expectations, such an approach is still limited to economically less important problems on account of privacy problems [33]. Therefore, privacy-preserving data mining technology is expected to be the breakthrough promoting open innovation and we believe that our study will play an important role.
References
Subbaraman N: Flawed arithmetic on drug development costs. Nature Biotechnology. 2011, 29 (5): 381-381.
Miller Ma: Chemical database techniques in drug discovery. Nature Reviews Drug Discovery. 2002, 1 (3): 220-7.
Schooler J: Unpublished results hide the decline effect. Nature. 2011, 470: 437-
Ostrovsky R, Skeith WE: A survey of single-database private information retrieval: techniques and applications. Proceedings of the 10th International Conference on Practice and Theory in Public-key Cryptography PKC'07. 2007, 393-411.
Goethals B, Laur S, Lipmaa H, Mielik¨ainen T: On private scalar product computation for privacy-preserving data mining. Proceedings of the 7th Annual International Conference on Information Security and Cryptology ICISC 2004. 2004, 104-120.
Blundo C, Cristofaro ED, Gasti P: EsPRESSo : Efficient Privacy-Preserving Evaluation of Sample Set Similarity. Proceedings of Data Privacy Management and Autonomous Spontaneous Security: 7th International Workshop, DPM 2009 and 5th International Workshop, SETOP 2012 DMP/SETOP 2012. 2012, 89-103.
Murugesan M, Jiang W, Clifton C, Si L, Vaidya J: Efficient privacy-preserving similar document detection. The VLDB Journal. 2010, 19 (4): 457-475.
Yao ACC: How to generate and exchange secrets. Proceedings of the 27th Annual Symposium on Foundations of Computer Science SFCS '86. 1986, 162-167.
Gentry C: Fully homomorphic encryption using ideal lattices. Proceedings of the 41st Annual ACM Symposium on Theory of Computing STOC '09. 2009, 169-178.
Togan M, Plesca C: Comparison-based computations over fully homomorphic encrypted data. Communications (COMM), 2014 10th International Conference. 2014, 1-6. doi:10.1109/ICComm.2014.6866760
Laur S, Lipmaa H: On private similarity search protocols. Proceedings of the 9th Nordic Workshop on Secure IT Systems NordSec. 2004, 73-77.
Popa RA, Redfield CMS, Zeldovich N, Balakrishnan H: Proceedings of the 23rd ACM Symposium on Operating Systems Principles SOSP 11. 85-100.
Martin YC, Kofron JL, Traphagen LM: Do structurally similar molecules have similar biological activity?. Journal of Medicinal Chemistry. 2002, 45 (19): 4350-4358.
Miller JL: Recent developments in focused library design: targeting gene-families. Current Topics in Medicinal Chemistry. 2006, 6 (1): 19-29.
Curty R, Tang J: Someone's loss might be your gain: A case of negative results publications in science. Proceedings of the American Society for Information Science and Technology ASISTS. 2012, 49:
Gaulton A, Bellis LJ, Bento AP, Chambers J, Davies M, Hersey A, Light Y, McGlinchey S, Michalovich D, Al-Lazikani B, Overington JP: ChEMBL: a large-scale bioactivity database for drug discovery. Nucleic Acids Research. 2012, 40 (Database): 1100-1107.
Goldwasser S, Micali S: Probabilistic encryption. J Comput Syst Sci. 1984, 28 (2): 270-299.
Paillier P: Public-key cryptosystems based on composite degree residuosity classes. Proceedings of the 17th International Conference on Theory and Application of Cryptographic Techniques EUROCRYPT'99. 1999, 223-238.
ElGamal T: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory. 1985, 31 (4): 469-472.
Goldreich O: Foundations of Cryptography: Volume 1. 2001, Cambridge University Press
Sakai Y, Emura K, Hanaoka G, Kawai Y, Omote K: Methods for restricting message space in public-key encryption. IEICE Transactions. 2013, 96-A (6): 1156-1168.
Tversky A: Features of similarity. Psychological Review. 1977, 84 (4): 327-352.
Damgård I, Fitzi M, Kiltz E, Nielsen JB, Toft T: Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. Proceedings of the 3rd Theory of Cryptography Conference TCC 2006. 2006, 285-304.
C++ Library implementing elliptic curve ElGamal crypto system [19]. 2015, URL accessed April 13, 2015, [https://github.com/aistcrypt/Lifted-ElGamal]
Ben-david A, Nisan N, Pinkas B: Fairplaymp: A system for secure multi-party computation. Proceedings of ACM Conference on Computer and Communications Security CCS 2008. 2008, 17-21.
Pinkas B, Schneider T, Smart NP, Williams SC: Secure two-party computation is practical. Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security ASIACRYPT 2009. 2009, 250-267.
Kolesnikov V, Schneider T: Improved garbled circuit: Free XOR gates and applications. Proceedings of the 35th International Colloquium on Automata, Languages and Programming ICALP 2008. 2008, 486-498.
Henecka W, Kögl S, Sadeghi A, Schneider T, Wehrenberg I: TASTY: tool for automating secure two-party computations. Proceedings of the 17th ACM Conference on Computer and Communications Security CCS 2010. 2010, 451-462.
Huang Y, Evans D, Katz J, Malka L: Faster secure two-party computation using garbled circuits. Proceedings of the 20th USENIX Security Symposium USENIX 2011. 2011
Huang Y, Shen CH, Evans D, Katz J, Shelat A: Efficient secure computation with garbled circuits. Proceedings of the 7th International Conference on Information Systems Security ICISS. 2011, 28-48.
Kreuter B, Shelat A, Shen C: Billion-gate secure computation with malicious adversaries. Proceedings of the 21th USENIX Security Symposium USENIX Security 2012. 2012, 285-300.
Williams AJ, Harland L, Groth P, Pettifer S, Chichester C, Willighagen EL, Evelo CT, Blomberg N, Ecker G, Goble C, Mons B: Open PHACTS: semantic interoperability for drug discovery. Drug Discovery Today. 2012, 17 (21-22): 1188-1198.
Hunter J, Stephens S: Is open innovation the way forward for big pharma?. Nature Reviews Drug Discovery. 2010, 9 (2): 87-88.
Acknowledgements
KS thanks Yusuke Sakai and Takahiro Matsuda for fruitful discussions.
Declarations
This work was supported by the Japan-Finland Cooperative Scientific Research Program of JST/AMED (to KS) and JSPS KAKENHI Grant Number 25540131 (to KS and MH). JS and KT are supported by JST CREST. KT is supported by JST ERATO, RIKEN PostK, NIMS MI2I, JSPS KAKENHI Nanostructure and JSPS KAKENHI Grant Number 15H05711. JS is supported by JSPS KAKENHI Grant Number 24680015.
This article has been published as part of BMC Bioinformatics Volume 16 Supplement 18, 2015: Joint 26th Genome Informatics Workshop and 14th International Conference on Bioinformatics: Bioinformatics. The full contents of the supplement are available online at http://www.biomedcentral.com/bmcbioinformatics/supplements/16/S18.
Author information
Authors and Affiliations
Corresponding author
Additional information
Competing interests
The authors declare that they have no competing interests.
Authors' contributions
KS, HA, KN and KA designed the protocol inspired by the discussion with TH. KS, KN, NA and GH conducted security analyses. KS and SM implemented the protocol. KS evaluated performance of the protocol. All authors wrote the manuscript. All authors read, commented and approved the final manuscript.
Electronic supplementary material
Rights and permissions
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated.
About this article
Cite this article
Shimizu, K., Nuida, K., Arai, H. et al. Privacy-preserving search for chemical compound databases. BMC Bioinformatics 16 (Suppl 18), S6 (2015). https://doi.org/10.1186/1471-2105-16-S18-S6
Published:
DOI: https://doi.org/10.1186/1471-2105-16-S18-S6